SUSE openSUSE Tumbleweed smb4k Argument Injection Vulnerability Allowing Arbitrary Unmounts

Vulnerability

A vulnerability has been identified in the smb4k mount helper shipped with openSUSE Tumbleweed that allows local users to unmount arbitrary file systems. The issue stems from improper validation of the input the helper accepts over its KAuth D-Bus interface. If the attacker can also control the contents of a mounted Samba share, the vulnerability could lead to a local root exploit.

Impact

Exploitation of this vulnerability allows local users to unmount arbitrary file systems, potentially causing a system outage. In certain contexts, it could lead to information leaks or privilege escalation.

Reproduction

The vulnerability can be reproduced by invoking the smb4k mount helper's unmount function via D-Bus, with a path that does not match any existing Samba mounts. This bypasses the helper's verification logic, allowing the unmounting of arbitrary file systems.

Remediation

Users can update to smb4k version 4.0.5, which addresses the vulnerability by implementing proper input validation and restricting unmount actions to predefined directories.
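The remediation above names the two controls a privileged unmount helper needs: validate the caller-supplied path, and only act on mount points under a predefined directory that are actually Samba mounts. The following is an added example of such a check, written for this page; it is not smb4k's code, and `ALLOWED_ROOT`, `parse_mounts`, `is_unmount_allowed` and the embedded /proc/mounts-style sample table are all constructed for the illustration. It also rejects option-like arguments (a leading `-`), which is the argument-injection class the advisory describes when a path is handed to a command line unchecked.

```python
"""Defensive path check for a privileged unmount helper (illustrative, not smb4k's code).

A request is accepted only if the path
  1. cannot be parsed as an option by the unmount command (argument injection),
  2. is absolute and, after normalisation, lies strictly inside ALLOWED_ROOT,
  3. is a current mount point whose filesystem type is a Samba/CIFS type.
"""
import posixpath
import re
from typing import Dict, Tuple

# Hypothetical predefined directory under which the helper may unmount.
ALLOWED_ROOT = "/home/user/smb4k"

# Constructed /proc/mounts-style sample: device mountpoint fstype options dump pass.
# The kernel escapes spaces in paths as \040, which parse_mounts() decodes.
SAMPLE_MOUNTS = """\
sysfs /sys sysfs rw,nosuid,nodev,noexec,relatime 0 0
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /home ext4 rw,relatime 0 0
//fileserver/share /home/user/smb4k/fileserver/share cifs rw,relatime,vers=3.0 0 0
//fileserver/with\\040space /home/user/smb4k/fileserver/with\\040space cifs rw,relatime 0 0
"""


def _unescape(field: str) -> str:
    """Decode the 3-digit octal escapes /proc/mounts uses (\\040 space, \\011 tab, ...)."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), field)


def parse_mounts(text: str) -> Dict[str, str]:
    """Map each mount point to its filesystem type from /proc/mounts-format text."""
    mounts: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mounts[_unescape(parts[1])] = parts[2]
    return mounts


def is_unmount_allowed(path: str, mounts: Dict[str, str],
                       allowed_root: str = ALLOWED_ROOT) -> Tuple[bool, str]:
    """Return (allowed, reason) for an unmount request on `path`."""
    # 1. Anything starting with '-' could be consumed as an option by umount(8).
    if not path or path.startswith("-"):
        return False, "option-like or empty path"
    # 2. Absolute only; collapse '..' and '.' lexically so traversal cannot escape the root.
    #    A production helper should additionally resolve symlinks (os.path.realpath)
    #    before comparing; lexical normalisation keeps this example offline and deterministic.
    if not path.startswith("/"):
        return False, "relative path"
    norm = posixpath.normpath(path)
    root = posixpath.normpath(allowed_root)
    if norm == root or not norm.startswith(root + "/"):
        return False, "outside allowed root"
    # 3. Must be an existing mount point of a Samba filesystem type, not merely a directory.
    fstype = mounts.get(norm)
    if fstype is None:
        return False, "not a mount point"
    if fstype not in ("cifs", "smb3"):
        return False, f"not a Samba mount ({fstype})"
    return True, "ok"


MOUNTS = parse_mounts(SAMPLE_MOUNTS)

if __name__ == "__main__":
    for candidate in ["/home/user/smb4k/fileserver/share",
                      "/home/user/smb4k/fileserver/with space",
                      "/home/user/smb4k/fileserver/share/../../../../..",
                      "/home", "-l", "/home/user/smb4k/not-mounted"]:
        print(f"{candidate!r:55} -> {is_unmount_allowed(candidate, MOUNTS)}")
```

The order of the checks matters: the mount-table lookup alone would already reject `/home`, but the root-directory check is what stops a future change in mount layout (or a CIFS share mounted elsewhere by another user) from widening what the helper will touch, and the option check belongs before any path handling at all.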

Added: Jan 8, 2026, 3:25 PM
Updated: Jan 8, 2026, 6:43 PM

Vulnerability Rating

Custom Algorithm

Category         Score
spread           2.4
impact           3.1
exploitability   4.3
remediation      7.7
relevance        1.9
threat           4.8
urgency          2.9
incentive        1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.