
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2021-20316 affects all versions of the Samba file server prior to 4.15.0. The vulnerability involves a flaw in how Samba handles file/directory metadata, allowing an authenticated attacker with permissions to read or modify share metadata to perform these operations outside of the exported share (Samba Advisory).
The vulnerability is a symlink race condition that can be exploited through SMB1 or NFS protocols. Clients with write access to the exported file system can create symlinks that race the server by renaming an existing path and replacing it with a symlink. If successful, the attacker can read or modify file or directory metadata on the symlink target, including attributes like timestamps, extended attributes, permissions, and ownership. The vulnerability has a CVSS v3.1 base score of 6.8 (MEDIUM) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (NVD, Samba Advisory).
If exploited, this vulnerability allows authenticated users to access or modify filesystem metadata in areas of the server file system not exported under the share definition. The attacker must have permissions to read or modify the metadata of the target file or directory. The race condition is described as difficult to win, particularly under normal server conditions (Samba Advisory).
For unpatched versions, several mitigations are available: 1) Disable SMB1 (disabled by default in Samba 4.11.0 and later), 2) Add 'unix extensions = no' to the [global] section of smb.conf if SMB1 must be enabled, 3) Only export areas of the file system by either SMB2 or NFS, not both. The permanent fix was implemented in Samba 4.15.0 through a complete rewrite of the Samba VFS layer to use handle-based operations instead of pathname-based calls (Samba Advisory).
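The difference between pathname-based and handle-based metadata calls that the fix relies on, shown as an added C example; it is not Samba's VFS code and does not come from the advisory. The function names `chmod_by_path` and `chmod_by_handle` are hypothetical, and a permission change stands in for the other metadata operations (timestamps, extended attributes, ownership).

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Pathname-based pattern (racy): the path is resolved twice, so a rename plus
 * symlink swap between lstat() and chmod() redirects chmod() elsewhere. */
int chmod_by_path(const char *path, mode_t mode)
{
    struct stat st;
    if (lstat(path, &st) != 0 || S_ISLNK(st.st_mode))
        return -1;
    return chmod(path, mode);          /* second, independent path lookup */
}

/* Handle-based pattern: walk rel one component at a time from share_fd,
 * refusing symlinks and "..", then act on the descriptor that was opened. */
int chmod_by_handle(int share_fd, const char *rel, mode_t mode)
{
    char buf[4096], *save = NULL, *comp;
    int fd, next, rc;
    if (strlen(rel) >= sizeof(buf) || (fd = dup(share_fd)) < 0)
        return -1;
    strcpy(buf, rel);
    for (comp = strtok_r(buf, "/", &save); comp; comp = strtok_r(NULL, "/", &save)) {
        if (strcmp(comp, "..") == 0) { close(fd); return -1; }
        next = openat(fd, comp, O_RDONLY | O_NOFOLLOW | O_NONBLOCK | O_CLOEXEC);
        close(fd);
        if (next < 0)
            return -1;                 /* fails if comp is a symlink (ELOOP on Linux) */
        fd = next;
    }
    rc = fchmod(fd, mode);             /* applies to the opened inode only */
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    int share_fd = argc == 3 ? open(argv[1], O_RDONLY | O_DIRECTORY) : -1;
    if (share_fd < 0 || chmod_by_handle(share_fd, argv[2], 0640) != 0) {
        fprintf(stderr, "refused: need <share-root> <relative-path> with no symlinks\n");
        return EXIT_FAILURE;
    }
    return EXIT_SUCCESS;
}
```

This walk also rejects symlinks that point inside the share; a server that has to allow those must resolve them itself and re-check containment before acting.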
Source: This report was generated using AI