CVE-2021-43566: 
Kerberos vulnerability analysis and mitigation

All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race condition that allows directory creation in areas of the server file system not exported under the share definition. The vulnerability, identified as CVE-2021-43566, was discovered by Michael Hanselmann of Google and affects the Samba file server's directory creation mechanism (Samba Security).

The vulnerability exploits a race condition where clients with write access to the exported part of the file system via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race, it can cause the server to create a directory under the new symlink target after the exported share path check has been completed. The symlink target can point to anywhere on the server file system. The CVSS v3.1 base score is 2.6 (Low) with vector: AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N (Samba Security).

If successfully exploited, an authenticated user with permissions to create directories can create directories outside of their intended share location. The authenticated user must have permissions to create a directory under the target directory of the symlink. While the race is difficult to win and has not been seen exploited in the wild, it poses a potential security risk by allowing directory creation outside of intended boundaries (Samba Security).

Several mitigation options are available: 1) Do not enable SMB1 (disabled by default in Samba from version 4.11.0 onwards), 2) If SMB1 must be enabled, add 'unix extensions = no' to the [global] section of smb.conf and restart smbd, 3) For non-patched versions, only export areas of the file system by either SMB2 or NFS, not both. The permanent fix is to upgrade to Samba version 4.13.16 or later (Samba Security).