CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
76.1%
On a Samba SMB server for all versions of Samba from 4.9.0 clients are
able to escape outside the share root directory if certain
configuration parameters set in the smb.conf file.
The problem is reproducable if the βwide linksβ option is explicitly
set to βyesβ and either βunix extensions = noβ or βallow insecure wide
links = yesβ is set in addition.
If a client has no permissions to enter the share root directory it
will get ACCESS_DENIED on the first request. However smbd has a cache
that remembers if it successfully changed to a directory. This cache
was not being reset on failure. The following SMB request will then
silently operate in the wrong directory instead of returning
ACCESS_DENIED. That directory is either the share root directory of a
different share the client was operating on successfully before or the
global root directory (β/β) of the system.
The unix token (uid, gid, list of groups) is always correctly
impersonated before each operation, so the client is still restricted
by the unix permissions enfored by the kernel.
A patch addressing this defect has been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.9.13, 4.10.8 and 4.11.0rc3 have been issued as
security releases to correct the defect. Patches against older Samba
versions may be available at https://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (8.7)
The following methods can be used as a mitigation (only one is
needed):
Use the βsharesecβ tool to configure a security descriptor for the
share thatβs at least as strict as the permissions on the share root
directory.
Use the βvalid usersβ option to allow only users/groups which are
able to enter the share root directory.
Remove βwide links = yesβ if itβs not really needed.
In some situations it might be an option to use βchmod a+xβ on the
share root directory, but you need to make sure that files and
subdirectories are protected by stricter permissions. You may also
want to βchmod a-wβ in order to prevent new top level files and
directories, which may have less restrictive permissions.
This problem was found by Stefan Metzmacher of SerNet and the Samba
Team.
Patches provided by Ralph BΓΆhme and Stefan Metzmacher of SerNet and
the Samba Team together with Jeremy Allison of Google and the Samba
Team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
EPSS
Percentile
76.1%