Spotlight server-side Share Path Disclosure

Description

As part of the Spotlight protocol, the initial request
returns a path associated with the sharename targeted by
the RPC request. Samba returns the real server-side share
path at this point, as well as returning the absolute
server-side path of results in search queries by clients.

Known server side paths could be used to mount subsequent
more serious security attacks or could disclose confidential
information that is part of the path.

To mitigate the issue, Samba will replace the real server-side
path with a fake path constructed from the sharename.

Important change in mdscli RPC library and mdsearch command

As the absolute paths starting with the sharename prefix are
not usable on the client side, the mdscli RPC library and
hence the mdsearch command will from now on report paths of
search results as relative paths relative to the root of the
SMB share.

Given a share

[spotlight]
path = /foo/bar
spotlight = yes

and a file inside this share with a full server-side path of

/foo/bar/dir/file

previously a search that matched this file would return the
absolute server-side path of the file

/foo/bar/dir/file

which is now changed to

dir/file

by this patchset.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
as security releases to correct the defect. Samba administrators
are advised to upgrade to these releases or apply the patch as
soon as possible.

CVSSv3 calculation

CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)

Workaround

As a possible workaround disable Spotlight by removing all
configuration stanzas that enable Spotlight (“spotlight =
yes|true”).

Credits

Originally reported by Ralph Boehme and Stefan Metzmacher
of SerNet and the Samba team.

Patches provided by Ralph Boehme of SerNet and the Samba
team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team