Samba Security: SAMBA:CVE-2023-3961
History: Oct 10, 2023 - 12:00 a.m.

smbd allows client access to unix domain sockets

2023-10-10 00:00:00
Samba Security
www.samba.org
smb protocols
named pipes
ipc share
samba 4.16.0
unix domain sockets
directory traversal
denial of service
security patch
samba 4.19.1
remote code execution
vulnerability

CVSS3

9.8

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS

0.002

Percentile

53.8%

Description

The SMB 1/2/3 protocols allow clients to connect to named
pipes via the IPC$ (Inter-Process Communication) share
for the process of inter-process communication between
SMB clients and servers.

Since Samba 4.16.0, Samba internally connects client pipe names
to unix domain sockets within a private directory, allowing clients
to connect to services listening on those sockets. This is
usually used to connect SMB clients to remote procedure
call (RPC) services, such as SAMR, LSA, or SPOOLSS, which Samba
starts on demand.

However, insufficient sanitization was done on the incoming
client pipe name, meaning that a client sending a pipe name
containing unix directory traversal characters (../)
could cause Samba to connect to unix domain sockets
outside of the private directory meant to restrict the
services a client could connect to. Samba connects
to the unix domain sockets as root, meaning if a client
could send a pipe name that resolved to an external
service using an existing unix domain socket, the client would
be able to connect to it without filesystem permissions
restricting access.

Depending on the service the client can connect to,
the client may be able to trigger adverse events such
as denial of service, crashing the service, or potentially
compromising it.

There are no current known exploits for this bug.
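As an added illustration (not Samba's own code), the kind of check that closes the gap described above: a client pipe name is accepted only as a single path component before it is joined onto the private socket directory, so no sequence of "../" or separator characters can resolve to a socket outside that directory. The directory path is a constructed placeholder, not the path Samba uses.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed placeholder for the private socket directory; the real
 * location depends on the Samba configuration and is not from the advisory. */
#define PIPE_SOCKET_DIR "/var/run/samba/np"

/* A client pipe name is acceptable only as a single path component:
 * non-empty, printable ASCII, no '/' or '\\', and not "." or "..".
 * Anything else could escape PIPE_SOCKET_DIR once the path is joined. */
bool pipe_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0') return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p == '/' || *p == '\\' || !isprint(*p)) return false;
    }
    return true;
}

/* Join the validated name onto the private directory. Returns 0 on success,
 * -1 if the name is rejected or the result would not fit in `out`. */
int build_pipe_socket_path(const char *name, char *out, size_t outlen)
{
    if (!pipe_name_is_safe(name)) return -1;
    int n = snprintf(out, outlen, "%s/%s", PIPE_SOCKET_DIR, name);
    if (n < 0 || (size_t)n >= outlen) return -1;
    return 0;
}

int main(void)
{
    /* Constructed sample names: two legitimate RPC pipes, then inputs that
     * would leave the private directory if they were accepted unchecked. */
    const char *samples[] = { "samr", "spoolss", "../../../tmp/x", "a\\b", "..", "" };
    char path[128];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        int rc = build_pipe_socket_path(samples[i], path, sizeof(path));
        printf("%-18s -> %s\n", samples[i], rc == 0 ? path : "rejected");
    }
    return 0;
}
```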

Patch Availability

Patches addressing this issue have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8)

Workaround

None.

Credits

Originally discovered by Jeremy Allison of the Samba team
and CIQ, Inc.

Patches provided by Jeremy Allison of the Samba team and
CIQ, Inc.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
