Samba Security: SAMBA:CVE-2023-4091
Oct 10, 2023 - 12:00 a.m.

SMB clients can truncate files with

Source: www.samba.org
Tags: smb protocol, file truncation, samba misconfiguration, security flaw, patch, upgrade, acl_xattr

CVSS3: 6.5

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

EPSS: 0.001
Percentile: 46.4%

Description

The SMB protocol allows opening files where the client
requests read-only access, but then implicitly truncating
the opened file if the client specifies a separate OVERWRITE
create disposition.

This operation requires write access to the file, and in the
default Samba configuration the operating system kernel will
deny access to open a read-only file for read/write (which
the truncate operation requires).

However, when Samba has been configured to ignore kernel
file system permissions, Samba will truncate a file when the
underlying operating system kernel would deny the operation.

Affected Samba configurations are the ones where kernel
file-system permission checks are bypassed, relying on
Samba’s own permission enforcement. The error is that this
check is done against the client request for read-only
access, and not the implicitly requested read-write (for
truncate) one.

The widely used Samba VFS module “acl_xattr” when configured
with the module configuration parameter “acl_xattr:ignore
system acls = yes” is the only upstream Samba module that
allows this behavior and is the only known method of
reproducing this security flaw.

If (as is the default) the module configuration parameter
“acl_xattr:ignore system acls=no”, then the Samba server is
not vulnerable to this attack.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have
been issued as security releases to correct the defect.
Samba administrators are advised to upgrade to these
releases or apply the patch as soon as possible.
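
An added audit sketch (not part of the Samba advisory or of Samba's code) that flags shares loading acl_xattr with "ignore system acls" enabled and checks a version string against the security releases listed above. The parser is a simplification (no include files or line continuations), the sample configuration is constructed, and treating branches newer than 4.19 as fixed is an assumption.

```python
import re

FIXED = {(4, 19): 1, (4, 18): 8, (4, 17): 12}  # security releases named in the advisory
TRUE_VALUES = {"yes", "true", "on", "1"}  # boolean spellings smb.conf accepts

def is_patched(version):
    """True if version (e.g. '4.18.7') is at or past its branch's fixed release."""
    major, minor, patch = map(int, re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    return (major, minor) > max(FIXED)  # assumption: later branches carry the fix

def parse_smb_conf(text):
    """Simplified parser: {section: {key: value}}; no includes or continuations."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip().lower(), {})
        elif line[:1] not in ("", "#", ";") and "=" in line and current is not None:
            key, value = line.split("=", 1)
            # Lower-case the key and collapse whitespace so spellings compare equal.
            current[" ".join(key.lower().split())] = value.strip()
    return sections

def exposed_shares(text):
    """Shares that load acl_xattr with 'ignore system acls' enabled."""
    sections = parse_smb_conf(text)
    defaults = sections.pop("global", {})
    hits = []
    for name, params in sections.items():
        eff = {**defaults, **params}  # share settings override [global]
        modules = re.split(r"[,\s]+", eff.get("vfs objects", "").lower())
        ignore = eff.get("acl_xattr:ignore system acls", "no").lower()
        if "acl_xattr" in modules and ignore in TRUE_VALUES:
            hits.append(name)
    return sorted(hits)

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """
[global]
    vfs objects = acl_xattr
[projects]
    acl_xattr:ignore system acls = yes
[public]
[archive]
    vfs objects = streams_xattr
    acl_xattr:ignore system acls = yes
"""
```

On the sample, only [projects] is flagged: [public] inherits acl_xattr but keeps the default "no", and [archive] sets the parameter without loading the module.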

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

Workaround

None.

Credits

Originally reported by Sri Nagasubramanian <[email protected]>
from Nasuni.

Patches provided by Ralph Böhme of SerNet and the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
