CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS
Percentile: 46.4%
The SMB protocol allows opening files where the client
requests read-only access, but then implicitly truncating
the opened file if the client specifies a separate OVERWRITE
create disposition.
This operation requires write access to the file, and in the
default Samba configuration the operating system kernel will
deny access to open a read-only file for read/write (which
the truncate operation requires).
However, when Samba has been configured to ignore kernel
file system permissions, Samba will truncate a file when the
underlying operating system kernel would deny the operation.
Affected Samba configurations are the ones where kernel
file-system permission checks are bypassed, relying on
Samba's own permission enforcement. The error is that this
check is done against the client request for read-only
access, and not the implicitly requested read-write (for
truncate) one.
The widely used Samba VFS module "acl_xattr" when configured
with the module configuration parameter "acl_xattr:ignore
system acls = yes" is the only upstream Samba module that
allows this behavior and is the only known method of
reproducing this security flaw.
If (as is the default) the module configuration parameter
"acl_xattr:ignore system acls=no", then the Samba server is
not vulnerable to this attack.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have
been issued as security releases to correct the defect.
Samba administrators are advised to upgrade to these
releases or apply the patch as soon as possible.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)
None.
Originally reported by Sri Nagasubramanian <[email protected]>
from Nasuni.
Patches provided by Ralph Böhme of SerNet and the Samba team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team