===========================================================
== Subject:     Save registry file outside share as unprivileged user
==
== CVE ID#:     CVE-2019-3880
==
== Versions:    All versions of Samba since Samba 3.2.0
==
== Summary:     Authenticated users with write permission
==              can trigger a symlink traversal to write
==              files outside the Samba share.
===========================================================

===========
Description
===========

Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, "winreg_SaveKey", is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
save a registry hive file anywhere they have write access, even
outside a Samba share. Samba writes the file as the authenticated
user, not as root.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.11, 4.9.6 and 4.10.2 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========
Workaround
==========

A read only share (via filesystem permissions) containing no symbolic
links will mitigate the attack.

For a write-enabled share containing no symbolic links, setting the
global parameter 'unix extensions = no' or 'min protocol = SMB2' in
the smb.conf will mitigate the attack.

=======
Credits
=======

Originally reported by Michael Hanselmann.

Patches provided by Jeremy Allison of the Samba Team and Google.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
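
Added example (not part of the Samba advisory or the Samba code base): a shell check for the write-enabled workaround above, confirming that a share root contains no symbolic links and that the [global] section sets one of the two named parameters. The function names are hypothetical; treating 'server min protocol' and SMB3 values like 'min protocol = SMB2' is an assumption of this sketch.

```shell
#!/bin/sh
# Added example: audit one share against the CVE-2019-3880 workaround.
# Usage: audit_share <smb.conf> <share-root>
# Return: 0 = workaround conditions met, 1 = symlinks present in the share,
#         2 = no symlinks, but neither global parameter is set.

# Succeeds if [global] sets "unix extensions = no" or "(server) min protocol"
# to SMB2 or later. smb.conf names ignore case and internal whitespace.
global_mitigated() {
    awk '
        /^[ \t]*[#;]/ { next }                  # skip comment lines
        /^[ \t]*\[/ {                           # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            i = index($0, "=")
            k = tolower(substr($0, 1, i - 1)); gsub(/[ \t]/, "", k)
            v = tolower(substr($0, i + 1))
            gsub(/^[ \t]+|[ \t\r]+$/, "", v)
            # A later setting overrides an earlier one, as in smb.conf.
            if (k == "unixextensions")
                ux = (v == "no" || v == "false" || v == "0")
            if (k == "minprotocol" || k == "serverminprotocol")
                mp = (v ~ /^smb[23]/)
        }
        END { exit !(ux || mp) }
    ' "$1"
}

# Prints every symbolic link below the share root (find does not follow them).
share_symlinks() {
    find "$1" -type l -print
}

audit_share() {
    links=$(share_symlinks "$2")
    if [ -n "$links" ]; then
        printf 'symlinks in %s:\n%s\n' "$2" "$links" >&2
        return 1
    fi
    global_mitigated "$1" || return 2
    return 0
}
```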