=========================================================== == Subject: World writable files in Samba AD DC private/ dir == == CVE ID#: CVE-2019-3870 == == Versions: Samba 4.9 and later == == Summary: During the provision of a new Active Directory DC, some files in the private/ directory are created world-writable. =========================================================== =========== Description =========== During the creation of a new Samba AD DC, files are created in a the private/ subdirectory of our install location. This directory is typically mode 0700, that is owner (root) only access. However in some upgraded installations it will have other permissions, such as 0755, because this was the default before Samba 4.8. Within this directory files are created with mode 0666, that is world-writable, including a sample krb5.conf and the list of DNS names and servicePrincipalName values to update. ================== Patch Availability ================== Patches addressing both these issues have been posted to: http://www.samba.org/samba/security/ Additionally, Samba 4.9.6 and 4.10.2 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H This score is calculated based on modification to the dns_update_list or spn_update_list files in a default configuration. Administrators who rely on these files in other ways might have a higher score. For example, the sample krb5.conf might be read as input to Kerberos tools or used as the system-wide krb5.conf (potentially via a symlink). =============================== Required steps (and workaround) =============================== Upgrading Samba will not change the file or directory permissions for an existing installation, it will just avoid the issue for new installations. Assuming Samba is installed in the default location as root run: chmod 0700 /usr/local/samba/private The private directory can be found in the listing from smbd -b| grep PRIVATE_DIR Alternatively remove world-write permission from any files with: chmod o-w /usr/local/samba/private/* ======= Credits ======= Originally reported by Björn Baumbach of the Samba Team and SerNet. Patches provided by Andrew Bartlett of the Samba Team and Catalyst, advisory written by Andrew Bartlett of the Samba Team and Catalyst. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================