The Samba-Bugzilla – Attachment 15030 Details for Bug 13851: CVE-2019-3880 [SECURITY] Save registry file outside share as unprivileged user in Samba 4.x
advisory with CVE (v5)
CVE-2019-3880-advisory-05.txt (text/plain), 3.01 KB, created by Andrew Bartlett on 2019-04-01 01:12:19 UTC
>===========================================================
>== Subject: Save registry file outside share as unprivileged user
>==
>== CVE ID#: CVE-2019-3880
>==
>== Versions: All versions of Samba since Samba 3.2.0
>==
>== Summary: Authenticated users with write permission
>            can trigger a symlink traversal to write
>            or detect files outside the Samba share.
>===========================================================
>
>===========
>Description
>===========
>
>Samba contains an RPC endpoint emulating the Windows registry service
>API. One of the requests, "winreg_SaveKey", is susceptible to a
>path/symlink traversal vulnerability. Unprivileged users can use it to
>create a new registry hive file anywhere they have unix permissions to
>create a new file within a Samba share. If they are able to create
>symlinks on a Samba share, they can create a new registry hive file
>anywhere they have write access, even outside a Samba share
>definition.
>
>Note - existing share restrictions such as "read only" or share ACLs
>do *not* prevent new registry hive files being written to the
>filesystem. A file may be written under any share definition wherever
>the user has unix permissions to create a file.
>
>Existing files cannot be overwritten using this vulnerability, only
>new registry hive files can be created, however the presence of
>existing files with a specific name can be detected.
>
>Samba writes or detects the file as the authenticated user, not as root.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    http://www.samba.org/samba/security/
>
>Additionally, Samba 4.8.11, 4.9.6 and 4.10.2 have been issued as
>security releases to correct the defect. Samba administrators are
>advised to upgrade to these releases or apply the patch as soon as
>possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (6.3)
>
>==========
>Workaround
>==========
>
>If the areas of the filesystem being exported by all share definitions
>have no symlinks pointing outside the shared areas, the attacker can
>only create new files inside the shared areas.
>
>If the server is exporting SMB1 shares, and the global parameter 'unix
>extensions = yes' is set (the default value), then an attacker can
>create symbolic links that point outside the share definitions to
>allow registry hive files to be created wherever the symlink points to
>(so long as no existing file is present).
>
>Either turn off SMB1 by setting the global parameter:
>
>'min protocol = SMB2'
>
>or if SMB1 is required turn off unix extensions by setting the global
>parameter:
>
>'unix extensions = no'
>
>in the smb.conf file.
>
>=======
>Credits
>=======
>
>Originally reported by Michael Hanselmann.
>
>Patches provided by Jeremy Allison of the Samba Team and Google.
>Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
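
An audit for the first condition in the Workaround section, added here as an example (it is not part of the advisory or of Samba's code): it lists symlinks under the exported paths whose targets resolve outside every exported path. The function names are illustrative, and the share paths given on the command line are the administrator's own.

```python
import os
import sys


def _inside(path, roots):
    """True if path equals, or lies beneath, one of the resolved roots."""
    return any(os.path.commonpath([path, r]) == r for r in roots)


def escaping_symlinks(share_paths):
    """Return sorted (link, resolved_target) pairs for every symlink found
    under a share path whose target resolves outside all share paths."""
    roots = [os.path.realpath(p) for p in share_paths]
    findings = set()
    for root in roots:
        # followlinks=False: symlinked directories are listed in dirnames
        # but never descended into, so the walk itself stays in the share.
        for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
            for name in dirnames + filenames:
                link = os.path.join(dirpath, name)
                if not os.path.islink(link):
                    continue
                # realpath() also resolves dangling links. Those matter here:
                # the advisory says a file can be created where a symlink
                # points so long as no existing file is present.
                target = os.path.realpath(link)
                if not _inside(target, roots):
                    findings.add((link, target))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python3 audit_share_symlinks.py /srv/share1 /srv/share2 ...
    # (the script name and paths are placeholders)
    results = escaping_symlinks(sys.argv[1:])
    for link, target in results:
        print(f"{link} -> {target}")
    sys.exit(1 if results else 0)
```

An empty result describes the tree only at scan time. Per the advisory, with SMB1 and 'unix extensions = yes' a client can create new symlinks afterwards, so the smb.conf settings in the Workaround section still apply.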
Flags: garming: review+