=========================================================== == Subject: Save registry file outside share as unprivileged user == == CVE ID#: CVE-2019-3880 == == Versions: All versions of Samba since Samba 3.2.0 == == Summary: Authenticated users with write permission can trigger a symlink traversal to write files outside the Samba share. =========================================================== =========== Description =========== Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winreg_SaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a new file within a Samba share. If they are able to create symlinks on a Samba share, they can create a new registry hive file anywhere they have write access, even outside a Samba share definition. Note - existing share restrictions such as "read only" or share ACLs do *not* prevent new registry hive files being written to the filesystem. A file may be written under any share definition wherever the user has unix permissions to create a file. Existing files cannot be overwritten using this vulnerability, only new registry hive files can be created. Samba writes the file as the authenticated user, not as root. ================== Patch Availability ================== Patches addressing both these issues have been posted to: http://www.samba.org/samba/security/ Additionally, Samba 4.8.11, 4.9.6 and 4.10.2 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4) ========== Workaround ========== If the areas of the filesystem being exported by all share definitions have no symlinks pointing outside the shared areas, the attacker can only create new files inside the shared areas. Is the server is exporting SMB1 shares, and the global parameter 'unix extensions = yes' is set (the default value), then an attacker can create symbolic links that point outside the share definitions to allow registry hive files to be created wherever the symlink points to (so long as no existing file is present). Either turn off SMB1 by setting the global parameter: 'min protocol =SMB2' or if SMB1 is required turn off unix extensions by setting the global parameter: 'unix extensions = no' in the smb.conf file. ======= Credits ======= Originally reported by Michael Hanselmann. Patches provided by Jeremy Allison of the Samba Team and Google. Advisory written by Andrew Bartlett of the Samba Team and Catalyst. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================