=========================================================== == Subject: Negative idmap cache entries can cause incorrect == group entries in the Samba file server process == token. == == CVE ID#: CVE-2021-20254 == == == Versions: All versions of the Samba file server since == Samba 3.6.0 == == Summary: A coding error converting SIDs to gids could == allow unexpected group entries in a process token. == This could allow unauthorized access to files. =========================================================== =========== Description =========== The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. Most commonly this flaw caused the calling code to crash, but an alert user (Peter Eriksson) found this flaw by noticing an unprivileged user was able to delete a file within a network share that they should have been disallowed access to. Analysis of the code paths has not allowed us to discover a way for a remote user to be able to trigger this flaw reproducibly or on demand, but this CVE has been issued out of an abundance of caution. ================== Patch Availability ================== Patches addressing this issue has been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.x.y 4.x.y and 4.x.y have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:N/MAV:N/MAC:H/MPR:L/MUI:N base score of 8.2 - high. ================================= Workaround and mitigating factors ================================= None. ======= Credits ======= Reported by Peter Eriksson. Volker Lendecke of SerNet and the Samba Team provided the fix. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================