The Samba-Bugzilla – Attachment 16815 Details for
Bug 13979
CVE-2021-43566 [SECURITY] mkdir race condition allows share escape in Samba 4.x
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
CVE advisory.
CVE-2019-10151.txt (text/plain), 3.35 KB, created by
Jeremy Allison
on 2021-09-24 18:51:43 UTC
(
hide
)
Description:
CVE advisory.
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2021-09-24 18:51:43 UTC
Size:
3.35 KB
patch
obsolete
>=========================================================== >== Subject: Symlink race error can allow directory creation >== outside of the exported share. >== >== CVE ID#: CVE-2019-10151 >== >== >== Versions: All versions of the Samba file server prior to >== 4.13.13 >== >== Summary: A malicious client can use a symlink race to >== create a directory in a part of the server file >== system not exported under the share definition. >== The user must have permissions to create the >== directory in the target directory. >=========================================================== > >=========== >Description >=========== > >All versions of Samba prior to 4.13.13 are vulnerable to a malicious >client using an SMB1 or NFS symlink race to allow a directory to be >created in an area of the server file system not exported under the >share definition. Note that SMB1 has to be enabled, or the share >also available via NFS in order for this attack to succeed. > >Clients that have write access to the exported part of the file system >under a share via SMB1 unix extensions or NFS can create symlinks that >can race the server by renaming an existing path and then replacing it >with a symlink. If the client wins the race it can cause the server to >create a directory under the new symlink target after the exported >share path check has been done. This new symlink target can point to >anywhere on the server file system. The authenticated user must have >permissions to create a directory under the target directory of the >symlink. > >This is a difficult race to win, but theoretically possible. Note that >the proof of concept code supplied wins the race only when the server >is slowed down and put under heavy load. Exploitation of this bug has >not been seen in the wild. > >================== >Patch Availability >================== > >Patches addressing this issue has been posted to: > > https://www.samba.org/samba/security/ > >Samba 4.13.13 has been issued as a security releases to correct the >defect. Samba administrators are advised to upgrade to this release as >soon as possible. > >================== >CVSSv3.1 calculation >================== > >CVSS:2.2/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N > >base score of 2.6. > >================================= >Workaround and mitigating factors >================================= > >Do not enable SMB1 (please note SMB1 is disabled by default in Samba >from version 4.11.0 and onwards). This prevents the creation of >symbolic links via SMB1. If SMB1 must be enabled for backwards >compatibility then add the parameter: > >unix extensions = no > >to the [global] section of your smb.conf and restart smbd. This >prevents SMB1 clients from creating symlinks on the exported file >system. > >However, if the same region of the file system is also exported using >NFS, NFS clients can create symlinks that potentially can also hit the >race condition. For non-patched versions of Samba we recommend only >exporting areas of the file system by either SMB2 or NFS, not both. > >======= >Credits >======= > >Reported by Michael Hanselmann of Google. >Jeremy Allison of Google and the Samba Team provided the fix. > >========================================================== >== Our Code, Our Bugs, Our Responsibility. >== The Samba Team >==========================================================
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review+
jmcd
:
review+
Actions:
View
Attachments on
bug 13979
:
15205
|
15212
|
15213
|
15214
|
15215
|
15217
|
16812
|
16815
|
16987
|
16988
|
17072