Attachment 16815 Details for Bug 13979 – CVE advisory.

CVE advisory.

CVE-2019-10151.txt (text/plain), 3.35 KB, created by Jeremy Allison on 2021-09-24 18:51:43 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Jeremy Allison

Created: 2021-09-24 18:51:43 UTC

Size: 3.35 KB

patch

obsolete

>===========================================================
>== Subject:     Symlink race error can allow directory creation
>==              outside of the exported share.
>==
>== CVE ID#:     CVE-2019-10151
>==
>==
>== Versions:    All versions of the Samba file server prior to
>==              4.13.13
>==
>== Summary:     A malicious client can use a symlink race to
>==              create a directory in a part of the server file
>==              system not exported under the share definition.
>==              The user must have permissions to create the
>==              directory in the target directory.
>===========================================================
>
>===========
>Description
>===========
>
>All versions of Samba prior to 4.13.13 are vulnerable to a malicious
>client using an SMB1 or NFS symlink race to allow a directory to be
>created in an area of the server file system not exported under the
>share definition. Note that SMB1 has to be enabled, or the share
>also available via NFS in order for this attack to succeed.
>
>Clients that have write access to the exported part of the file system
>under a share via SMB1 unix extensions or NFS can create symlinks that
>can race the server by renaming an existing path and then replacing it
>with a symlink. If the client wins the race it can cause the server to
>create a directory under the new symlink target after the exported
>share path check has been done. This new symlink target can point to
>anywhere on the server file system. The authenticated user must have
>permissions to create a directory under the target directory of the
>symlink.
>
>This is a difficult race to win, but theoretically possible. Note that
>the proof of concept code supplied wins the race only when the server
>is slowed down and put under heavy load. Exploitation of this bug has
>not been seen in the wild.
>
>==================
>Patch Availability
>==================
>
>Patches addressing this issue has been posted to:
>
>    https://www.samba.org/samba/security/
>
>Samba 4.13.13 has been issued as a security releases to correct the
>defect. Samba administrators are advised to upgrade to this release as
>soon as possible.
>
>==================
>CVSSv3.1 calculation
>==================
>
>CVSS:2.2/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N
>
>base score of 2.6.
>
>=================================
>Workaround and mitigating factors
>=================================
>
>Do not enable SMB1 (please note SMB1 is disabled by default in Samba
>from version 4.11.0 and onwards). This prevents the creation of
>symbolic links via SMB1. If SMB1 must be enabled for backwards
>compatibility then add the parameter:
>
>unix extensions = no
>
>to the [global] section of your smb.conf and restart smbd. This
>prevents SMB1 clients from creating symlinks on the exported file
>system.
>
>However, if the same region of the file system is also exported using
>NFS, NFS clients can create symlinks that potentially can also hit the
>race condition. For non-patched versions of Samba we recommend only
>exporting areas of the file system by either SMB2 or NFS, not both.
>
>=======
>Credits
>=======
>
>Reported by Michael Hanselmann of Google.
>Jeremy Allison of Google and the Samba Team provided the fix.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================

Flags:

slow: review+
jmcd: review+

Actions: View

Attachments on bug 13979: 15205 | 15212 | 15213 | 15214 | 15215 | 15217 | 16812 | 16815 | 16987 | 16988 | 17072