The Samba-Bugzilla – Attachment 16816 Details for Bug 14842
CVE-2021-20316 [SECURITY] Fileserver symlink metadata share escape.
Proposed CVE text.
CVE-2021-20316.txt (text/plain), 4.19 KB, created by Jeremy Allison on 2021-09-24 21:27:15 UTC
===========================================================
== Subject: Symlink race error can allow metadata read
==          and modify outside of the exported share.
==
== CVE ID#: CVE-2021-20316
==
== Versions: All versions of the Samba file server prior to
==           4.15.0
==
== Summary: A malicious client can use a symlink race to
==          access or modify file or directory metadata
==          information outside of the exported share.
==          The user must have permissions to read or write
==          the metadata on the accessed file or directory.
===========================================================

===========
Description
===========

All versions of Samba prior to 4.15.0 are vulnerable to a malicious
client using an SMB1 or NFS symlink race to allow filesystem metadata
to be accessed in an area of the server file system not exported under
the share definition. Note that SMB1 has to be enabled, or the share
also available via NFS, in order for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks that
can race the server by renaming an existing path and then replacing it
with a symlink. If the client wins the race it can cause the server to
read or modify file or directory metadata on the symlink target.

The authenticated user must have permissions to modify the metadata of
the target of the symlink.

Filesystem metadata includes such attributes as timestamps, extended
attributes, permissions and ownership.

This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race only when the server
is slowed down and put under heavy load. Exploitation of this bug has
not been seen in the wild.

==================
Patch Availability
==================

Prior to Samba 4.15.0 patches for this are not possible, due to the
prior design of the Samba VFS layer, which used pathname-based calls
for most metadata operations.

A two-and-a-half-year effort was undertaken to completely rewrite the
Samba VFS layer to stop use of pathname-based calls in all cases
involving reading and writing of metadata returned to the client.
This work has finally been completed in Samba 4.15.0.

Pathname-based VFS calls are still used as an initial optimization to
determine if a client-requested path exists, but when data is returned
to the client or written onto the underlying filesystem the
target component is first opened as a file handle, going through
rigorous checking to ensure it is contained within the share
path. All metadata is then refreshed from or written to the open
handle, not via pathname-based VFS calls.

As all operations are now done on an open handle we believe that any
further symlink race conditions have been completely eliminated in
Samba 4.15.0 and all future versions of Samba.

====================
CVSSv3.1 calculation
====================

CVSS:7.4/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:X/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:N

base score of 5.9.

=================================
Workaround and mitigating factors
=================================

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.

However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.

=======
Credits
=======

Reported by Michael Hanselmann of Google.

The fix was a multi-year effort by Ralph Boehme of Sernet,
Jeremy Allison of Google and Noel Power of SuSE.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
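The handle-based pattern the Patch Availability section describes, shown as an added example that is not Samba's VFS code: the share-relative path is opened component by component with O_NOFOLLOW, and the metadata write goes through the resulting descriptor rather than through a pathname that a racing client could have replaced with a symlink. It assumes Linux/POSIX and a writable /tmp; the function names and the fixture are constructed for the example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Walk `rel` beneath the share's directory fd one component at a time with
 * O_NOFOLLOW: a symlink component fails with ELOOP instead of being followed. */
static int open_in_share(int share_fd, const char *rel)
{
    char buf[PATH_MAX], *save = NULL;
    if (strlen(rel) >= sizeof buf) { errno = ENAMETOOLONG; return -1; }
    strcpy(buf, rel);
    int cur = dup(share_fd);
    for (char *c = strtok_r(buf, "/", &save); cur >= 0 && c; c = strtok_r(NULL, "/", &save)) {
        if (strcmp(c, "..") == 0) { close(cur); errno = EACCES; return -1; }
        int next = openat(cur, c, O_RDONLY | O_NOFOLLOW | O_CLOEXEC);
        close(cur);
        cur = next;  /* -1 (ELOOP for a symlink) ends the loop and is returned */
    }
    return cur;
}

/* fchmod() acts on the checked handle; chmod(path) would re-resolve the path. */
static int set_mode_by_handle(int share_fd, const char *rel, mode_t mode)
{
    int fd = open_in_share(share_fd, rel);
    int rc = fd < 0 ? -1 : fchmod(fd, mode);
    if (fd >= 0) close(fd);
    return rc;
}

/* Constructed fixture: <tmp>/outside.txt, <tmp>/share/inside.txt and
 * <tmp>/share/escape -> ../outside.txt.  Returns 0 when inside.txt is
 * modified through the handle and the symlink is refused with ELOOP. */
int selftest(void)
{
    char root[] = "/tmp/cve20316XXXXXX", p[PATH_MAX];
    if (!mkdtemp(root)) return 1;
    snprintf(p, sizeof p, "%s/share", root); mkdir(p, 0700);
    int share_fd = open(p, O_RDONLY | O_DIRECTORY);
    snprintf(p, sizeof p, "%s/outside.txt", root);      close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/share/inside.txt", root); close(open(p, O_CREAT | O_WRONLY, 0600));
    snprintf(p, sizeof p, "%s/share/escape", root);     symlink("../outside.txt", p);
    int changed = set_mode_by_handle(share_fd, "inside.txt", 0640) == 0;
    int refused = set_mode_by_handle(share_fd, "escape", 0666) == -1 && errno == ELOOP;
    close(share_fd);
    return (changed && refused) ? 0 : 2;
}
```

The same handle can be passed to futimens() or fsetxattr() for the other metadata classes the advisory lists; the point is that every write uses the descriptor that was checked, not the pathname.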