The Samba-Bugzilla – Attachment 17060 Details for
Bug 14911
CVE-2021-44141 [SECURITY] UNIX extensions in SMB1 disclose whether the outside target of a symlink exists
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
Updated CVE text .
CVE-2021-44141.txt (text/plain), 4.02 KB, created by
Jeremy Allison
on 2021-12-16 19:58:58 UTC
(
hide
)
Description:
Updated CVE text .
Filename:
MIME Type:
Creator:
Jeremy Allison
Created:
2021-12-16 19:58:58 UTC
Size:
4.02 KB
patch
obsolete
>=========================================================== >== Subject: Information leak via symlinks of existance of >== files or directories outside of the exported >== share. >== >== CVE ID#: CVE-2021-44141 >== >== >== Versions: All versions of the Samba file server prior to >== 4.15.4. >== >== Summary: A client can use a symlink to discover if a named >== or directory exists on the filesystem outside of >== the exported share. The user must have permissions >== to query a symlink inside the exported share using >== SMB1 with unix extensions turned on. >=========================================================== > >=========== >Description >=========== > >All versions of Samba prior to 4.15.4 are vulnerable to a malicious >client using a server symlink to determine if a file or directory >exists in an area of the server file system not exported under the >share definition. SMB1 with unix extensions has to be enabled in order >for this attack to succeed. > >Clients that have write access to the exported part of the file system >under a share via SMB1 unix extensions or via NFS can create symlinks >that point to arbitrary files or directories on the server filesystem. > >Clients can then use SMB1 unix extension information queries to >determine if the target of the symlink exists or not by examining >error codes returned from the smbd server. There is no ability to >access these files or directories, only to determine if they exist or >not. > >If SMB1 is turned off and only SMB2 is used, or unix extensions are >not enabled then there is no way to discover if a symlink points to a >valid target or not via SMB2. For this reason, even if symlinks are >created via NFS, if the Samba server does not allow SMB1 with unix >extensions there is no way to exploit this bug. > >Finding out what files or directories exist on a file server can help >attackers guess system user names or the exact operating system >release and applications running on the server hosting Samba which may >help mount further attacks. > >SMB1 has been disabled on Samba since version 4.11.0 and >onwards. Exploitation of this bug has not been seen in the wild. > >================== >Patch Availability >================== > >Patches addressing this issue has been posted to: > > https://www.samba.org/samba/security/ > >Samba version 4.15.4 has been issued as a security release to correct >the defect. Samba administrators are advised to upgrade to this >release as soon as possible. Due to the complexity of the fixes needed >for this problem, back ports to earlier Samba versions have not been >provided. For users of earlier Samba versions, please see the >"Workaround and mitigating factors" section of this document. > >================== >CVSSv3.1 calculation >================== > >CVSS:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:N/MA:N > >base score of 4.2 > >================================= >Workaround and mitigating factors >================================= > >Do not enable SMB1 (please note SMB1 is disabled by default in Samba >from version 4.11.0 and onwards). This prevents the creation or >querying of symbolic links via SMB1. If SMB1 must be enabled for >backwards compatibility then add the parameter: > >unix extensions = no > >to the [global] section of your smb.conf and restart smbd. This >prevents SMB1 clients from creating or reading symlinks on the >exported file system. > >However, if the same region of the file system is also exported >allowing write access via NFS, NFS clients can create symlinks that >allow SMB1 with unix extensions clients to discover the existance of >the NFS created symlink targets. For non-patched versions of Samba we >recommend only exporting areas of the file system by either SMB2 or >NFS, not both. > >======= >Credits >======= > >Reported by Stefan Behrens of <sbehrens@giantdisaster.de> >Jeremy Allison of Google and the Samba Team provided the fix. > >========================================================== >== Our Code, Our Bugs, Our Responsibility. >== The Samba Team >==========================================================
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
slow
:
review-
Actions:
View
Attachments on
bug 14911
:
17002
|
17003
|
17007
|
17009
|
17010
|
17011
|
17012
|
17014
|
17015
|
17016
|
17017
|
17018
|
17019
|
17020
|
17021
|
17022
|
17052
|
17053
|
17056
|
17057
|
17058
|
17059
|
17060
|
17129
|
17135
|
17136