TODO: VERSION

===========================================================
== Subject:     SMB clients can truncate files with
==              read-only permissions
==
== CVE ID#:     CVE-2023-4091
==
== Versions:    All Samba versions
==
== Summary:     SMB client can truncate files to 0 bytes
==              by opening files with OVERWRITE disposition
==              when using the acl_xattr Samba VFS module
==              with the smb.conf setting
==              "acl_xattr:ignore system acls = yes"
===========================================================

===========
Description
===========

SMB allows a client to open a file read-only and still truncate it by
specifying an OVERWRITE create disposition. This operation requires
write access to the file, but Samba incorrectly checks the requested
read-only permission against the file's ACL instead of the required
read/write permission.

When opening the system file handle, Samba internally opens the file
in read/write mode, as POSIX requires when passing O_TRUNC. Therefore
most default Samba configurations are not affected by this security
vulnerability: the kernel's own permission check on that read/write
open rejects the truncation.

Affected Samba configurations are ones where kernel file-system
permission checks are bypassed, leaving Samba's own permission
enforcement as the only check. The widely used Samba VFS module
"acl_xattr", when configured with the module configuration parameter
"acl_xattr:ignore system acls = yes", is the only upstream Samba
module that allows this behaviour and is affected by this
vulnerability.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect. Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by $REPORTER.

Patches provided by Ralph Böhme of SerNet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
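The Description section explains the defect as a mismatch between the access the client requests and the access a truncating open actually needs, with the kernel's permission check normally masking it. The following model is an added example, not Samba's code: the access bits, the ACL dictionary and the two-layer open simulation are assumptions made for illustration. It places the flawed check (validate only the requested access) beside the corrected one (a truncating disposition implies write access) and generalises the fix to every SMB2 create disposition that destroys existing contents, not only OVERWRITE.

```python
"""Model of the create-disposition access check described in the advisory.

Added example, not Samba's code: Access, Disposition, SAMPLE_ACL and the
simulate_open() layering are simplifications assumed for illustration.
"""
from enum import Enum, IntFlag


class Access(IntFlag):
    """Simplified access mask (assumed; not the real NT access-mask bits)."""
    NONE = 0
    READ = 0x1
    WRITE = 0x2


class Disposition(Enum):
    """SMB2 create dispositions relevant to the check."""
    OPEN = "OPEN"                  # open existing file, keep its contents
    OVERWRITE = "OVERWRITE"        # open existing file, truncate to 0 bytes
    OVERWRITE_IF = "OVERWRITE_IF"  # truncate if it exists, else create it
    SUPERSEDE = "SUPERSEDE"        # replace the file if it exists


# Every disposition in this set discards an existing file's contents.
TRUNCATING = {Disposition.OVERWRITE, Disposition.OVERWRITE_IF, Disposition.SUPERSEDE}

# Constructed sample ACL: principal -> rights granted by the file's NT ACL.
SAMPLE_ACL = {"alice": Access.READ | Access.WRITE, "bob": Access.READ}


def granted(acl, user):
    """Rights the ACL grants to a principal (none if the principal is absent)."""
    return acl.get(user, Access.NONE)


def weak_check(acl, user, requested, disposition):
    """The flawed check: validates only the access the client asked for, so a
    read-only open carrying an OVERWRITE disposition passes on a read-only ACL."""
    return (granted(acl, user) & requested) == requested


def hardened_check(acl, user, requested, disposition):
    """The corrected check: a truncating disposition implies WRITE, so the ACL
    must grant WRITE even when the client requested only READ."""
    required = requested
    if disposition in TRUNCATING:
        required |= Access.WRITE
    return (granted(acl, user) & required) == required


def simulate_open(acl, user, requested, disposition, samba_check, kernel_enforces):
    """Run the SMB-level check, then the POSIX open Samba performs underneath.

    kernel_enforces=True models a share whose system ACL mirrors the NT ACL:
    the kernel refuses an O_RDWR|O_TRUNC open without write permission.
    kernel_enforces=False models "acl_xattr:ignore system acls = yes", where
    Samba's own check is the only thing between the client and the file.
    """
    if not samba_check(acl, user, requested, disposition):
        return "denied by Samba"
    # POSIX needs a writable descriptor for O_TRUNC, so Samba opens O_RDWR here.
    needs_rdwr = disposition in TRUNCATING
    if kernel_enforces and needs_rdwr and not (granted(acl, user) & Access.WRITE):
        return "denied by kernel"
    return "truncated" if needs_rdwr else "opened"


if __name__ == "__main__":
    # bob holds READ only and asks for READ with an OVERWRITE disposition.
    for check in (weak_check, hardened_check):
        for kernel in (True, False):
            outcome = simulate_open(SAMPLE_ACL, "bob", Access.READ,
                                    Disposition.OVERWRITE, check, kernel)
            print(f"{check.__name__:15} kernel_enforces={kernel!s:5} -> {outcome}")
```

The four combinations printed by the main block reproduce the advisory's argument: with the weak check the kernel still blocks the truncation on a default share, the bypassed-kernel configuration is the one where the read-only principal's OVERWRITE succeeds, and the hardened check rejects it at the SMB layer regardless of what the kernel would do.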