The Samba-Bugzilla – Attachment 18062 Details for Bug 15422
CVE-2023-3961 [SECURITY] Unsanitized client pipe name passed to local_np_connect()
Description: First (rough) draft of an advisory.
Filename: CVE-2023-3961.txt
MIME Type: text/plain
Creator: Jeremy Allison
Created: 2023-08-16 16:12:35 UTC
Size: 2.63 KB
============================================================
== Subject: smbd allows client access to unix domain sockets
==          on the file system.
==
== CVE ID#: CVE-2023-3961
==
== Versions: All versions starting with 4.16.0
==
== Summary: Unsanitized pipe names allow SMB clients to connect
==          as root to existing unix domain sockets on the
==          file system.
============================================================

===========
Description
===========

The SMB 1/2/3 protocols allow clients to connect to named
pipes via the IPC$ (Inter-Process Communication) share
for the process of inter-process communication between
SMB clients and servers.

Since Samba 4.16.0, Samba internally connects client pipe names
to unix domain sockets within a private directory, allowing clients
to connect to services listening on those sockets. This is
usually used to connect SMB clients to remote procedure
call (RPC) services, such as SAMR, LSA, or SPOOLSS, which Samba
starts on demand.

However, insufficient sanitization was done on the incoming
client pipe name, meaning that a client sending a pipe name
containing unix directory traversal characters (../)
could cause Samba to connect to unix domain sockets
outside of the private directory meant to restrict the
services a client could connect to. Samba connects
to the unix domain sockets as root, meaning if a client
could send a pipe name that resolved to an external
service using an existing unix domain socket, the client would
be able to connect to it without filesystem permissions
restricting access.

Depending on the service the client can connect to,
the client may be able to trigger adverse events such
as denial of service, crashing the service, or potentially
compromising it.

There are no current known exploits for this bug.
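The defect described above is a missing input check: a client-supplied pipe name is used as a path component under the private socket directory without first rejecting traversal sequences. The following is an added example of such a check, written for this page and not Samba's own fix; the directory name and function names are assumptions.

```c
/* Added example (not Samba's code): validate a client-supplied pipe name
 * before it is mapped to a unix domain socket under a private directory.
 * A name such as "../../run/example.sock" must never escape that directory. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical private directory holding the on-demand RPC sockets. */
#define PRIVATE_DIR "/var/lib/samba/private/np"

/* Accept only a single path component: no '/' or '\\' separators,
 * not "." or "..", not empty or over-long, printable ASCII only. */
bool pipe_name_is_safe(const char *name)
{
    size_t len;
    if (name == NULL) {
        return false;
    }
    len = strlen(name);
    if (len == 0 || len > 255) {
        return false;
    }
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) {
        return false;
    }
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        /* Either separator would let "../" style names leave PRIVATE_DIR. */
        if (c == '/' || c == '\\' || c < 0x20 || c > 0x7e) {
            return false;
        }
    }
    return true;
}

/* Build "<PRIVATE_DIR>/<name>" only for a validated name. Returns the
 * number of bytes written, or -1 if the name is rejected or does not fit. */
int build_socket_path(const char *name, char *out, size_t outlen)
{
    int n;
    if (!pipe_name_is_safe(name)) {
        return -1;
    }
    n = snprintf(out, outlen, "%s/%s", PRIVATE_DIR, name);
    if (n < 0 || (size_t)n >= outlen) {
        return -1;
    }
    return n;
}
```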
==================
Patch Availability
==================

Patches addressing this issue have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8)

==========
Workaround
==========

None.

=======
Credits
=======

Originally discovered by Jeremy Allison of the Samba team
and CIQ, Inc.

Patches provided by Jeremy Allison of the Samba team and
CIQ, Inc.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Flags: slow: review+