TODO: VERSION

===========================================================
== Subject:     SMB clients can truncate files with
==              read-only permissions
==
== CVE ID#:     CVE-2023-4091
==
== Versions:    All Samba versions
==
== Summary:     SMB client can truncate files to 0 bytes
==              by opening files with OVERWRITE disposition
==              when using the acl_xattr Samba VFS module
==              with the smb.conf setting
==              "acl_xattr:ignore system acls = yes"
===========================================================

===========
Description
===========

The SMB protocol allows opening files where the client requests
read-only access, but then implicitly truncating the opened file if
the client specifies a separate OVERWRITE create disposition. This
operation requires write access to the file, and in the default Samba
configuration the operating system kernel will deny access to open a
read-only file for read/write (which the truncate operation requires).

However, when Samba has been configured to ignore kernel file system
permissions, Samba will truncate the file even though the underlying
operating system kernel would have denied the operation.

Affected Samba configurations are the ones where kernel file-system
permission checks are bypassed, relying on Samba's own permission
enforcement. The error is that this check is done against the client
request for read-only access, and not against the implicitly requested
read-write access (needed for the truncate).

The widely used Samba VFS module "acl_xattr", when configured with the
module configuration parameter "acl_xattr:ignore system acls = yes",
is the only upstream Samba module that allows this behavior and is the
only known method of reproducing this security flaw.

If (as is the default) the module configuration parameter is
"acl_xattr:ignore system acls = no", then the Samba server is not
vulnerable to this attack.
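Because exposure depends entirely on which shares load acl_xattr with
"acl_xattr:ignore system acls = yes", an administrator's first step is to
find those shares. The following audit script is an added example and is
not part of this advisory or of Samba itself. It parses an smb.conf in the
usual INI layout, honours the Samba rule that a share-level value overrides
the [global] value, and reports the shares that match both conditions. The
sample smb.conf embedded in it is constructed for illustration; the share
names and paths are not from the advisory.

```python
import configparser

# Constructed sample smb.conf (not taken from the advisory). [global] loads
# acl_xattr with the risky setting; "projects" inherits it, "archive"
# overrides it to "no", and "plain" replaces the VFS stack entirely.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = WORKGROUP
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes

[projects]
    path = /srv/projects
    read only = no

[archive]
    path = /srv/archive
    acl_xattr:ignore system acls = no

[plain]
    path = /srv/plain
    vfs objects = streams_xattr
"""

IGNORE_KEY = "acl_xattr:ignore system acls"


def _is_yes(value):
    # Samba treats yes/true/1 (case-insensitive) as a true boolean.
    return value.strip().lower() in ("yes", "true", "1")


def load_smb_conf(text):
    # smb.conf parameter names may contain ':' (module:option), so only '='
    # may act as the key/value delimiter; keys are case-insensitive.
    parser = configparser.ConfigParser(
        delimiters=("=",), interpolation=None, strict=False
    )
    parser.optionxform = str.lower
    parser.read_string(text)
    return parser


def find_exposed_shares(text):
    """Return the names of shares that load the acl_xattr VFS module and
    resolve 'acl_xattr:ignore system acls' to yes (share value wins over
    the [global] value)."""
    conf = load_smb_conf(text)
    global_opts = conf["global"] if conf.has_section("global") else {}
    exposed = []
    for share in conf.sections():
        if share.lower() == "global":
            continue
        opts = conf[share]
        # A share-level "vfs objects" replaces the global list, it does not
        # extend it, so look at the effective list only.
        vfs = opts.get("vfs objects", global_opts.get("vfs objects", ""))
        if "acl_xattr" not in vfs.split():
            continue
        ignore = opts.get(IGNORE_KEY, global_opts.get(IGNORE_KEY, "no"))
        if _is_yes(ignore):
            exposed.append(share)
    return exposed


if __name__ == "__main__":
    for name in find_exposed_shares(SAMPLE_SMB_CONF):
        print(f"share [{name}] ignores system ACLs with acl_xattr loaded")
```

On the constructed sample this reports only "projects". The script reads a
single file and knows nothing about "include =" directives, registry-based
configuration or shares created outside smb.conf, so run it against the
output of "testparm -s", which prints the effective configuration Samba
actually uses, rather than against a hand-written smb.conf with includes.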
==================
Patch Availability
==================

Patches addressing this issue have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect. Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Sri Nagasubramanian from Nasuni.

Patches provided by Ralph Böhme of SerNet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================