The Samba-Bugzilla – Attachment 18070 Details for Bug 15439
[SECURITY] CVE-2023-4091: Client can truncate file with read-only permissions
Advisory v3
advisory-CVE-2023-4091.txt (text/plain), 2.71 KB, created by Ralph Böhme on 2023-08-25 14:40:42 UTC
TODO: VERSION

===========================================================
== Subject:     SMB clients can truncate files with
==              read-only permissions
==
== CVE ID#:     CVE-2023-4091
==
== Versions:    All Samba versions
==
== Summary:     SMB client can truncate files to 0 bytes
==              by opening files with OVERWRITE disposition
==              when using the acl_xattr Samba VFS module
==              with the smb.conf setting
==              "acl_xattr:ignore system acls = yes"
===========================================================

===========
Description
===========

The SMB protocol allows opening files where the client
requests read-only access, but then implicitly truncating
the opened file if the client specifies a separate OVERWRITE
create disposition.

This operation requires write access to the file, and in the
default Samba configuration the operating system kernel will
deny access to open a read-only file for read/write (which
the truncate operation requires).

However, when Samba has been configured to ignore kernel
file system permissions, Samba will truncate a file when the
underlying operating system kernel would deny the operation.

Affected Samba configurations are the ones where kernel
file-system permission checks are bypassed, relying on
Samba's own permission enforcement. The error is that this
check is done against the client request for read-only
access, and not the implicitly requested read-write (for
truncate) one.

The widely used Samba VFS module "acl_xattr" when configured
with the module configuration parameter "acl_xattr:ignore
system acls = yes" is the only upstream Samba module that
allows this behavior and is the only known method of
reproducing this security flaw.

If (as is the default) the module configuration parameter
"acl_xattr:ignore system acls=no", then the Samba server is
not vulnerable to this attack.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Sri Nagasubramanian <snagasubramanian@nasuni.com>
from Nasuni.

Patches provided by Ralph Böhme of SerNet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Flags: jra: review+