===========================================================
== Subject:     SMB clients can truncate files with
==              read-only permissions
==
== CVE ID#:     CVE-2023-4091
==
== Versions:    All Samba versions
==
== Summary:     SMB client can truncate files to 0 bytes
==              by opening files with OVERWRITE disposition
==              when using the acl_xattr Samba VFS module
==              with the smb.conf setting
==              "acl_xattr:ignore system acls = yes"
===========================================================

===========
Description
===========

The SMB protocol allows a client to open a file requesting only read
access while, at the same time, specifying an OVERWRITE create
disposition, which implicitly truncates the opened file. Truncation
requires write access to the file. In the default Samba configuration
the operating system kernel denies the attempt to open a read-only file
for read/write (which the truncate operation requires).

However, when Samba has been configured to ignore kernel file system
permissions, Samba will truncate the file even though the underlying
operating system kernel would have denied the operation.

Affected Samba configurations are those in which kernel file-system
permission checks are bypassed and Samba relies on its own permission
enforcement. The error is that Samba performs this check against the
access the client requested (read-only), and not against the access the
OVERWRITE disposition implicitly requires (read-write, for the
truncate).

The widely used Samba VFS module "acl_xattr", when configured with the
module parameter "acl_xattr:ignore system acls = yes", is the only
upstream Samba module that enables this behavior and is the only known
way of reproducing this security flaw.

If the module parameter is left at its default,
"acl_xattr:ignore system acls = no", the Samba server is not vulnerable
to this attack.
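The three conditions the description ties together (acl_xattr loaded on a share, "acl_xattr:ignore system acls = yes" in effect for that share, and a Samba version predating the fixed releases) can be checked from a configuration file. The following Python audit script is an added example, not code from the advisory or the Samba project. It parses a constructed sample smb.conf, applies Samba's rule that a share-level parameter overrides the [global] default, and flags shares where all three conditions hold. The version table comes from this advisory; how it treats branches outside that table (newer than 4.19 assumed fixed, older than 4.17 assumed affected) is an assumption of the example.

```python
"""Audit an smb.conf for the CVE-2023-4091 exposure conditions.

Added illustration, not Samba project code. It flags shares where the
acl_xattr VFS module is loaded with "acl_xattr:ignore system acls = yes"
on a Samba version that predates the fixed releases named in the advisory.
"""
import re

# Constructed sample smb.conf (not taken from a real deployment).
SAMPLE_CONF = """
[global]
   workgroup = EXAMPLE
   vfs objects = acl_xattr
   acl_xattr:ignore system acls = no

[projects]
   path = /srv/projects
   ; share-level override of the global default: exposed
   acl_xattr:ignore system acls = yes

[public]
   path = /srv/public
   # inherits "no" from [global]: kernel permission checks still apply

[archive]
   path = /srv/archive
   ; acl_xattr is not loaded here, so the setting below has no effect
   vfs objects =
   acl_xattr:ignore system acls = yes
"""

# First fixed release per branch, taken from the advisory.
FIXED_RELEASES = {(4, 19): 1, (4, 18): 8, (4, 17): 12}


def normalize_key(name):
    """Samba ignores case and whitespace in parameter names; do the same."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {normalized key: value}}.

    Only "=" separates key and value; a ':' stays part of the key, as in
    module parameters such as "acl_xattr:ignore system acls"."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][normalize_key(key)] = value.strip()
    return sections


def samba_bool(value):
    """Interpret a Samba boolean value (yes/no, true/false, 1/0)."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")


def version_has_fix(version):
    """True if a Samba version includes the CVE-2023-4091 fix.

    Assumption for branches outside the advisory's table: anything newer
    than 4.19 carries the fix; anything older than 4.17 received no
    security release and is treated as affected."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    branch = (major, minor)
    if branch in FIXED_RELEASES:
        return patch >= FIXED_RELEASES[branch]
    return branch > (4, 19)


def find_exposed_shares(conf, samba_version):
    """Names of shares meeting all three exposure conditions."""
    if version_has_fix(samba_version):
        return []
    global_params = conf.get("global", {})
    exposed = []
    for name, params in conf.items():
        if name == "global":
            continue
        effective = {**global_params, **params}  # share overrides global
        modules = effective.get("vfsobjects", "").split()
        if "acl_xattr" not in modules:
            continue
        if samba_bool(effective.get("acl_xattr:ignoresystemacls", "no")):
            exposed.append(name)
    return exposed


if __name__ == "__main__":
    conf = parse_smb_conf(SAMPLE_CONF)
    for ver in ("4.18.7", "4.18.8"):
        print(ver, "exposed shares:", find_exposed_shares(conf, ver))
```

On a live server, feed the script the output of `testparm -s` rather than the raw file, so that included files and defaults are already resolved; the parser here deliberately treats only "=" as the key/value separator, because Python's ConfigParser would otherwise split "acl_xattr:ignore system acls" at the colon.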
==================
Patch Availability
==================

A patch addressing this issue has been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have been
issued as security releases to correct the defect. Samba administrators
are advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Sri Nagasubramanian from Nasuni.

Patches provided by Ralph Böhme of SerNet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================