15439 – (CVE-2023-4091) [SECURITY] CVE-2023-4091: Client can truncate file with read-only permissions

Bug 15439 (CVE-2023-4091) - [SECURITY] CVE-2023-4091: Client can truncate file with read-only permissions

Summary: [SECURITY] CVE-2023-4091: Client can truncate file with read-only permissions

Status:	RESOLVED FIXED

Alias:	CVE-2023-4091

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	File services (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Ralph Böhme
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	15483
	Show dependency tree / graph

Reported:	2023-08-01 13:42 UTC by Ralph Böhme
Modified:	2023-10-20 09:16 UTC (History)
CC List:	6 users (show)

See Also:

Attachments
Possible patch for master (8.36 KB, patch) 2023-08-01 13:43 UTC, Ralph Böhme	jra: review+ slow: ci-passed+	Details
Advisory v1 (2.29 KB, text/plain) 2023-08-03 09:39 UTC, Ralph Böhme	jra: review-	Details
Advisory v2 (2.66 KB, text/plain) 2023-08-25 14:37 UTC, Ralph Böhme	no flags	Details
Advisory v3 (2.71 KB, text/plain) 2023-08-25 14:40 UTC, Ralph Böhme	jra: review+	Details
Patch for master (5.16 KB, patch) 2023-09-28 17:26 UTC, Ralph Böhme	metze: review- slow: ci-passed+	Details
Patch for 4.19 (7.57 KB, patch) 2023-09-28 17:26 UTC, Ralph Böhme	jra: review+ metze: review+ slow: ci-passed+	Details
Patch for 4.18 (7.57 KB, patch) 2023-09-28 17:27 UTC, Ralph Böhme	jra: review+ metze: review+ slow: ci-passed+	Details
Patch for 4.17 (7.57 KB, patch) 2023-09-28 17:28 UTC, Ralph Böhme	jra: review+ slow: ci-passed+	Details
Advisory v4 with correct version numbers (2.72 KB, text/plain) 2023-09-29 08:38 UTC, Ralph Böhme	jra: review+	Details
Patch for master (7.57 KB, patch) 2023-10-02 09:05 UTC, Ralph Böhme	slow: review? (metze) jra: review+	Details
Show Obsolete (5) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ralph Böhme 2023-08-01 13:42:10 UTC

Opening a file with read-only filesystem permission with FILE_OVERWRITE[_IF] disposition, inccorrectly truncates the file due to a missing check for read-only access.

Have patch, need bugnumber.

Comment 1 Ralph Böhme 2023-08-01 13:43:22 UTC

Created attachment 18018 [details]
Possible patch for master

Comment 2 Ralph Böhme 2023-08-01 14:09:49 UTC

I guess this warrants a CVE...

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

Comment 3 Ralph Böhme 2023-08-01 14:22:50 UTC

Oh, forgot, the only affected systems will be the ones where the effective SD != filesystem SD, eg when using vfs_acl_xattr with acl_xattr:ignore system acls = yes.

"Normally", the filesystem and kernel will enforce the read-only from the filesystem as when we map FILE_OVERWRITE[_IF] to O_TRUNC we also change the access mode to O_RDWR which will be failed by the kernel/filesystem.

Comment 4 Jeremy Allison 2023-08-01 15:50:31 UTC

(In reply to Ralph Böhme from comment #3)

That makes it much less dangerous, correct ? Still a CVE but maybe not a 6.5 ?

Comment 5 Ralph Böhme 2023-08-01 16:50:14 UTC

Well, I know at least two OEMs that ship this config, so I guess for them it's quite bad. CVE wise, I guess this might change Attack Complexity (AC) from low to high:

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N (5.3)

Comment 6 Ralph Böhme 2023-08-01 16:52:41 UTC

I'm not really sure how to apply Attack Complexity (AC), maybe it's till "low":

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Comment 7 Andrew Bartlett 2023-08-01 19:50:11 UTC

https://www.first.org/cvss/user-guide has this in the guidance in the changes for 3.1, which we use:

2.3.3. Assume Vulnerable Configurations

...If a specific configuration is required for an attack to succeed, the vulnerable component should be scored assuming it is in that configuration, providing it is a reasonable configuration....

I would say that acl_xattr:ignore system acls = yes, given is is widely deployed, is a reasonable (even if less safe) configuration.  

Attack complexity is not how to capture the administrators choice of configuration in any case, it is for the difference between 'just works' and 'difficult timing attack' or 'requires network interception'.

Comment 8 Ralph Böhme 2023-08-02 06:36:40 UTC

(In reply to Andrew Bartlett from comment #7)
Oh, thanks a lot Andrew, that is very helpful! :)

So it's a 6.5:

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

Comment 9 Ralph Böhme 2023-08-03 09:39:23 UTC

Created attachment 18021 [details]
Advisory v1

Comment 10 Jeremy Allison 2023-08-03 16:41:25 UTC

Comment on attachment 18021 [details]
Advisory v1

This section:

"When opening the system file handle, Samba internally opens
the file in read/write mode as that is required by POSIX
when passing O_TRUNC. Therefor most default Samba configurations
are not affected by this security vulnerability."

is confusing (i.e. I don't understand it).

Can you explicitly say what the file permissions on the disk are, and why opening for O_RDWR makes it not a problem when "acl_xattr:ignore system acls = yes" please ?

Comment 11 Ralph Böhme 2023-08-04 16:24:51 UTC

Ok, what about this:

===========
Description
===========

SMB allows opening files for read-only and truncating the
opened files by specifying an OVERWRITE create
disposition. This operation requires write access to the
file, but Samba incorrectly checks the requested read-only
permission on the files ACL, instead of the required
read/write permission.

When accessing a file in Samba, there are two place where
permissions are evaluated and enforced:

1. The kernel enforces permissions for the system open() call

2. Samba's own permission checks based on reading the file's
ACL via Samba's VFS and checking the requested access againt
this ACL.

It's up to the configured VFS modules where the ACL is read
from and written to, in the default case, filesystem
POSIX-draft ACLs are converted to NT ACLs, the format used
internally in Samba. Samba supports a variety of VFS modules
to support filesystem with their own ACL implementations,
like GPFS and ZFS, and it has a module "acl_xattr" where the
ACL is stored in an filesystem extended attribute as well as
in filesystem POSIX-draft ACLs, using a best effort
translation of NT ACLs to POSIX-draft ACLs.

This translation sacrifices NT ACL compatibility in certain
corner cases, but the module supports an optional mode that
can be enabled by setting "acl_xattr:ignore system acls =
yes". In this mode directories and files, when created, will
be assigned 0777 and 0666 permissions respectively. This
effectively bypasses permissions checks by the kernel,
making Samba's own user-space permission checks the only
place where permissions are enforced.

Now, when processing a client request to open a file
read-only with OVERWRITE disposition, Samba opens the file
via the VFS with SMB_VFS_OPENAT() in read/write mode as that
is required by POSIX when using O_TRUNC. Therefor most
default Samba configurations are not affected by this
security vulnerability as the effective filesystem
permissions are enforced by the kernel and filesystem
driver. If the file only allows read-only access for the
user, the open for read/write access will fail with EACCES.

Affected Samba configurations are the ones where somehow
kernel file-system permission checks are bypassed, relying
on Samba's own permission enforcement, because this check is
done against the client request read-only access, and not
the implicit read-write one.

The widely used Samba VFS module "acl_xattr" when configured
with the module configuration parameter "acl_xattr:ignore
system acls = yes" is the only upstream Samba module that
allows this behavior and is the only known attack vector.

Comment 12 Jeremy Allison 2023-08-04 21:39:45 UTC

(In reply to Ralph Böhme from comment #11)

Probably a bit *too* verbose (sorry :-), Goldilocks and the 3 bears and all that :-). How about:

------------------------------------------------------
The SMB protocol allows opening files where the client requests
read-only access, but then implicitly truncating the opened file
if the client specifies a separate OVERWRITE create disposition.

This operation requires write access to the file, and in the
default Samba configuration the operating system kernel will
deny access to open a read-only file for read/write (which the
truncate operation requires).

However, when Samba has been configured to ignore kernel file
system permissions, Samba will truncate a file when the underlying
operating system kernel would deny the operation.

Affected Samba configurations are the ones where kernel file-system
permission checks are bypassed, relying on Samba's own permission enforcement.
The error is that this check is done against the client request for read-only
access, and not the implicitly requested read-write (for truncate) one.

The widely used Samba VFS module "acl_xattr" when configured
with the module configuration parameter "acl_xattr:ignore
system acls = yes" is the only upstream Samba module that
allows this behavior and is the only known method of reproducing
this security flaw.

If (as is the default) the module configuration parameter
"acl_xattr:ignore system acls=no", then the Samba server is not
vulnerable to this attack.
------------------------------------------------------

Comment 13 Sri 2023-08-10 14:57:58 UTC

Hello Ralph/Jeremy,

A couple of questions about this fix:

What is the plan for this security patch being announced publicly?
Are there plans to make a patch available for 4.17?

Thanks,
Sri

Comment 14 Andrew Bartlett 2023-08-10 20:35:21 UTC

(In reply to Sri from comment #13)
Samba 4.17 is still under security support so an official security release (and patch) will be made.

Comment 15 Ralph Böhme 2023-08-25 14:37:51 UTC

Created attachment 18069 [details]
Advisory v2

Thanks, much better. I knew you could help me trim my version! :)

Comment 16 Ralph Böhme 2023-08-25 14:40:42 UTC

Created attachment 18070 [details]
Advisory v3

Creditting original reporter, otherwise unchanged...

Comment 17 Ralph Böhme 2023-09-28 17:26:00 UTC

Created attachment 18129 [details]
Patch for master

Unchanged patch, added CVE number and my signed-off-by.

Comment 18 Ralph Böhme 2023-09-28 17:26:49 UTC

Created attachment 18130 [details]
Patch for 4.19

Comment 19 Ralph Böhme 2023-09-28 17:27:50 UTC

Created attachment 18131 [details]
Patch for 4.18

Comment 20 Ralph Böhme 2023-09-28 17:28:25 UTC

Created attachment 18132 [details]
Patch for 4.17

Comment 21 Ralph Böhme 2023-09-29 08:38:18 UTC

Created attachment 18146 [details]
Advisory v4 with correct version numbers

Comment 22 Jule Anger 2023-10-02 07:20:39 UTC

Opening security bugs to vendors. Release date is currently proposed to be October 10.

Comment 23 Stefan Metzmacher 2023-10-02 08:03:42 UTC

Comment on attachment 18129 [details]
Patch for master

You most likely used the wrong commit hash for git format-patch --stdout -2

Comment 24 Ralph Böhme 2023-10-02 09:05:14 UTC

Created attachment 18149 [details]
Patch for master

metze, Thanks for spotting this!

Comment 27 Jule Anger 2023-10-10 14:40:05 UTC

Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.

Comment 28 Samba QA Contact 2023-10-10 14:45:59 UTC

This bug was referenced in samba v4-17-stable:

45051934ffa479b25193f409a0c0fe7740f2415d
347d55084b76f53f752e9aae9e84a9f775cbec9d

Comment 29 Samba QA Contact 2023-10-10 14:47:23 UTC

This bug was referenced in samba v4-18-stable:

ae5c0e1914a92a4cc73f37ff18a266b7d39d5b42
53c9e1c9d3b660837d4517cfe0f3da2f0744660b

Comment 30 Samba QA Contact 2023-10-10 14:48:17 UTC

This bug was referenced in samba v4-19-stable:

2ff6cbcd3accaf7953de9fe0a05d0c2176af6b3c
6b6495c7125540f5bacc27ef76440340cf0fd58e

Comment 31 Samba QA Contact 2023-10-10 15:01:37 UTC

This bug was referenced in samba v4-17-stable:

b08a60160e6ab8d982d31844bcbf7ab67ff3a8de
8b26f634372f11edcbea33dfd68a3d57889dfcc5

Comment 32 Samba QA Contact 2023-10-10 15:07:28 UTC

This bug was referenced in samba v4-19-stable:

2761477b76c2eafd0c851dfdff998e730e433c4c
9cd1ad18af07098588163c0b5b69408e4002a7aa

Comment 33 Samba QA Contact 2023-10-10 15:08:36 UTC

This bug was referenced in samba v4-18-stable:

bfe8e10bf3b5dafecd0b19ef8ea163327f73a531
3c432b144690353b7c86daf38612a2e19eb82084

Comment 34 Samba QA Contact 2023-10-10 15:18:14 UTC

This bug was referenced in samba v4-17-test:

45051934ffa479b25193f409a0c0fe7740f2415d
347d55084b76f53f752e9aae9e84a9f775cbec9d
b08a60160e6ab8d982d31844bcbf7ab67ff3a8de
8b26f634372f11edcbea33dfd68a3d57889dfcc5

Comment 35 Samba QA Contact 2023-10-10 15:28:45 UTC

This bug was referenced in samba v4-18-test:

ae5c0e1914a92a4cc73f37ff18a266b7d39d5b42
53c9e1c9d3b660837d4517cfe0f3da2f0744660b
bfe8e10bf3b5dafecd0b19ef8ea163327f73a531
3c432b144690353b7c86daf38612a2e19eb82084

Comment 36 Samba QA Contact 2023-10-10 15:48:28 UTC

This bug was referenced in samba master:

b1fd65694185c26f1e196d84ee8756300e631bd5
b70f4f8681ca1b0818d42f600fd8bbdd74c29346

Comment 37 Samba QA Contact 2023-10-10 15:59:44 UTC

This bug was referenced in samba v4-19-test:

2ff6cbcd3accaf7953de9fe0a05d0c2176af6b3c
6b6495c7125540f5bacc27ef76440340cf0fd58e
2761477b76c2eafd0c851dfdff998e730e433c4c
9cd1ad18af07098588163c0b5b69408e4002a7aa

Comment 38 Samba QA Contact 2023-10-11 12:53:03 UTC

This bug was referenced in samba master:

94462dfabf0c14586c00a8161f125b2bd4d18ee1

Comment 39 Jule Anger 2023-10-20 09:16:08 UTC

Pushed to all branches.
Closing out bug report.
Thanks!