Bug 15707 (CVE-2025-0620) - [SECURITY] CVE-2025-0620: smbd doesn't pick up group membership changes when re-authenticating an expired SMB session
Status: RESOLVED FIXED
Alias: CVE-2025-0620
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: 4.21.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Reported: 2024-09-03 14:16 UTC by Anoop C S
Modified: 2025-06-12 09:31 UTC
CC: 7 users

Attachments
wip-fix.diff (549 bytes, text/plain), 2024-09-03 14:20 UTC, Anoop C S
testparm_s (575 bytes, text/plain), 2024-09-03 14:21 UTC, Anoop C S
Advisory (draft) (1.18 KB, text/plain), 2025-01-09 10:38 UTC, Anoop C S
Advisory CVE-2025-0620 v1 (2.02 KB, text/plain), 2025-03-14 11:04 UTC, Ralph Böhme
Advisory CVE-2025-0620 v2 (2.03 KB, text/plain), 2025-03-14 15:09 UTC, Ralph Böhme, flags: anoopcs: review+, metze: review+
Patch for 4.21 (912 bytes, patch), 2025-05-23 13:46 UTC, Ralph Böhme, flags: anoopcs: review+, metze: review+
Patch for 4.22 (912 bytes, patch), 2025-05-23 13:46 UTC, Ralph Böhme, flags: anoopcs: review+, metze: review+
Patch for master (912 bytes, patch), 2025-05-23 13:47 UTC, Ralph Böhme, flags: anoopcs: review+, metze: review+

Description Anoop C S 2024-09-03 14:16:33 UTC
In a configuration where the acl_xattr vfs module is used on top of a standard local (ext4) filesystem, smb2.session.reauth4, which used to fail earlier (expected), is now successfully completed.

[local-share]
	comment = For samba share of local EXT4
	path = /mnt/ext4
	read only = No
	vfs objects = acl_xattr
	acl_xattr:security_acl_name = user.NTACL

See attachment for the `testparm -s` output.

Expected behaviour:
# smbtorture \\\\192.168.122.11\\local-share -U root%smb --target=samba3 smb2.session.reauth4
smbtorture 4.22.0pre1-GIT-5e278a52646
Using seed 1724928319
time: 2024-08-29 10:45:19.471919
test: reauth4
time: 2024-08-29 10:45:19.472824
time: 2024-08-29 10:45:19.526290
failure: reauth4 [
../../source4/torture/smb2/session.c:603: status was NT_STATUS_ACCESS_DENIED, expected NT_STATUS_OK: smb2_setinfo_file failed
]


Additional notes:
I did a `git bisect` to only find the commit which introduced the regression as below:

# git bisect good
630f1228d17c282a3661de050801b3aaf642accf is the first bad commit
commit 630f1228d17c282a3661de050801b3aaf642accf
Author: Ralph Boehme <slow@samba.org>
Date:   Tue Jan 23 15:19:12 2024 +0100

    smbd: move target code out of loop body
    
    Reduces indentation of the code that is run in this function and prepares
    for adding more of it.
    
    Review with: git show -w
    
    Signed-off-by: Ralph Boehme <slow@samba.org>
    Reviewed-by: Stefan Metzmacher <metze@samba.org>

 source3/smbd/conn.c | 64 ++++++++++++++++++++++++++++++++++------------------------------
 1 file changed, 34 insertions(+), 30 deletions(-)
Comment 1 Anoop C S 2024-09-03 14:20:22 UTC
Created attachment 18431 [details]
wip-fix.diff

After an offline discussion, Ralph came up with a possible fix as attached.
Comment 2 Anoop C S 2024-09-03 14:21:03 UTC
Created attachment 18432 [details]
testparm_s
Comment 3 Stefan Metzmacher 2024-09-03 15:40:14 UTC
Comment on attachment 18431 [details]
wip-fix.diff

This looks good, sorry for not catching this.

At least for SMB2/3 I think the impact is basically similar to
an NTLMSSP session that doesn't expire after 10 hours (the ticket lifetime).
But for systems with disabled ntlmssp (e.g. maybe for protected users)
it might be a problem if a user was removed from a group...
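The failure mode described in the report and in comment 3, as an added, constructed model (not Samba's smbd code from conn.c, and not the attached fix): a session re-authenticates after expiry with a fresh security token, but an existing tree connect keeps the token cached when the share was first connected, so a group removal never takes effect. The share, user and group names are made up for the illustration.

```python
"""Constructed model of CVE-2025-0620: stale per-tree-connect authorisation
state surviving an SMB session re-authentication. Not Samba code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class SecurityToken:
    user: str
    groups: frozenset      # group memberships at authentication time


@dataclass
class Share:
    name: str
    allowed_groups: frozenset   # membership in any of these grants write


@dataclass
class TreeConnect:
    share: Share
    token: SecurityToken        # cached when the share was connected


class Session:
    def __init__(self, token, refresh_tcons_on_reauth):
        self.token = token
        self.refresh_tcons_on_reauth = refresh_tcons_on_reauth
        self.tcons = []

    def tree_connect(self, share):
        tcon = TreeConnect(share, self.token)
        self.tcons.append(tcon)
        return tcon

    def reauth(self, fresh_token):
        # Vulnerable variant: only the session token is replaced and existing
        # tree connects keep evaluating access with the original groups.
        self.token = fresh_token
        if self.refresh_tcons_on_reauth:   # fixed variant
            for tcon in self.tcons:
                tcon.token = fresh_token


def can_write(tcon):
    return bool(tcon.token.groups & tcon.share.allowed_groups)


def scenario(refresh_tcons_on_reauth):
    """Returns (access before reauth, access after user lost the group)."""
    share = Share("local-share", frozenset({"writers"}))      # constructed
    original = SecurityToken("alice", frozenset({"users", "writers"}))
    after_removal = SecurityToken("alice", frozenset({"users"}))
    sess = Session(original, refresh_tcons_on_reauth)
    tcon = sess.tree_connect(share)
    before = can_write(tcon)
    sess.reauth(after_removal)   # session expired, client re-authenticates
    return before, can_write(tcon)
```

With the stale-token behaviour the second value stays True after the group removal; with the token refreshed on re-authentication it becomes False, which is the ACCESS_DENIED the reauth4 torture test expects.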
Comment 4 Anoop C S 2024-09-09 10:25:38 UTC
(In reply to Stefan Metzmacher from comment #3)
If so in what direction are we planning to take this forward? Should we ask for a CVE number? Or merge the suggested fix as it is?
Comment 5 Anoop C S 2024-09-11 06:52:30 UTC
Please note that the "bad commit" as per git bisect is already part of v4.21 branch.
Comment 6 Ralph Böhme 2024-10-31 15:29:39 UTC
(In reply to Stefan Metzmacher from comment #3)
I tried to calculate the CVE score and got this:

https://www.first.org/cvss/calculator/4.0#CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/S:N/AU:N/R:I/V:C/RE:L

CVSS v4.0 Score: 7

I find it hard though to imagine how this could be used by an attacker in a real world scenario.
Comment 7 Douglas Bagnall 2024-11-01 00:57:31 UTC
(In reply to Ralph Böhme from comment #6)
On the AD side, our threshold for fixes without embargo/CVE has been hovering around CVSS 5.

But real-world exploitability does come into it of course.
Comment 8 Anoop C S 2025-01-03 07:06:11 UTC
Do we have a consensus on categorizing this bug report as CVE?
Comment 9 Ralph Böhme 2025-01-08 16:03:14 UTC
I've discussed this with Stefan and our proposal would be to request and assign a CVE, but not do a security release.

@Anoop: can you drive the process as outlined in doc/releases/security_releases.txt in the team repo?

We'll need a CVE, an advisory, a patch and backports.
Comment 10 Anoop C S 2025-01-09 08:30:35 UTC
(In reply to Ralph Böhme from comment #9)
Ok, I'll go through it and start with the steps.
Comment 11 Anoop C S 2025-01-09 10:38:59 UTC
Created attachment 18526 [details]
Advisory (draft)
Comment 12 Ralph Böhme 2025-03-14 11:04:41 UTC
Created attachment 18606 [details]
Advisory CVE-2025-0620 v1

Updated advisory.
Comment 13 Ralph Böhme 2025-03-14 15:09:20 UTC
Created attachment 18607 [details]
Advisory CVE-2025-0620 v2
Comment 14 Douglas Bagnall 2025-03-26 01:02:45 UTC
So we're thinking this will come out as a normal Samba 4.21.x or 4.22.x on the release schedule, and turn up in master about the same time, then in the other affected release a few weeks later when that release is due?
Comment 15 Anoop C S 2025-05-12 10:41:26 UTC
(In reply to Douglas Bagnall from comment #14)
Yes, that's what I expect to be the release flow here (even though we don't do a special full-fledged release).

Ralph,
Can you please format the diff attached as a patch to get it merged?
Comment 16 Ralph Böhme 2025-05-23 13:46:03 UTC
Created attachment 18644 [details]
Patch for 4.21
Comment 17 Ralph Böhme 2025-05-23 13:46:43 UTC
Created attachment 18645 [details]
Patch for 4.22
Comment 18 Ralph Böhme 2025-05-23 13:47:14 UTC
Created attachment 18646 [details]
Patch for master
Comment 19 Jule Anger 2025-06-02 12:51:32 UTC
Pushed to master and autobuild-v4-{22,21}-test.
Missing tags added.
Comment 20 Samba QA Contact 2025-06-02 15:11:03 UTC
This bug was referenced in samba master:

6f0ae60428a024b4aba92a8103a698c1eca2357c
Comment 21 Samba QA Contact 2025-06-02 17:08:03 UTC
This bug was referenced in samba v4-21-test:

bb4d8d322c2c7bda2cb245e60c423920ec5fa167
Comment 22 Samba QA Contact 2025-06-03 06:49:52 UTC
This bug was referenced in samba v4-21-stable (Release samba-4.21.6):

bb4d8d322c2c7bda2cb245e60c423920ec5fa167
Comment 23 Jule Anger 2025-06-03 07:10:09 UTC
Open bug after the 4.21 release.
Comment 24 Samba QA Contact 2025-06-05 11:56:03 UTC
This bug was referenced in samba v4-22-test:

baea767285800bc96e2e965741ac4dc4377c9f32
Comment 25 Samba QA Contact 2025-06-05 15:41:21 UTC
This bug was referenced in samba v4-22-stable (Release samba-4.22.2):

baea767285800bc96e2e965741ac4dc4377c9f32
Comment 26 Jule Anger 2025-06-12 09:31:11 UTC
Closing out bug report.

Thanks!