From Pavel Kohout at Aisle Security: We believe we have identified a flaw in the vfs_worm module that allows overwriting or deleting WORM-protected files via SMB rename with ReplaceIfExists=1, bypassing the intended immutability guarantee after the grace period. The rename hook only checks the source path; it never validates the destination’s WORM status. A younger file can be renamed over an older, immutable file, effectively deleting/replacing it.

Impact: Integrity breach of WORM-protected data on shares using the worm VFS module with elapsed grace periods. Default installs not using vfs objects = worm are unaffected.

CVSS v3.1 (est.): 5.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N). Network reachable, low complexity, low privs needed (rename rights), integrity impact high; confidentiality and availability unaffected.
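A simplified model of the rename policy the report describes, added here as an illustration and not Samba's vfs_worm code: the flawed variant checks only the source path, while the corrected variant also refuses to replace a destination that is already WORM-protected. The grace period, file names and timestamps are constructed for the example.

```python
"""Model of a WORM rename check (constructed example, not Samba's vfs_worm)."""
from dataclasses import dataclass, field

GRACE_PERIOD = 300.0  # seconds a new file stays writable before becoming immutable (assumed)


@dataclass
class WormFile:
    ctime: float  # creation time; protection starts once the grace period has elapsed


@dataclass
class WormShare:
    grace_period: float = GRACE_PERIOD
    files: dict = field(default_factory=dict)

    def is_immutable(self, path: str, now: float) -> bool:
        f = self.files.get(path)
        return f is not None and now - f.ctime >= self.grace_period

    def rename(self, src: str, dst: str, replace_if_exists: bool, now: float,
               check_destination: bool) -> tuple[bool, str]:
        """check_destination=False reproduces the reported flaw (source-only check)."""
        if src not in self.files:
            return False, "ENOENT"
        if self.is_immutable(src, now):
            return False, "EACCES: source is WORM-protected"
        if dst in self.files:
            if not replace_if_exists:
                return False, "EEXIST"
            # The missing check: an existing, immutable destination must not be replaced.
            if check_destination and self.is_immutable(dst, now):
                return False, "EACCES: destination is WORM-protected"
        self.files[dst] = self.files.pop(src)
        return True, "ok"


def scenario(check_destination: bool) -> tuple[bool, str, float]:
    """Fresh file renamed over an old record with ReplaceIfExists=1.

    Returns (allowed, reason, ctime of whatever now sits at record.txt)."""
    now = 1_000_000.0
    share = WormShare()
    share.files["record.txt"] = WormFile(ctime=now - 3600)  # well past the grace period
    share.files["new.txt"] = WormFile(ctime=now - 10)       # still inside the grace period
    allowed, reason = share.rename("new.txt", "record.txt", True, now, check_destination)
    return allowed, reason, share.files["record.txt"].ctime


if __name__ == "__main__":
    print("source-only check:", scenario(False))   # record replaced
    print("with dest check:  ", scenario(True))    # rename refused, record intact
```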
Created attachment 18842 [details] Patch suggested by Pavel
Created attachment 18843 [details] patch v2 from Pavel Kohout
Created attachment 18844 [details] patch from Pavel Kohout (v3)
I had a go with the CVSS 3.1 calculator and came up with CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N = 6.5. This is exactly the same string ("AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N") that Aisle report, but they give it a 5.3. 5.3 is what you'd get by setting the "attack complexity" to high, which doesn't seem right to me. I would be more inclined to adjust the integrity impact to low (giving 4.3), given the underlying access controls are unaffected.
Hi Douglas. Great, looks good to me.
Created attachment 18855 [details] patch v4, with a test

I added a test. The fix is not changed.
Created attachment 18858 [details] advisory v1
Created attachment 18860 [details] patch for 4.24
Created attachment 18861 [details] patch for 4.23
Created attachment 18862 [details] patch for 4.22
I think this is ready for release.
What about 4.21? Patch is probably 100% the same though.
Created attachment 18864 [details] patch for 4.21

Patch for 4.21 will work for 4.20, but not before that (in 4.19 vfs_worm was known to be broken).
Advisory names 4.23.6, which is now out; should be 4.23.7.
The security release that was scheduled for tomorrow will be postponed due to new problems that have been identified with one of the fixes. We will announce a new release date as soon as possible after the remaining issues have been ruled out.
Scheduled release date is now 2026-05-26.
I plan to upload the releases in about 3 hours from now...
This bug was referenced in samba v4-24-stable (Release samba-4.24.3): 4737e7362bf5dbdf4e6969cc958b3142eb5dc2c7 1271956aa97b0d5d7694c7bc80bf1628877beae3
This bug was referenced in samba v4-23-stable (Release samba-4.23.8): 2531119024986bbc18f92d27c47b2d5c8a3b77ce 7962e74737f43749fd3c49ad9eb048dfd0b6d778
This bug was referenced in samba v4-22-stable (Release samba-4.22.10): 97f86ccf7d26ea3600739e9de16eb68be64162c3 76d10f4480d981ddef237e447ea48beef430da84
This bug was referenced in samba v4-24-test (Release samba-4.24.3): 4737e7362bf5dbdf4e6969cc958b3142eb5dc2c7 1271956aa97b0d5d7694c7bc80bf1628877beae3
This bug was referenced in samba v4-23-test (Release samba-4.23.8): 2531119024986bbc18f92d27c47b2d5c8a3b77ce 7962e74737f43749fd3c49ad9eb048dfd0b6d778
This bug was referenced in samba v4-22-test (Release samba-4.22.10): 97f86ccf7d26ea3600739e9de16eb68be64162c3 76d10f4480d981ddef237e447ea48beef430da84
This bug was referenced in samba master: 39535250fa55eeae9e7bad9c9a2a93d592ad4f79 44b199a35222e1b11d6ee987c4e8046a894484ca