CVE-2023-4091: Samba - Security Announcement Archive
A vulnerability was discovered in Samba that allows SMB clients with only read permission to truncate files when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows a client to open a file requesting read-only access and still have the server implicitly truncate it to 0 bytes, because the client can specify an OVERWRITE create disposition independently of the requested access. The flaw only affects configurations that bypass the kernel's file system permission checks and rely solely on Samba's own permission enforcement, which was checked against the requested (read-only) access rather than the write access the truncate implies.
CVE-2023-4091.html:
===========================================================
== Subject:     SMB clients can truncate files with
==              read-only permissions
==
== CVE ID#:     CVE-2023-4091
==
== Versions:    All Samba versions
==
== Summary:     SMB client can truncate files to 0 bytes
==              by opening files with OVERWRITE disposition
==              when using the acl_xattr Samba VFS module
==              with the smb.conf setting
==              "acl_xattr:ignore system acls = yes"
===========================================================

===========
Description
===========
The SMB protocol allows a client to open a file requesting only read access and then have the server implicitly truncate the opened file, if the client specifies a separate OVERWRITE create disposition in the same open request.

Truncation requires write access to the file. In the default Samba configuration the operating system kernel denies opening a read-only file for read/write (which the truncate operation requires), so the open fails.

However, when Samba has been configured to ignore kernel file system permissions, Samba truncates the file in cases where the underlying operating system kernel would have denied the operation.
Affected Samba configurations are the ones where kernel file-system permission checks are bypassed, relying on Samba’s own permission enforcement. The error is that this check is done against the client request for read-only access, and not the implicitly requested read-write (for truncate) one.
The widely used Samba VFS module “acl_xattr” when configured with the module configuration parameter “acl_xattr:ignore system acls = yes” is the only upstream Samba module that allows this behavior and is the only known method of reproducing this security flaw.
If the module configuration parameter is set to "acl_xattr:ignore system acls = no" (the default), the Samba server is not vulnerable to this attack.

==================
Patch Availability
==================
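The following is an added illustration and is not Samba code. It models the access decision described above in two parts: a toy `smbd_open()` showing why checking only the client's requested access mask lets a read-only client truncate a file once kernel checks are bypassed, and how checking the effective access (requested bits plus the write access a truncating disposition implies, which is the approach the description points to) closes the hole; and `vulnerable_shares()`, an smb.conf audit that flags shares running acl_xattr with "ignore system acls = yes". The access-mask bits and disposition values are those defined in MS-SMB2; the file-mode check, the ACL representation and the sample smb.conf are simplifications constructed for the example.

```python
"""Model of the CVE-2023-4091 access check plus an smb.conf audit.

Added illustration; not Samba's implementation. ServerFile, smbd_open and
vulnerable_shares are hypothetical names chosen for this example.
"""
import configparser
from dataclasses import dataclass

# Access-mask bits and create dispositions as defined in MS-SMB2.
FILE_READ_DATA = 0x0001
FILE_WRITE_DATA = 0x0002
(FILE_SUPERSEDE, FILE_OPEN, FILE_CREATE,
 FILE_OPEN_IF, FILE_OVERWRITE, FILE_OVERWRITE_IF) = range(6)
# Dispositions that truncate an existing file to 0 bytes on open.
TRUNCATING = {FILE_SUPERSEDE, FILE_OVERWRITE, FILE_OVERWRITE_IF}


@dataclass
class ServerFile:
    size: int
    unix_mode: int   # POSIX mode bits the kernel enforces (simplified)
    nt_granted: int  # access mask Samba's own (xattr-stored) ACL grants this client


def smbd_open(f, requested, disposition, ignore_system_acls, fixed):
    """Simulate an SMB2 CREATE on an existing file.

    Returns (status, f.size): status is 'OK' or 'ACCESS_DENIED'.
    fixed=False checks only the requested mask (the vulnerable behaviour);
    fixed=True also requires write access for truncating dispositions.
    """
    truncate = disposition in TRUNCATING
    effective = requested
    if fixed and truncate:
        effective |= FILE_WRITE_DATA      # a truncating open needs write access
    if effective & ~f.nt_granted:         # Samba's own ACL check
        return "ACCESS_DENIED", f.size
    # Kernel check: truncating means opening the real file read/write, which
    # the kernel refuses on a file with no write bits. With "ignore system
    # acls = yes" the POSIX bits are opened up, so this check protects nothing.
    if truncate and not ignore_system_acls and not (f.unix_mode & 0o222):
        return "ACCESS_DENIED", f.size
    if truncate:
        f.size = 0
    return "OK", f.size


# Constructed sample smb.conf: [legacy] inherits acl_xattr from [global] and
# turns the unsafe option on; [data] keeps the default; [plain] unloads the
# module, so the option has no effect there.
SAMPLE_SMB_CONF = """\
[global]
   workgroup = EXAMPLE
   vfs objects = acl_xattr

[legacy]
   path = /srv/legacy
   acl_xattr:ignore system acls = yes

[data]
   path = /srv/data
   acl_xattr:ignore system acls = no

[plain]
   path = /srv/plain
   vfs objects =
   acl_xattr:ignore system acls = yes
"""


def _truthy(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def vulnerable_shares(smb_conf_text):
    """Return shares where acl_xattr is loaded and ignore system acls is on.

    Share settings override [global]; parameter-name normalisation is a
    simplification of Samba's parsing.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))  # ':' is part of parametric option names
    cp.optionxform = lambda k: " ".join(k.lower().split())
    cp.read_string(smb_conf_text)
    glob = cp["global"] if cp.has_section("global") else {}
    found = []
    for share in cp.sections():
        if share == "global":
            continue
        sec = cp[share]
        modules = sec.get("vfs objects", glob.get("vfs objects", "")).split()
        ignore = sec.get("acl_xattr:ignore system acls",
                         glob.get("acl_xattr:ignore system acls", "no"))
        if "acl_xattr" in modules and _truthy(ignore):
            found.append(share)
    return found


if __name__ == "__main__":
    print("shares to fix:", vulnerable_shares(SAMPLE_SMB_CONF))
    for fixed in (False, True):
        f = ServerFile(size=1024, unix_mode=0o666, nt_granted=FILE_READ_DATA)
        print("ignore system acls = yes, fixed =", fixed, "->",
              smbd_open(f, FILE_READ_DATA, FILE_OVERWRITE, True, fixed))
```

Running it shows the three cases from the description: with kernel checks in force a read-only user's OVERWRITE open is refused by the kernel; with "ignore system acls = yes" the unpatched check passes and the file shrinks to 0 bytes; the patched check denies it because the implied write access is not granted.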
Patches addressing this issue have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)
==========
Workaround
==========
None.
=======
Credits
=======

Originally reported by Sri Nagasubramanian from Nasuni.
Patches provided by Ralph Böhme of SerNet and the Samba team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Related news
Gentoo Linux Security Advisory 202402-28 - Multiple vulnerabilities have been discovered in Samba, the worst of which can lead to remote code execution. Versions below 4.18.9 are affected.
Red Hat Security Advisory 2023-6209-01 - An update for samba is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.
Ubuntu Security Notice 6425-3 - USN-6425-1 fixed vulnerabilities in Samba. This update provides the corresponding updates for Ubuntu 23.10. Sri Nagasubramanian discovered that the Samba acl_xattr VFS module incorrectly handled read-only files. When Samba is configured to ignore system ACLs, a remote attacker could possibly use this issue to truncate read-only files. Andrew Bartlett discovered that Samba incorrectly handled the DirSync control. A remote attacker with an RODC DC account could possibly use this issue to obtain all domain secrets. Andrew Bartlett discovered that Samba incorrectly handled the rpcecho development server. A remote attacker could possibly use this issue to cause Samba to stop responding, resulting in a denial of service. Kirin van der Veer discovered that Samba incorrectly handled certain RPC service listeners. A remote attacker could possibly use this issue to cause Samba to start multiple incompatible RPC listeners, resulting in a denial of service. This iss...
Debian Linux Security Advisory 5525-1 - Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix, which might result in denial of service, information disclosure or privilege escalation.
Ubuntu Security Notice 6425-2 - USN-6425-1 fixed vulnerabilities in Samba. Due to a build issue on Ubuntu 20.04 LTS, the update introduced regressions in macro handling and possibly other functionality. This update fixes the problem. Sri Nagasubramanian discovered that the Samba acl_xattr VFS module incorrectly handled read-only files. When Samba is configured to ignore system ACLs, a remote attacker could possibly use this issue to truncate read-only files. Andrew Bartlett discovered that Samba incorrectly handled the DirSync control. A remote attacker with an RODC DC account could possibly use this issue to obtain all domain secrets. Andrew Bartlett discovered that Samba incorrectly handled the rpcecho development server. A remote attacker could possibly use this issue to cause Samba to stop responding, resulting in a denial of service. Kirin van der Veer discovered that Samba incorrectly handled certain RPC service listeners. A remote attacker could possibly use this issue to cause ...