Headline
CVE-2023-34968: Samba - Security Announcement Archive
A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
CVE-2023-34968.html:
=========================================================== == Subject: Spotlight server-side Share Path Disclosure == == CVE ID#: CVE-2023-34968 == == Versions: All versions of Samba prior to 4.18.5, 4.17.10 and 4.16.11. == == Summary: As part of the Spotlight protocol Samba == discloses the server-side absolute path of == shares and files and directories in search == results. ===========================================================
=========== Description ===========
As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients.
Known server side paths could be used to mount subsequent more serious security attacks or could disclose confidential information that is part of the path.
To mitigate the issue, Samba will replace the real server-side path with a fake path constructed from the sharename.
Important change in mdscli RPC library and mdsearch command
As the absolute paths starting with the sharename prefix are not usable on the client side, the mdscli RPC library and hence the mdsearch command will from now on report paths of search results as relative paths relative to the root of the SMB share.
Given a share
[spotlight] path = /foo/bar spotlight = yes
and a file inside this share with a full server-side path of
/foo/bar/dir/file
previously a search that matched this file would return the absolute server-side path of the file
/foo/bar/dir/file
which is now changed to
dir/file
by this patchset.
================== Patch Availability ==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
================== CVSSv3 calculation ==================
CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)
========== Workaround ==========
As a possible workaround disable Spotlight by removing all configuration stanzas that enable Spotlight (“spotlight = yes|true”).
======= Credits =======
Originally reported by Ralph Boehme and Stefan Metzmacher of SerNet and the Samba team.
Patches provided by Ralph Boehme of SerNet and the Samba team.
========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
Related news
Gentoo Linux Security Advisory 202402-28 - Multiple vulnerabilities have been discovered in Samba, the worst of which can lead to remote code execution. Versions greater than or equal to 4.18.9 are affected.
Red Hat Security Advisory 2023-7139-01 - An update for samba, evolution-mapi, and openchangeis now available for Red Hat Enterprise Linux 8. Issues addressed include out of bounds read and path disclosure vulnerabilities.
Debian Linux Security Advisory 5477-1 - Several vulnerabilities have been discovered in Samba, which could result in information disclosure, denial of service or insufficient enforcement of security-relevant config directives.