CVE-2015-7560: Samba - Security Announcement Archive

The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4 allows remote authenticated users to modify arbitrary ACLs by using a UNIX SMB1 call to create a symlink, and then using a non-UNIX SMB1 call to write to the ACL content.


CVE-2015-7560.html:

===========================================================
== Subject:     Incorrect ACL get/set allowed on symlink path.
==
== CVE ID#:     CVE-2015-7560
==
== Versions:    Samba 3.2.0 to 4.4.0rc3
==
== Summary:     Authenticated client could cause Samba to
==              overwrite ACLs with incorrect owner/group.
==
===========================================================

=========== Description ===========

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.

================== Patch Availability ==================

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued as security releases to correct the defect. Patches against older Samba versions are available at https://www.samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.

========== Workaround ==========

Add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd.

Alternatively, prohibit the use of SMB1 by setting the parameter:

server min protocol = SMB2

in the [global] section of your smb.conf and restart smbd.
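To confirm that one of the two workarounds above is actually in effect, the [global] section can be checked mechanically. The following is an added example, not part of the Samba advisory: the function names and sample configurations are constructed for illustration, and the parser assumes a single smb.conf with no include directives.

```python
import re

# Values of "server min protocol" that exclude SMB1 (SMB2 and later dialects).
SMB2_PLUS = {"SMB2", "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
             "SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"}
FALSE_VALUES = {"no", "false", "off", "0"}  # boolean spellings smb.conf accepts
SYNONYMS = {"minprotocol": "serverminprotocol"}  # "min protocol" is a synonym

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", conf_text)  # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names are case- and whitespace-insensitive.
            key = re.sub(r"\s+", "", name).lower()
            params[SYNONYMS.get(key, key)] = value.strip()  # last setting wins
    return params

def workaround_status(conf_text):
    """Report which of the advisory's two workarounds the configuration applies."""
    p = global_params(conf_text)
    # A missing parameter counts as "workaround not applied".
    unix_ext_off = p.get("unixextensions", "").lower() in FALSE_VALUES
    smb1_off = p.get("serverminprotocol", "").upper() in SMB2_PLUS
    return {"unix_extensions_off": unix_ext_off, "smb1_off": smb1_off,
            "mitigated": unix_ext_off or smb1_off}

# Constructed sample configurations (not taken from any real server).
UNMITIGATED = "[global]\n  workgroup = EXAMPLE\n[share]\n  unix extensions = no\n"
UNIX_EXT_OFF = "[Global]\n; workaround 1\n  UNIX Extensions = No\n"
SMB1_OFF = "[global]\n  server min protocol = SMB2\n"

if __name__ == "__main__":
    for label, conf in [("unmitigated", UNMITIGATED),
                        ("unix extensions off", UNIX_EXT_OFF),
                        ("SMB1 off", SMB1_OFF)]:
        print(label, workaround_status(conf))
```

On a live server, `testparm -s` prints the effective configuration, including any included files that this parser does not follow.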

======= Credits =======

This problem was found by Jeremy Allison of Google, Inc. and the Samba Team, who also provided the fix.
