Samba 4.9.0 Improper Limitation of a Pathname to a Restricted Directory Vulnerability

Summary

A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.10.x up to 4.10.8 and samba 4.11.x up to 4.11.0rc3, when certain parameters were set in the samba configuration file. An unauthenticated attacker could use this flaw to escape the shared directory and access the contents of directories outside the share.

Credit:

The information has been provided by Stefan Metzmacher

The original article can be found at:

https://www.samba.org/samba/security/CVE-2019-10197.html

 


Details

On a Samba SMB server for all versions of Samba from 4.9.0 clients are able to escape outside the share root directory if certain configuration parameters set in the smb.conf file. The problem is reproducable if the ‘wide links’ option is explicitly set to ‘yes’ and either ‘unix extensions = no’ or ‘allow insecure wide links = yes’ is set in addition. If a client has no permissions to enter the share root directory it will get ACCESS_DENIED on the first request.

However smbd has a cache that remembers if it successfully changed to a directory. This cache was not being reset on failure. The following SMB request will then silently operate in the wrong directory instead of returning ACCESS_DENIED. That directory is either the share root directory of a different share the client was operating on successfully before or the global root directory (‘/’) of the system.

The unix token (uid, gid, list of groups) is always correctly impersonated before each operation, so the client is still restricted by the unix permissions enfored by the kernel.

The following methods can be used as a mitigation (only one is needed):

– Use the ‘sharesec’ tool to configure a security descriptor for the share that’s at least as strict as the permissions on the share root directory.

– Use the ‘valid users’ option to allow only users/groups which are able to enter the share root directory.

– Remove ‘wide links = yes’ if it’s not really needed.

– In some situations it might be an option to use ‘chmod a+x’ on the share root directory, but you need to make sure that files and subdirectories are protected by stricter permissions. You may also want to ‘chmod a-w’ in order to prevent new top level files and directories, which may have less restrictive permissions.

Vulnerable Systems:

All versions of Samba from 4.9.0 onwards.

CVE Information:

CVE-2019-10197

Disclosure Timeline:
Published Date:09/10/2019