CERT VU:670568
History: Sep 17, 2001 - 12:00 a.m.

Samba creates temporary files insecurely

2001-09-17 00:00:00
www.kb.cert.org

CVSS2: 2.1 Low (AV:L/AC:L/Au:N/C:N/I:P/A:N)

Access Vector: LOCAL
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.0004 Low (Percentile: 5.3%)

Overview

Samba handles temporary files insecurely, allowing arbitrary files to be overwritten and left in a state that would permit later modification.

Description

Samba is an implementation of the Server Message Block (SMB) protocol. Some versions of Samba handle temporary files in an insecure manner that may allow local users to cause arbitrary files and devices to be overwritten. Because printer queue cache file names are easily predictable, local users may create symbolic links to any file or device, causing it to be corrupted when a remote user accesses a printer. In addition, the file will be left with world-writable permissions, allowing any user to enter their own data.


Impact

By modifying arbitrary files, an attacker may gain elevated privileges. By corrupting files or devices, an attacker may cause denial of service.


Solution

Apply vendor patches; see the Systems Affected section below.


Deinstall the Samba package.


Vendor Information


Caldera: Affected

Notified: April 19, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

<http://www.caldera.com/support/security/advisories/CSSA-2001-015.0.txt>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23670568 Feedback>).

Conectiva: Affected

Notified: April 23, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/other_advisory-1307.html>

<http://www.linuxsecurity.com/advisories/other_advisory-1362.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The second link above documents the Conectiva version that corrects this vulnerability.


Debian: Affected

Notified: April 23, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/debian_advisory-1302.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


FreeBSD: Affected

Notified: April 23, 2001 Updated: August 21, 2001

Status

Affected

Vendor Statement

<ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:36.samba.asc>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


MandrakeSoft: Affected

Notified: April 23, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/mandrake_advisory-1319.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Progeny Linux Systems: Affected

Notified: April 19, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/other_advisory-1305.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


RedHat: Affected

Notified: April 05, 2001 Updated: August 21, 2001

Status

Affected

Vendor Statement

<http://www.redhat.com/support/errata/RHSA-2001-086.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Samba Team: Affected

Notified: May 11, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

The recent Samba 2.0.8 security fix release did NOT fix the security hole in Samba 2.0.7. I have now released Samba 2.0.9 to fix this.

Many thanks to Marc Jacobsen from HP for pointing out the error, and apologies from the Samba Team for any inconvenience.

Note that the 2.2.0 release did fix the bug, so if you have installed that release then you can ignore this message.

The 2.0.9 release is available at
<ftp://ftp.samba.org/pub/samba/samba-2.0.9.tar.gz>
the patch is available at:
<ftp://ftp.samba.org/pub/samba/patches/samba-2.0.8-2.0.9.diffs.gz>

The 2.2.0 release is available at:
<ftp://ftp.samba.org/pub/samba/samba-2.2.0.tar.gz>

We do not plan on doing any more releases of Samba 2.0.x.

Distribution vendors have been notified about the error and will be doing new releases shortly.
- - - - - - - - - -
The bug was introduced into the CVS tree on June 27th 1997. That means all versions from (and including) 1.9.17alpha4 are vulnerable. Amazingly, the bug went undetected through several security audits by various companies over the last 4 years.

The impact of the bug varies a little between versions. In the 2.0.7 release the exploit is only easy (and perhaps only possible, but I won’t guarantee it) if you are exporting printer shares. In either case, we consider it a serious enough risk that all sites should upgrade as soon as possible, especially if you have untrusted users with shell accounts.

Note that the bug is not a race condition. Given the right conditions the exploit will be successful first time every time. (ie. it is not a classic mktemp race)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


Trustix: Affected

Notified: April 18, 2001 Updated: September 17, 2001

Status

Affected

Vendor Statement

<http://www.linuxsecurity.com/advisories/other_advisory-1298.html>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.



Acknowledgements

This vulnerability was first reported by Marcus Meissner of Caldera.

This document was last modified by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0406
Severity Metric: 13.36
Date Public:
