Security Bulletin: A vulnerability in Samba affects IBM Spectrum Scale SMB protocol access method (CVE-2017-2619)

Summary

A Samba vulnerability affects IBM Spectrum Scale SMB protocol access method which could allow a remote authenticated attacker to launch a symlink attack, caused by a race condition. An attacker could exploit this vulnerability using SMB1 unix extensions or NFS to create a symbolic link from a temporary file to various files on the system, which could allow the attacker to view non-exported files.

Vulnerability Details

CVEID: CVE-2017-2619 DESCRIPTION: Samba could allow a remote authenticated attacker to launch a symlink attack, caused by a race condition A local attacker could exploit this vulnerability using SMB1 unix extensions to create a symbolic link from a temporary file to various files on the system, which could allow the attacker to view non-exported files.
CVSS Base Score: 4.3
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/123775 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)

Affected Products and Versions

IBM Spectrum Scale V4.2.0.0 thru V4.2.3

IBM Spectrum Scale V4.1.1.0 thru V4.1.1.14

Remediation/Fixes

For IBM Spectrum Scale V4.2.0.0 thru V4.2.3, apply V4.2.3.1 available from FixCentral at
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%20defined%20storage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.2.3&platform=All&function=all

For IBM Spectrum Scale V4.1.1.0 thru V4.1.1.14, apply V4.1.1.15 available from FixCentral at
https://www-945.ibm.com/support/fixcentral/swg/selectFixes?parent=Software%2Bdefined%2Bstorage&product=ibm/StorageSoftware/IBM+Spectrum+Scale&release=4.1.1&platform=All&function=all

Workarounds and Mitigations

None