CVE-2020-14318

2020-10-2911:29:24

redhat.com

access.redhat.com

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4 Medium

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

0.001 Low

EPSS

Percentile

39.5%

JSON

A flaw was found in the way Samba handled file and directory permissions. This flaw allows an authenticated user to gain access to certain file and directory information, which otherwise would be unavailable. The highest threat from this vulnerability is to confidentiality.

Mitigation

As Samba internally opens an underlying file system handle on a directory when a client requests an open, even for FILE_READ_ATTRIBUTES then if the underlying file system permissions don't allow "r" (read) access for the connected user, then the handle open request will be denied.

"r" access is the normal permission needed to list or otherwise reveal the contents of a directory, so if a connected user has "r" access then they will be able to list the directory contents normally, and the information received by a ChangeNofity request is already available to the user.

The security issue occurs if the Administrator or directory owner had set more restrictive Windows ACL permissions on the directory to disallow read access to the user, and this permissions change was not reflected in the underlying file system permissions.

This will only occur if Samba is configured with VFS modules to decouple the underlying file system permissions from the Windows ACLs, by setting up a share with the settings:

[vulnerable_share]
vfs_objects = vfs_acl_xattr
acl_xattr:ignore system acls = yes