Samba Security: SAMBA:CVE-2009-1888
Jun 23, 2009 - 12:00 a.m.

Uninitialized read of a data value

Samba Security
www.samba.org

CVSS2: 5.8 Medium (AV:N/AC:M/Au:N/C:P/I:P/A:N)

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: NONE

EPSS: 0.002 Low
Percentile: 61.6%

Description

The smbd daemon in Samba 3.0.31 - 3.3.5 contains an
uninitialized read of a data value that can potentially
affect access control. If a user tries to modify
an access control list (ACL) and is denied permission,
this denial may be overridden if the parameter “dos filemode”
is set to “yes” in the smb.conf and the user already has write
access to the file. The error occurs in the check that the
user has write access: uninitialized memory is read instead
of the values in the ‘stat’ struct of the file.

An attack would be difficult for an attacker to script,
as the attacker would need to find a reproducible case
in which previously used stack memory held the correct
values to trigger the bug. In addition, the server would
have to be configured with “dos filemode = yes”
in the smb.conf.

Patch Availability

A patch addressing this defect has been posted to

http://www.samba.org/samba/security/

Additionally, Samba 3.2.13, 3.0.35 and 3.3.6 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

Workaround

Set the parameter:

dos filemode = no

in the [global] section of your smb.conf. This is
already the default setting.
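
An added example, not part of the Samba advisory: a Python check that tests a version string against the affected range and fixed releases stated above, and lists the smb.conf sections in which "dos filemode" is in effect. The function names and the sample configuration are constructed; the code assumes the parameter can also be set per share (inheriting from [global]) and it does not follow include directives.

```python
import re

# Fixed releases per branch, taken from the advisory: 3.0.35, 3.2.13, 3.3.6.
FIXED = {(3, 0): 35, (3, 2): 13, (3, 3): 6}
TRUE_VALUES = {"yes", "true", "1", "on"}  # spellings treated as boolean true

def version_affected(version):
    """True if version is within 3.0.31 - 3.3.5 and older than its branch's fix."""
    v = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    if len(v) != 3 or not (3, 0, 31) <= v <= (3, 3, 5):
        return False
    fixed_patch = FIXED.get(v[:2])
    return fixed_patch is None or v[2] < fixed_patch

def sections_with_dos_filemode(conf_text):
    """Return, in file order, the sections where 'dos filemode' is in effect."""
    text = re.sub(r"\\\r?\n", "", conf_text)  # join backslash-continued lines
    section, sections, settings = "global", ["global"], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            sections.append(section)
            continue
        name, sep, value = line.partition("=")
        # Samba ignores case and whitespace in parameter names.
        if sep and re.sub(r"\s+", "", name).lower() == "dosfilemode":
            settings[section] = value.strip().lower() in TRUE_VALUES
    default = settings.get("global", False)  # "no" unless [global] says otherwise
    return [s for s in dict.fromkeys(sections) if settings.get(s, default)]

# Constructed sample: [public] inherits the global "yes", [archive] overrides it.
SAMPLE_CONF = """[global]
   DOS FileMode = Yes
[public]
   path = /srv/public
[archive]
   dos filemode = no
"""

if __name__ == "__main__":
    exposed = sections_with_dos_filemode(SAMPLE_CONF)
    print("3.2.12 affected:", version_affected("3.2.12"), "- enabled in:", exposed)
```

A host matters for this advisory only when both checks are positive: the version is affected and at least one section is returned.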

Credits

This issue was found by Jeremy Allison <[email protected]> as part of
normal code auditing activities in Samba.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
