6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
69.1%
Samba client code (libsmbclient) returns server-supplied filenames to
calling code without checking for pathname separators (such as “/” or
“…/”) in the server returned names.
A malicious server can craft a pathname containing separators and
return this to client code, causing the client to use this access local
pathnames for reading or writing instead of SMB network pathnames.
This access is done using the local privileges of the client.
This attack can be achieved using any of SMB1/2/3 as it is not reliant
on any specific SMB protocol version.
Specifically, samba client tools like smbget and smbclient’s mget use
the server supplied ‘final’ name component as a local name when
obtaining multiple files. While the design of these tools is that
server can always choose the file names, this vulnerability is that it
allows a remote server to create local files outside the current
working directory.
Users of the libsmbclient library external to Samba may also be
vulnerable if they use server returned filenames without adequate
checking and pass them to functions that do local filesystem access.
Note that the Gnome GVFS client library is not believed to be
vulnerable, as it always passes server-returned pathnames back to the
SMB share they were returned from. Such malformed pathnames are then
rejected by the server.
Patches addressing both these issues have been posted to:
http://www.samba.org/samba/security/
Additionally, Samba 4.11.2, 4.10.10 and 4.9.15 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.
CVSSv3: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N (5.3)
None.
Originally reported by Michael Hanselmann.
Patches provided by Jeremy Allison of the Samba Team and Google.
Advisory by Jeremy Allison of the Samba Team and Google and Andrew
Bartlett of the Samba Team and Catalyst.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.003 Low
EPSS
Percentile
69.1%