SAMBA:CVE-2019-3880 (Samba Security)

Save registry file outside share as unprivileged user

2019-04-08 00:00:00
Samba Security
www.samba.org

5.4 Medium (CVSS3)
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: LOW
Availability Impact: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L

5.5 Medium (CVSS2)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: PARTIAL
AV:N/AC:L/Au:S/C:N/I:P/A:P

0.002 Low (EPSS), Percentile 60.7%

Description

Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, “winreg_SaveKey”, is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.

Note - existing share restrictions such as “read only” or share ACLs
do not prevent new registry hive files being written to the
filesystem. A file may be written under any share definition wherever
the user has unix permissions to create a file.

Existing files cannot be overwritten using this vulnerability, only
new registry hive files can be created, however the presence of
existing files with a specific name can be detected.

Samba writes or detects the file as the authenticated user, not as root.

Patch Availability

Patches addressing both these issues have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 4.8.11, 4.9.6 and 4.10.2 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

CVSSv3 calculation

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (6.3)

Workaround

If the areas of the filesystem being exported by all share definitions
have no symlinks pointing outside the shared areas, the attacker can
only create new files inside the shared areas.

If the server is exporting SMB1 shares, and the global parameter ‘unix
extensions = yes’ is set (the default value), then an attacker can
create symbolic links that point outside the share definitions to
allow registry hive files to be created wherever the symlink points to
(so long as no existing file is present).

Either turn off SMB1 by setting the global parameter:

‘min protocol = SMB2’

or if SMB1 is required turn off unix extensions by setting the global
parameter:

‘unix extensions = no’

in the smb.conf file.
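As an added illustration (not Samba's code and not part of the advisory), the following Python audits the [global] section of an smb.conf for the workaround above and lists symlinks under a share that resolve outside the share root; the sample configs and the temporary demo share are constructed here, and the defaults it assumes when a parameter is absent (SMB1 offered, ‘unix extensions = yes’) are the ones the advisory describes.

```python
import configparser
import os
import tempfile

# Constructed sample configs: the first keeps the Samba defaults the advisory
# warns about (SMB1 offered, unix extensions = yes); the second applies the fix.
VULNERABLE_CONF = "[global]\n   workgroup = WORKGROUP\n[public]\n   read only = yes\n"
HARDENED_CONF = "[global]\n   min protocol = SMB2\n"

def parse_smb_conf(text):
    """Parse smb.conf text; option names are lowercased and whitespace-trimmed."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), comment_prefixes=("#", ";"))
    cp.read_string(text)
    return cp

def workaround_status(text):
    """Report whether [global] disables SMB1 or unix extensions (either mitigates).
    Assumed defaults when absent: SMB1 offered and 'unix extensions = yes'."""
    cp = parse_smb_conf(text)
    g = cp["global"] if cp.has_section("global") else {}
    proto = g.get("min protocol", g.get("server min protocol", "NT1")).strip().upper()
    smb1_disabled = proto.startswith(("SMB2", "SMB3"))
    unix_ext = g.get("unix extensions", "yes").strip().lower() in ("yes", "true", "1")
    return {"smb1_disabled": smb1_disabled, "unix_extensions": unix_ext,
            "mitigated": smb1_disabled or not unix_ext}

def escaping_symlinks(share_path):
    """List symlinks under a share whose resolved target lies outside the share root."""
    root = os.path.realpath(share_path)
    found = []
    for dirpath, dirnames, filenames in os.walk(share_path):  # does not follow links
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) and os.path.commonpath(
                    [root, os.path.realpath(full)]) != root:
                found.append(full)
    return sorted(found)

def build_demo_share():
    """Constructed fixture: one symlink staying inside the share, one escaping it."""
    base = tempfile.mkdtemp()
    share = os.path.join(base, "share")
    os.makedirs(os.path.join(share, "sub"))
    os.symlink(os.path.join(share, "sub"), os.path.join(share, "inside"))
    os.symlink(base, os.path.join(share, "escape"))  # resolves to the share's parent
    return share

if __name__ == "__main__":
    print(workaround_status(VULNERABLE_CONF), escaping_symlinks(build_demo_share()))
```

Run escaping_symlinks over the path of every share definition; a non-empty result means the symlink-based variant of the workaround precondition is not met.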

Credits

Originally reported by Michael Hanselmann.

Patches provided by Jeremy Allison of the Samba Team and Google.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
