Lucene search

K
sambaSamba SecuritySAMBA:CVE-2021-44141
HistoryJan 31, 2022 - 12:00 a.m.

Information leak via symlinks of existance of

2022-01-3100:00:00
Samba Security
www.samba.org
87

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N

Description

All versions of Samba prior to 4.15.5 are vulnerable to a malicious
client using a server symlink to determine if a file or directory
exists in an area of the server file system not exported under the
share definition. SMB1 with unix extensions has to be enabled in order
for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or via NFS can create symlinks
that point to arbitrary files or directories on the server filesystem.

Clients can then use SMB1 unix extension information queries to
determine if the target of the symlink exists or not by examining
error codes returned from the smbd server. There is no ability to
access these files or directories, only to determine if they exist or
not.

If SMB1 is turned off and only SMB2 is used, or unix extensions are
not enabled then there is no way to discover if a symlink points to a
valid target or not via SMB2. For this reason, even if symlinks are
created via NFS, if the Samba server does not allow SMB1 with unix
extensions there is no way to exploit this bug.

Finding out what files or directories exist on a file server can help
attackers guess system user names or the exact operating system
release and applications running on the server hosting Samba which may
help mount further attacks.

SMB1 has been disabled on Samba since version 4.11.0 and
onwards. Exploitation of this bug has not been seen in the wild.

Patch Availability

Patches addressing this issue has been posted to:

https://www.samba.org/samba/security/

Samba version 4.15.5 has been issued as a security release to correct
the defect. Samba administrators are advised to upgrade to this
release as soon as possible. Due to the complexity of the fixes needed
for this problem, back ports to earlier Samba versions have not been
provided. For users of earlier Samba versions, please see the
“Workaround and mitigating factors” section of this document.

CVSSv3.1 calculation

CVSS:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:N/MA:N

base score of 4.2

Workaround and mitigating factors

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation or
querying of symbolic links via SMB1. If SMB1 must be enabled for
backwards compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating or reading symlinks on the
exported file system.

However, if the same region of the file system is also exported
allowing write access via NFS, NFS clients can create symlinks that
allow SMB1 with unix extensions clients to discover the existance of
the NFS created symlink targets. For non-patched versions of Samba we
recommend only exporting areas of the file system by either SMB2 or
NFS, not both.

Credits

Reported by Stefan Behrens of <[email protected]>
Jeremy Allison of Google and the Samba Team provided the fix.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

3.5 Low

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:M/Au:S/C:P/I:N/A:N