Wide links protection broken

Description

Samba 4.17 introduced following symlinks in user space with the intent
to properly check symlink targets to stay within the share that was
configured by the administrator. The check does not properly cover a
corner case, so that a user can create a symbolic link that will make
smbd escape the configured share path.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks can
use the vulnerability to get access to all of the server’s file
system.

Patch Availability

Patches addressing this issue has been posted to:

https://www.samba.org/samba/security/

Samba 4.17.2 has been issued as a security releases to correct the
defect. Samba administrators are advised to upgrade to this release as
soon as possible.

CVSSv3.1 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

Workaround and mitigating factors

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.

However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team