Year-Old Samba flaw allows escaping from the share path definition

Experts discovered a year-old flaw in Samba software that could be exploited to bypass file-sharing permissions and access forbidden root shares paths.

Security researchers discovered a year-old vulnerability in Samba software that could be exploited, under certain conditions, to bypass file-sharing permissions and access forbidden root shares paths.

“On a Samba SMB server for all versions of Samba from 4.9.0 clients are able to escape outside the share root directory if certain configuration parameters set in the smb.conf file.” reads the security advisory.

The flaw in Samba was introduced with the release of Samba 4.9.0 on September 13, 2018. In order to exploit the flaw it is necessary that the ‘wide links’ option in the Samba configuration file is turned on the target system. Other conditions that must be matched is to either allow insecure wide links or have the ‘unix extension‘ parameter set to ‘no.’

The vulnerability, tracked as CVE-2019-10197, stems from the failure to reset the cache that keeps track of successful directory changes.

“The problem is reproducable if the ‘wide links’ option is explicitly set to ‘yes’ and either ‘unix extensions = no’ or ‘allow insecure wide links = yes’ is set in addition. If a client has no permissions to enter the share root directory it will get ACCESS_DENIED on the first request.” continues the security advisory. “However smbd has a cache that remembers if it successfully changed to a directory. This cache was not being reset on failure. The following SMB request will then silently operate in the wrong directory instead of returning ACCESS_DENIED. That directory is either the share root directory of a different share the client was operating on successfully before or the global root directory (‘/’) of the system.”

In case of a failure in changing to a directory, it should reset the cache on failure recording the denied request. If this does not happen, the following SMB request will then silently operate in the wrong directory instead of returning ACCESS_DENIED.

The experts pointed out that the issue could allow access to the root directory of a different share the client accessed before or even the global root directory of the system.

The advisory highlights that the vulnerability does not affect the Unix permission checks in the kernel.

“The unix token (uid, gid, list of groups) is always correctly impersonated before each operation, so the client is still restricted by the unix permissions enfored by the kernel.” continues the advisory.

The CVE-2019-10197 has been found by Stefan Metzmacher and the Samba Team, it has received a CVSS v3 score of 8.7.

In order to address the CVE-2019-10197 vulnerability, admins have to install security patches released by Samba for version lower than 4.9.13 and 4.10.8. The latest stable releases also address the issue along with the Samba 4.11.0 RC3.

Samba also provided the following mitigations in case it is not possible to apply the patches:

  • Use the ‘sharesec‘ tool to configure a security descriptor for the share that’s at least as strict as the permissions on the share root directory.
  • Use the ‘valid users’ option to allow only users/groups which are   able to enter the share root directory.
  • Remove ‘wide links = yes’ if it’s not really needed.
  • In some situations it might be an option to use ‘chmod a+x’ on the   share root directory, but you need to make sure that files and   subdirectories are protected by stricter permissions. You may also want to ‘chmod a-w’ in order to prevent new top level files and directories, which may have less restrictive permissions

The post Year-Old Samba flaw allows escaping from the share path definition appeared first on Security Affairs.