Bug 1024542 (CVE-2013-4475)

Summary: CVE-2013-4475 samba: no access check verification on stream files
Product: [Other] Security Response
Reporter: Vincent Danen <vdanen>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: aavati, abokovoy, asn, gdeschner, gmollett, jkurik, jlayton, mmcallis, pfrields, rfortier, rhs-bugs, sbose, security-response-team, ssaha, ssorce, vbellur
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: impact=moderate,public=20131025,reported=20131029,source=upstream,cvss2=4.1/AV:A/AC:L/Au:S/C:P/I:P/A:N,rhel-5/samba=notaffected,rhel-6/samba=affected,rhel-7/samba=notaffected,rhes-2.1/samba=affected,rhel-5/samba3x=affected,fedora-all/samba=affected
Fixed In Version: samba 3.6.20, samba 4.0.11, samba 4.1.1
Doc Type: Bug Fix
Last Closed: 2014-01-06 19:11:54 UTC
Bug Depends On: 1024543, 1024544, 1028086, 1028087, 1028088, 1028089, 1028275    
Bug Blocks: 1016554    

Description Vincent Danen 2013-10-29 21:47:57 UTC
It was reported [1] that there are no ACL checks done on accessing stream files (as opposed to regular files) when performing generic file operations like read and write.  A stream file created on a CIFS share, with an explicit deny write ACE applied, would be ignored, despite the access control.  This could allow users able to access the CIFS share on which such a restricted stream file existed, to read and write to the stream file when the expectation was that they were not authorized to do so.

A patch has been posted to the samba-technical mailing list [2] to correct this flaw.  Samba 3.6 and higher are affected by this flaw.

[1] https://bugzilla.samba.org/show_bug.cgi?id=10235
[2] https://lists.samba.org/archive/samba-technical/attachments/20131028/3f1fc04c/attachment.patch

Comment 2 Vincent Danen 2013-10-29 21:50:30 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1024544]

Comment 6 Tomas Hoger 2013-11-04 08:55:00 UTC
Public report on the upstream samba-technical list:
https://lists.samba.org/archive/samba-technical/2013-October/095725.html

Comment 12 Tomas Hoger 2013-11-11 18:55:45 UTC
This issue is now fixed in upstream Samba versions 3.6.20, 4.0.11, and 4.1.1.

External References:

http://www.samba.org/samba/security/CVE-2013-4475

Comment 13 Tomas Hoger 2013-11-11 19:01:52 UTC
Upstream commit:
http://git.samba.org/?p=samba.git;a=commitdiff;h=60f922b

Comment 14 Tomas Hoger 2013-11-11 19:03:33 UTC
Public upstream bug report:
https://bugzilla.samba.org/show_bug.cgi?id=10229

Comment 16 errata-xmlrpc 2013-12-10 00:18:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 5
  Red Hat Enterprise Linux 6

Via RHSA-2013:1806 https://rhn.redhat.com/errata/RHSA-2013-1806.html

Comment 17 errata-xmlrpc 2014-01-06 18:34:32 UTC
This issue has been addressed in the following products:

  Red Hat Storage 2.1

Via RHSA-2014:0009 https://rhn.redhat.com/errata/RHSA-2014-0009.html

Comment 18 Murray McAllister 2014-07-30 05:53:49 UTC
Statement:

This issue did not affect the samba package in Red Hat Enterprise Linux 5. This issue was addressed for the samba3x package in Red Hat Enterprise Linux 5 and the samba package in Red Hat Enterprise Linux 6 via https://rhn.redhat.com/errata/RHSA-2013-1806.html, and the samba package in Red Hat Storage via https://rhn.redhat.com/errata/RHSA-2014-0009.html
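
The fixed versions from comment 12 and the errata from comments 16 to 18, turned into a triage check for a reported `smbd` version string. This is an added example, not code from Red Hat or the Samba project; the `classify` function, its result labels and the sample version strings are constructed for illustration, and treating branches after 4.1 as fixed is an assumption (they were released after the fix).

```python
import re

# Upstream releases carrying the fix, per comment 12 of this bug:
# branch (major, minor) -> first fixed patch level.
FIXED = {(3, 6): 20, (4, 0): 11, (4, 1): 1}

def classify(version_text):
    """Triage a Samba version string for CVE-2013-4475.

    Returns one of: 'affected', 'fixed', 'check-errata',
    'not-listed', 'unknown'.
    """
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(-\S+)?", version_text)
    if m is None:
        return "unknown"
    major, minor, patch = int(m.group(1)), int(m.group(2)), int(m.group(3))
    vendor_release = m.group(4)  # e.g. "-151.el6" on a distribution build
    branch = (major, minor)

    if branch < (3, 6):
        # This bug only lists 3.6 and higher as affected; older branches
        # need the upstream advisory, so no verdict is given here.
        return "not-listed"
    if branch > (4, 1):
        # Assumption: branches after 4.1 were released after the fix.
        return "fixed"
    if branch not in FIXED:
        return "unknown"
    if patch >= FIXED[branch]:
        return "fixed"
    if vendor_release:
        # Distribution packages backport fixes without changing the upstream
        # version number; the package changelog or the errata
        # (RHSA-2013:1806, RHSA-2014:0009) decide, not this comparison.
        return "check-errata"
    return "affected"

if __name__ == "__main__":
    # Constructed sample inputs in the style of `smbd --version` output.
    for sample in ("Version 3.6.19", "Version 4.0.11",
                   "Version 3.6.9-151.el6", "Version 4.1.0rc1"):
        print(f"{sample:28} -> {classify(sample)}")
```

A `check-errata` result means the upstream number alone cannot settle it: confirm against the installed package's changelog or the errata listed in this bug.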