Bug 2009676 (CVE-2021-43566)

Summary: CVE-2021-43566 samba: Symlink race error can allow directory creation outside of the exported share
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abokovoy, anoopcs, asn, dkarpele, gdeschner, hvyas, iboukris, jarrpa, jstephen, lmohanty, madam, pfilipen, puebele, rhs-smb, sbose, security-response-team, ssorce, thoger
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.13.16 Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-05-12 02:46:09 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2039157, 2044255, 2046218    
Bug Blocks: 2009675    

Description Huzaifa S. Sidhpurwala 2021-10-01 09:22:08 UTC 
As per upstream report:

All versions of Samba prior to 4.13.13 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.

Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to create a directory under the new symlink target after the exported share path check has been done. This new symlink target can point to anywhere on the server file system. The authenticated user must have permissions to create a directory under the target directory of the symlink.
Comment 4 Tomas Hoger 2022-04-22 20:26:06 UTC 
Upstream advisory:
https://www.samba.org/samba/security/CVE-2021-43566.html

Upstream patch:
https://download.samba.org/pub/samba/patches/security/samba-4.13.16-security-2022-01-10.patch
Comment 11 Andreas Schneider 2022-05-05 17:15:09 UTC 
Samba 4.14 is not affected, as parts of the VFS code have already been rewritten in Samba 4.14. The VFS rewrite was completed in Samba 4.15. This is why CVE-2021-43566 only affects Samba versions < 4.13.16.

Details:
https://www.samba.org/samba/security/CVE-2021-43566.html
Comment 13 Product Security DevOps Team 2022-05-12 02:46:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-43566