Bug 2046120 (CVE-2021-44141)

Summary: CVE-2021-44141 samba: Information leak via symlinks of existence of files or directories outside of the exported share
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
Version: unspecified
CC: abokovoy, anoopcs, asn, dkarpele, gdeschner, hvyas, iboukris, jarrpa, jstephen, lmohanty, madam, pfilipen, rhs-smb, sbose, security-response-team, ssorce
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: samba 4.13.17, samba 4.14.12, samba 4.15.4
Doc Text:
A vulnerability was found in Samba due to insecure link following. By querying a symlink inside the exported share using SMB1 with unix extensions turned on, an attacker can discover if a named file or directory exists on the filesystem outside the exported share. This flaw allows a remote authenticated attacker to obtain sensitive information.
Last Closed: 2022-05-12 03:15:15 UTC
Bug Depends On: 2046127, 2046129, 2046262, 2048566    
Bug Blocks: 2046121    

Description Huzaifa S. Sidhpurwala 2022-01-26 09:57:29 UTC
As per samba upstream advisory:

All versions of Samba prior to 4.15.4 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.

Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or via NFS can create symlinks that point to arbitrary files or directories on the server filesystem.

Clients can then use SMB1 unix extension information queries to determine if the target of the symlink exists or not by examining error codes returned from the smbd server. There is no ability to access these files or directories, only to determine if they exist or not.
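
An audit sketch for the condition described above, added here and not taken from the Samba advisory or from Red Hat: it lists symlinks under a share directory whose targets resolve outside that directory, so an administrator can review them. The function name, script name and share path are assumptions.

```python
import os
import sys


def find_escaping_symlinks(share_root):
    """List symlinks under share_root whose targets resolve outside it.

    Returns sorted (link_relative_to_share, resolved_target, target_exists)
    tuples. Dangling links are reported too, since the flaw distinguishes
    existing from missing targets.
    """
    root = os.path.realpath(share_root)
    findings = []
    # followlinks=False: never descend through a symlinked directory.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            # A relative target is interpreted from the link's own directory;
            # os.path.join keeps an absolute target unchanged.
            target = os.path.realpath(os.path.join(dirpath, os.readlink(link)))
            if os.path.commonpath([root, target]) != root:
                findings.append(
                    (os.path.relpath(link, root), target, os.path.exists(target))
                )
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python3 audit_share_links.py /srv/samba/share  (path is an example)
    for link, target, exists in find_escaping_symlinks(sys.argv[1]):
        state = "exists" if exists else "missing"
        print(f"{link} -> {target} ({state})")
```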

Comment 4 Huzaifa S. Sidhpurwala 2022-01-31 14:19:44 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2048566]

Comment 5 Tomas Hoger 2022-05-06 09:18:22 UTC
Upstream advisory:
https://www.samba.org/samba/security/CVE-2021-44141.html

Comment 6 errata-xmlrpc 2022-05-10 04:15:58 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2022:1756 https://access.redhat.com/errata/RHSA-2022:1756

Comment 7 errata-xmlrpc 2022-05-10 15:15:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2074 https://access.redhat.com/errata/RHSA-2022:2074

Comment 8 Product Security DevOps Team 2022-05-12 03:15:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44141