Bug 2241881 (CVE-2023-3961)

Summary: CVE-2023-3961 samba: smbd allows client access to unix domain sockets on the file system as root
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: nobody, pfilipen, rhs-smb, security-response-team, stefano.biagiotti
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.19.1, samba 4.18.8, samba 4.17.12 Doc Type: If docs needed, set a value
Doc Text:
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR LSA or SPOOLSS, which Samba initiates on demand. However, due to inadequate sanitization of incoming client pipe names, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2241916, 2243228    
Bug Blocks: 2228383    

Description TEJ RATHI 2023-10-03 07:34:21 UTC 
Samba internally connects client pipe names to unix domain sockets within a private directory, allowing clients to connect to services listening on those sockets. However, insufficient sanitization was done on the incoming client pipe names, allowing SMB clients to connect as root to existing unix domain sockets on the file system, meaning if a client could send a pipe name that resolved to an external service using an existing unix domain socket, the client would be able to connect to it without filesystem permissions restricting access.

https://bugzilla.samba.org/show_bug.cgi?id=15422
Comment 2 TEJ RATHI 2023-10-11 10:39:09 UTC 
This CVE is now Public:
https://www.samba.org/samba/security/CVE-2023-3961.html
Comment 3 TEJ RATHI 2023-10-11 10:40:58 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2243228]
Comment 4 errata-xmlrpc 2023-10-31 10:05:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6209 https://access.redhat.com/errata/RHSA-2023:6209
Comment 5 errata-xmlrpc 2023-11-07 10:08:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6744 https://access.redhat.com/errata/RHSA-2023:6744
Comment 6 errata-xmlrpc 2023-11-21 11:17:23 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7371 https://access.redhat.com/errata/RHSA-2023:7371
Comment 7 errata-xmlrpc 2023-11-21 11:42:35 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7408 https://access.redhat.com/errata/RHSA-2023:7408
Comment 8 errata-xmlrpc 2023-11-22 17:27:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7464 https://access.redhat.com/errata/RHSA-2023:7464
Comment 9 errata-xmlrpc 2023-11-22 17:29:45 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7467 https://access.redhat.com/errata/RHSA-2023:7467