Bug 506996 (CVE-2009-1888)

Summary: CVE-2009-1888 Samba improper file access
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: gdeschner, kreilly, mnowak, ssorce, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2009-11-19 15:01:47 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 526658, 526659, 526660, 526661, 526663    
Bug Blocks:    

Description Josh Bressers 2009-06-19 17:55:03 UTC 
A flaw was found in in Samba that could allow an authenticated attacker to
modify permissions on a file they should not have access to. Exploiting this
flaw is not trivial and a very strict set of conditions must first be met.

The conditions that need to be met to exploit this are as such:
1. You must have write access to the share
2. the 'dos filemodes' option needs to be set (not by default)
3. the random in the sbuf variable must look like a valid stat (we check it in
   the code called by can_write_to_file())

The upstream patch is here:
http://git.samba.org/?p=samba.git;a=commitdiff;h=d6c28913f3109d1327a3d1369b6eafd3874b2dca
Comment 1 Vincent Danen 2009-06-25 12:18:04 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1888 to
the following vulnerability:

Name: CVE-2009-1888
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
Assigned: 20090602
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.0.34-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.3.5-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/security/CVE-2009-1888.html
Reference: BID:35472
Reference: URL: http://www.securityfocus.com/bid/35472
Reference: SECUNIA:35539
Reference: URL: http://secunia.com/advisories/35539
Reference: VUPEN:ADV-2009-1664
Reference: URL: http://www.vupen.com/english/advisories/2009/1664

The acl_group_override function in smbd/posix_acls.c in smbd in Samba
3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before
3.3.6, when dos filemode is enabled, allows remote attackers to modify
access control lists for files via vectors related to read access to
uninitialized memory.
Comment 2 Vincent Danen 2009-06-25 12:28:18 UTC 
The Red Hat Security Response Team has rated this issue as having low security impact, a future samba package update may address this flaw in Red Hat Enterprise Linux 4 and 5. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/
Comment 8 errata-xmlrpc 2009-10-27 17:11:58 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1529 https://rhn.redhat.com/errata/RHSA-2009-1529.html
Comment 9 errata-xmlrpc 2009-11-16 15:39:59 UTC 
This issue has been addressed in following products:

  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1585 https://rhn.redhat.com/errata/RHSA-2009-1585.html