Bug 922008 (CVE-2013-1863)

Summary: CVE-2013-1863 samba4: Samba 4.0 AD DC files (initially) created as world-writable if additional CIFS file shares are created on the AD DC
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asn, jrusnack, sbose, security-response-team
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Samba 4.0.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-01-26 22:29:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 923337    
Bug Blocks: 922017    

Description Jan Lieskovsky 2013-03-15 11:41:49 UTC 
A security flaw was found in the way Samba, when run as Active Directory Domain Controller (AD DC), performed (initial) setting of file's / directory's creation mask for CIFS shares configured to use traditional Unix's user / group / other (UGO) permissions set model as the default ACL policy for setting access policy to file system objects. When Samba was built to act as AD DC, a valid Samba user could use this flaw to in an unauthorized way read or alter content of CIFS share, that used Unix's UGO model as the default ACL policy.

Relevant upstream bug:
[1] https://bugzilla.samba.org/show_bug.cgi?id=9709 (private)


External References:
http://www.samba.org/samba/security/CVE-2013-1863
Comment 4 Huzaifa S. Sidhpurwala 2013-03-18 08:47:42 UTC 
samba4 packages in Red Hat Enterprise Linux 6 are complied with the "--without-ad-dc" flag and are therefore not affected by this vulnerability.

Statement:

Not Vulnerable. This issue does not affect the version of samba4 as shipped with Red Hat Enterprise Linux 6.
Comment 5 Huzaifa S. Sidhpurwala 2013-03-18 08:51:05 UTC 
samba4 package in Fedora-17 is not complied with the "--without-ad-dc" flag and is therefore affected by this vulnerability. 

In Fedora-18, samba4 package is called "samba" and is not affected by this flaw.
Comment 7 Jan Lieskovsky 2013-03-19 15:13:50 UTC 
Relevant upstream patch:
  http://www.samba.org/samba/ftp/patches/security/samba-4.0.3-CVE-2013-1863.patch
Comment 8 Jan Lieskovsky 2013-03-19 15:39:20 UTC 
Samba 4.0.4 announcement:
  https://lists.samba.org/archive/samba-announce/2013/000290.html

Other reference:
  http://www.samba.org/samba/history/samba-4.0.4.html
Comment 9 Jan Lieskovsky 2013-03-19 15:42:05 UTC 
Created samba4 tracking bugs for this issue

Affects: fedora-17 [bug 923337]