Bug 1290288 (CVE-2015-5252) - CVE-2015-5252 samba: Insufficient symlink verification in smbd
Summary: CVE-2015-5252 samba: Insufficient symlink verification in smbd
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2015-5252
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1290706 1290707 1290708 1290709 1290710 1290711 1290727 1292069
Blocks: 1281327
TreeView+ depends on / blocked
 
Reported: 2015-12-10 05:01 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-05-12 14:36 UTC (History)
15 users (show)

Fixed In Version: samba 4.1.22, samba 4.2.7, samba 4.3.3
Doc Type: Bug Fix
Doc Text:
An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path.
Clone Of:
Environment:
Last Closed: 2016-01-08 12:19:22 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2016:0006 0 normal SHIPPED_LIVE Moderate: samba security update 2016-01-08 06:39:15 UTC
Red Hat Product Errata RHSA-2016:0010 0 normal SHIPPED_LIVE Moderate: samba4 security update 2016-01-08 03:43:17 UTC
Red Hat Product Errata RHSA-2016:0011 0 normal SHIPPED_LIVE Moderate: samba security update 2016-01-07 22:20:52 UTC
Red Hat Product Errata RHSA-2016:0015 0 normal SHIPPED_LIVE Moderate: samba security update 2016-01-08 15:18:26 UTC
Red Hat Product Errata RHSA-2016:0016 0 normal SHIPPED_LIVE Moderate: samba security update 2016-01-08 15:17:52 UTC

Description Huzaifa S. Sidhpurwala 2015-12-10 05:01:50 UTC
As per samba upstream advisory:


All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path.

If a Samba share is configured with a path that shares a common path prefix with another directory on the file system, the smbd daemon may allow the client to follow a symlink pointing to a file or directory in that other directory, even if the share parameter "wide links" is
set to "no" (the default).

For example. Given two directories on the file system:

/share/

/share1/

If a Samba share is created as follows:

[sharename]
        path = /share
        wide links = no

Then a symlink with the path

/share/symlink -> /share1/file

would be followed by smbd, due to the fact that only the string "/share" is checked to see if it matches the target path. This means a path that starts with "/share", such as "/share1" will also match.

The following mitigation was suggested by upstream:

Ensure all exported share paths do not share base path names with other directories on the file system.

Please note, setting the smb.conf variable "follow symlinks = no" is *NOT* a workaround for this problem, as this only prohibits smbd from following a symlink at the end of a path.

A symlink could be created that points to the directory which shares a base path name instead, and smbd would still follow that link. For example, with the above share definition, given a symlink of:

/share/symlink -> /share1

a client could send a relative path such as "symlink/file", which would still be followed by smbd as the end component "file" of "symlink/file" is *NOT* a symlink, and so is not affected by "follow symlinks = no".

Comment 1 Huzaifa S. Sidhpurwala 2015-12-10 06:32:25 UTC
Acknowledgements:

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Jan "Yenya" Kasprzak and the Computer Systems Unit team at Faculty of Informatics, Masaryk University as the original reporters.

Comment 6 Siddharth Sharma 2015-12-16 12:09:09 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1292069]

Comment 7 Huzaifa S. Sidhpurwala 2015-12-17 04:11:57 UTC
External References:

https://www.samba.org/samba/security/CVE-2015-5252.html

Comment 9 errata-xmlrpc 2016-01-07 17:06:47 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0010 https://rhn.redhat.com/errata/RHSA-2016-0010.html

Comment 10 errata-xmlrpc 2016-01-07 17:23:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0011 https://rhn.redhat.com/errata/RHSA-2016-0011.html

Comment 11 errata-xmlrpc 2016-01-08 01:40:23 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2016:0006 https://rhn.redhat.com/errata/RHSA-2016-0006.html

Comment 12 errata-xmlrpc 2016-01-08 10:19:03 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 7

Via RHSA-2016:0016 https://rhn.redhat.com/errata/RHSA-2016-0016.html

Comment 13 errata-xmlrpc 2016-01-08 10:19:49 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 6

Via RHSA-2016:0015 https://rhn.redhat.com/errata/RHSA-2016-0015.html


Note You need to log in before you can comment on or make changes to this bug.