1309992 – (CVE-2015-7560) CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path

Bug 1309992 (CVE-2015-7560) - CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path

Summary: CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2015-7560
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1314667 1314668 1314669 1314670 1314671 1314672 1314673 1314674 1315942
Blocks:	1309971
TreeView+	depends on / blocked

Reported:	2016-02-19 07:27 UTC by Huzaifa S. Sidhpurwala
Modified:	2021-02-17 04:20 UTC (History)
CC List:	14 users (show)
Fixed In Version:	samba 4.4.0rc4, samba 4.3.6, samba 4.2.9, samba 4.1.23
Clone Of:
Environment:
Last Closed:	2016-03-24 02:50:01 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2016:0447	normal	SHIPPED_LIVE	Moderate: samba security and bug fix update	2016-03-15 16:30:59 UTC
Red Hat Product Errata	RHSA-2016:0448	normal	SHIPPED_LIVE	Moderate: samba security update	2016-03-15 17:18:30 UTC
Red Hat Product Errata	RHSA-2016:0449	normal	SHIPPED_LIVE	Moderate: samba4 security update	2016-03-15 16:30:43 UTC
Samba Project	11648	None	None	None	2016-03-08 11:35:10 UTC

Description Huzaifa S. Sidhpurwala 2016-02-19 07:27:25 UTC

As per upstream security advisory:

All versions of Samba from 3.2.0 to 4.3.3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.

Comment 1 Andreas Schneider 2016-02-26 08:39:46 UTC

Workaround
==========

Add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd.

Alternatively, prohibit the use of SMB1 by setting the parameter:

server min protocol = SMB2

to the [global] section of your smb.conf and restart smbd.

Comment 5 Siddharth Sharma 2016-03-09 04:28:26 UTC

Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1315942]

Comment 6 Huzaifa S. Sidhpurwala 2016-03-09 04:37:04 UTC

External References:

https://www.samba.org/samba/security/CVE-2015-7560.html

Comment 7 Siddharth Sharma 2016-03-09 09:59:30 UTC

Acknowledgment:

Name: the Samba project
Upstream: Jeremy Allison (Google), the Samba team

Comment 9 Siddharth Sharma 2016-03-15 06:14:45 UTC

Upstream Patches:

Samba/master

[Patch: 01/12] https://git.samba.org/?p=samba.git;a=patch;h=841ae4a2e297d9d2211d8fb79c8f180ae295aae9
[Patch: 02/12] https://git.samba.org/?p=samba.git;a=patch;h=19eb1c9311955b769afdc9ff593a21800424cf27
[Patch: 03/12] https://git.samba.org/?p=samba.git;a=patch;h=6b61b5448a96c762ddae36e5055050c5ca869ea2
[Patch: 04/12] https://git.samba.org/?p=samba.git;a=patch;h=e7e23e96478870a3bf37b8b2d984890feabcf808
[Patch: 05/12] https://git.samba.org/?p=samba.git;a=patch;h=77b3d5b2a8848303070ba2e44476534885469a00
[Patch: 06/12] https://git.samba.org/?p=samba.git;a=patch;h=3f491d77567ddc1b51f6c77c94d26b4d4cc2e5d0
[Patch: 07/12] https://git.samba.org/?p=samba.git;a=patch;h=464d044145faa6db166e9bf4c080a3dd15422834
[Patch: 08/12] https://git.samba.org/?p=samba.git;a=patch;h=0be0b755cdd2a74cf364e69c3babeb714244a604
[Patch: 09/12] https://git.samba.org/?p=samba.git;a=patch;h=5941d75fd4380455d6e0552e8f92b5e7c0c356d6
[Patch: 10/12] https://git.samba.org/?p=samba.git;a=patch;h=9ee4ddd36656370e252405fae07ddd7b782f28bd
[Patch: 11/12] https://git.samba.org/?p=samba.git;a=patch;h=306a7f39add1f0b58b2705499405b7d81bf36793
[Patch: 12/12] https://git.samba.org/?p=samba.git;a=patch;h=b551cd83ef74340adaf88629a9ee9fa5c5215ec6

Comment 13 errata-xmlrpc 2016-03-15 12:31:14 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2016:0449 https://rhn.redhat.com/errata/RHSA-2016-0449.html

Comment 14 errata-xmlrpc 2016-03-15 12:31:29 UTC

This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.1 for RHEL 7
  Red Hat Gluster Storage 3.1 for RHEL 6

Via RHSA-2016:0447 https://rhn.redhat.com/errata/RHSA-2016-0447.html

Comment 15 errata-xmlrpc 2016-03-15 13:19:01 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7
  Red Hat Enterprise Linux 6

Via RHSA-2016:0448 https://rhn.redhat.com/errata/RHSA-2016-0448.html

Note You need to log in before you can comment on or make changes to this bug.