Bug 2046120 (CVE-2021-44141) - CVE-2021-44141 samba: Information leak via symlinks of existence of files or directories outside of the exported share
Summary: CVE-2021-44141 samba: Information leak via symlinks of existence of files or ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-44141
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2046127 2046129 2046262 2048566
Blocks: 2046121
Reported: 2022-01-26 09:57 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-07-11 13:31 UTC

Fixed In Version: samba 4.13.17, samba 4.14.12, samba 4.15.4
Doc Text:
A vulnerability was found in Samba due to insecure link following. By querying a symlink inside the exported share using SMB1 with unix extensions turned on, an attacker can discover if a named file or directory exists on the filesystem outside the exported share. This flaw allows a remote authenticated attacker to obtain sensitive information.
Clone Of:
Environment:
Last Closed: 2022-05-12 03:15:15 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1756 0 None None None 2022-05-10 04:16:01 UTC
Red Hat Product Errata RHSA-2022:2074 0 None None None 2022-05-10 15:15:39 UTC
Samba Project 14911 0 None None None 2022-01-28 14:29:38 UTC

Description Huzaifa S. Sidhpurwala 2022-01-26 09:57:29 UTC
As per samba upstream advisory:

All versions of Samba prior to 4.15.4 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.

Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or via NFS can create symlinks that point to arbitrary files or directories on the server filesystem.

Clients can then use SMB1 unix extension information queries to determine if the target of the symlink exists or not by examining error codes returned from the smbd server. There is no ability to access these files or directories, only to determine if they exist or not.

Comment 4 Huzaifa S. Sidhpurwala 2022-01-31 14:19:44 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2048566]

Comment 5 Tomas Hoger 2022-05-06 09:18:22 UTC
Upstream advisory:
https://www.samba.org/samba/security/CVE-2021-44141.html

Comment 6 errata-xmlrpc 2022-05-10 04:15:58 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2022:1756 https://access.redhat.com/errata/RHSA-2022:1756

Comment 7 errata-xmlrpc 2022-05-10 15:15:37 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:2074 https://access.redhat.com/errata/RHSA-2022:2074

Comment 8 Product Security DevOps Team 2022-05-12 03:15:12 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-44141

