Samba internally connects client pipe names to unix domain sockets within a private directory, allowing clients to connect to services listening on those sockets. However, insufficient sanitization was done on the incoming client pipe names, allowing SMB clients to connect as root to existing unix domain sockets on the file system, meaning if a client could send a pipe name that resolved to an external service using an existing unix domain socket, the client would be able to connect to it without filesystem permissions restricting access. https://bugzilla.samba.org/show_bug.cgi?id=15422
This CVE is now Public: https://www.samba.org/samba/security/CVE-2023-3961.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 2243228]
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Extended Update Support Via RHSA-2023:6209 https://access.redhat.com/errata/RHSA-2023:6209
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:6744 https://access.redhat.com/errata/RHSA-2023:6744
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Extended Update Support Via RHSA-2023:7371 https://access.redhat.com/errata/RHSA-2023:7371
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Extended Update Support Via RHSA-2023:7408 https://access.redhat.com/errata/RHSA-2023:7408
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Extended Update Support Via RHSA-2023:7464 https://access.redhat.com/errata/RHSA-2023:7464
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2023:7467 https://access.redhat.com/errata/RHSA-2023:7467