Red Hat Bugzilla – Bug 562156
CVE-2010-0547 samba: mount.cifs improper device name and mountpoint strings sanitization
Last modified: 2011-08-30 02:51:12 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-0547 to
the following vulnerability:
client/mount.cifs.c in mount.cifs in smbfs in Samba 3.4.5 and earlier
does not verify that the (1) device name and (2) mountpoint strings
are composed of valid characters, which allows local users to cause a
denial of service (mtab corruption) via a crafted string.
Issue severity note:
For a local, unprivileged user to be able to exploit this
flaw (to corrupt the system's /etc/mtab file), the relevant
mount.cifs utility present on the system has to be setuid
root (otherwise the attacker is NOT able to mount a
custom CIFS share, and thus cannot add records to the system table of
mounted devices). The mount.cifs utility, shipped within the
samba-client package in Red Hat Enterprise Linux 4 and 5,
is NOT setuid root in the default configuration,
which mitigates the impact of this flaw.
This issue does NOT affect the version of the samba package,
as shipped with Red Hat Enterprise Linux 3.
This issue affects (but with quite limited impact) the versions
of the samba package, as shipped with Red Hat Enterprise Linux 4
and Red Hat Enterprise Linux 5.
This issue affects (but with quite limited impact) the version
of the samba3x package, as shipped with Red Hat Enterprise Linux 5.
This issue does NOT affect the versions of the samba package,
as shipped with Fedora releases 11 and 12. Samba packages for
these two Fedora releases have already been updated:
a, samba-3.4.5-0.47.fc11 contains the relevant fix for Fedora-11
b, samba-3.4.5-55.fc12 contains the relevant fix for Fedora-12
For more information please proceed to CVE-2010-0787 Red Hat
and the subsequent comments in :
Noting some context details for posterity... This flaw actually exposed a bug (failure to escape \n character properly) in glibc's addmntent() implementation, which got CVE-2010-0296 id assigned, see bug #559579 for details. This flaw got addressed in both glibc and samba/cifs-utils:
- glibc added proper escaping of \n; the issue was fixed in Red Hat Enterprise Linux 6 before the initial release, and updates were made available for Red Hat Enterprise Linux 5 (RHSA-2011:0412)
- samba/cifs-utils added a check for \n in share and directory names, causing it to print an error message and exit without trying to mount the share and update mtab in such case; this fix was included in the cifs-utils included in the Red Hat Enterprise Linux 6 initial release, and was added to samba3x packages in Red Hat Enterprise Linux 5 as part of the rebase to version 3.5.4 (RHBA-2011:0054) in Red Hat Enterprise Linux 5.6
However, the samba/cifs-utils fix contained an error which caused mount.cifs to print an error message when a share or directory name with \n was encountered, but still proceed to try to mount the share and update mtab. This could still result in mtab corruption on systems that do not have the glibc fix. This incomplete fix issue is now tracked as CVE-2011-2724, bug #726691.
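As an added illustration of the two fixes described in the comment above (this is example code written for this page, not code from Samba, cifs-utils or glibc): the newline check the corrected mount.cifs performs before mounting, and the octal escaping addmntent applies so that a crafted share name stays a single mtab record instead of injecting a second one. The function names are hypothetical, the crafted share name is constructed for the example, and mtab_encode is a reimplementation of glibc's escaping for illustration, not glibc's own code.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* A field is safe for mtab if it contains no newline; this is the check the
   corrected mount.cifs applies to the share (device) name and mountpoint. */
int mtab_field_is_safe(const char *s)
{
    return strchr(s, '\n') == NULL;
}

/* What the corrected mount.cifs does before mounting or touching mtab: refuse
   and exit. The incomplete fix (CVE-2011-2724) printed the message but then
   mounted and updated mtab anyway. Hypothetical function name. */
int mount_cifs_precheck(const char *share, const char *dir)
{
    if (!mtab_field_is_safe(share) || !mtab_field_is_safe(dir)) {
        fprintf(stderr, "mount.cifs: newline in share name or mountpoint, refusing\n");
        return -1;
    }
    return 0;
}

/* Octal-escape the characters that would break an mtab line (space, tab,
   newline, backslash), mirroring glibc's addmntent after newline escaping was
   added for CVE-2010-0296. Reimplemented here; caller frees the result. */
char *mtab_encode(const char *s)
{
    char *out = malloc(strlen(s) * 4 + 1);
    char *p = out;
    if (!out)
        return NULL;
    for (; *s; s++) {
        switch (*s) {
        case ' ':  memcpy(p, "\\040", 4); p += 4; break;
        case '\t': memcpy(p, "\\011", 4); p += 4; break;
        case '\n': memcpy(p, "\\012", 4); p += 4; break;
        case '\\': memcpy(p, "\\134", 4); p += 4; break;
        default:   *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Format one mtab record "fsname dir type opts 0 0\n". With escape == 0 the
   fields go in raw (pre-fix behaviour); otherwise they are encoded first.
   Returns bytes written, or -1 on allocation failure or truncation. */
int mtab_format_line(char *buf, size_t bufsz, const char *fsname,
                     const char *dir, const char *type, const char *opts,
                     int escape)
{
    const char *f = fsname, *d = dir;
    char *ef = NULL, *ed = NULL;
    int n;
    if (escape) {
        ef = mtab_encode(fsname);
        ed = mtab_encode(dir);
        if (!ef || !ed) { free(ef); free(ed); return -1; }
        f = ef;
        d = ed;
    }
    n = snprintf(buf, bufsz, "%s %s %s %s 0 0\n", f, d, type, opts);
    free(ef);
    free(ed);
    return (n < 0 || (size_t)n >= bufsz) ? -1 : n;
}

/* Number of records a line-oriented reader such as getmntent() would see. */
int mtab_record_count(const char *buf)
{
    int n = 0;
    const char *p = buf;
    while (*p) {
        const char *nl = strchr(p, '\n');
        n++;
        if (!nl)
            break;
        p = nl + 1;
    }
    return n;
}

int main(void)
{
    /* Constructed attacker-controlled share name: a CIFS UNC path with an
       embedded newline followed by a fake record for a local block device. */
    const char *share = "//server/share\n/dev/sdb1 /mnt/victim ext3 rw 0 0";
    const char *dir = "/mnt/x";
    char line[512];

    mtab_format_line(line, sizeof line, share, dir, "cifs", "rw", 0);
    printf("unescaped: %d record(s)\n%s", mtab_record_count(line), line);
    mtab_format_line(line, sizeof line, share, dir, "cifs", "rw", 1);
    printf("escaped:   %d record(s)\n%s", mtab_record_count(line), line);

    /* The corrected mount.cifs never gets this far with such a share name. */
    return mount_cifs_precheck(share, dir) == 0 ? 0 : 1;
}
```

Either fix alone closes the hole on the write side: the check stops a setuid mount.cifs from ever handing the string to addmntent, and the escaping makes addmntent safe for any caller. The comment above explains why both matter: a mount.cifs that only prints the warning and continues still corrupts mtab on a system whose glibc lacks the escaping.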
This issue has been addressed in the following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Via RHSA-2011:1219 https://rhn.redhat.com/errata/RHSA-2011-1219.html