Bug 506996 (CVE-2009-1888) - CVE-2009-1888 Samba improper file access
Summary: CVE-2009-1888 Samba improper file access
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2009-1888
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 526658 526659 526660 526661 526663
Blocks:
TreeView+ depends on / blocked
 
Reported: 2009-06-19 17:55 UTC by Josh Bressers
Modified: 2021-11-12 19:58 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-11-19 15:01:47 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2009:1529 0 normal SHIPPED_LIVE Moderate: samba security update 2009-10-27 17:11:52 UTC
Red Hat Product Errata RHSA-2009:1585 0 normal SHIPPED_LIVE Moderate: samba3x security and bug fix update 2009-11-16 15:39:53 UTC

Description Josh Bressers 2009-06-19 17:55:03 UTC 
A flaw was found in in Samba that could allow an authenticated attacker to
modify permissions on a file they should not have access to. Exploiting this
flaw is not trivial and a very strict set of conditions must first be met.

The conditions that need to be met to exploit this are as such:
1. You must have write access to the share
2. the 'dos filemodes' option needs to be set (not by default)
3. the random in the sbuf variable must look like a valid stat (we check it in
   the code called by can_write_to_file())

The upstream patch is here:
http://git.samba.org/?p=samba.git;a=commitdiff;h=d6c28913f3109d1327a3d1369b6eafd3874b2dca
Comment 1 Vincent Danen 2009-06-25 12:18:04 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2009-1888 to
the following vulnerability:

Name: CVE-2009-1888
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1888
Assigned: 20090602
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.0.34-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.2.12-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/ftp/patches/security/samba-3.3.5-CVE-2009-1888.patch
Reference: CONFIRM: http://www.samba.org/samba/security/CVE-2009-1888.html
Reference: BID:35472
Reference: URL: http://www.securityfocus.com/bid/35472
Reference: SECUNIA:35539
Reference: URL: http://secunia.com/advisories/35539
Reference: VUPEN:ADV-2009-1664
Reference: URL: http://www.vupen.com/english/advisories/2009/1664

The acl_group_override function in smbd/posix_acls.c in smbd in Samba
3.0.x before 3.0.35, 3.1.x and 3.2.x before 3.2.13, and 3.3.x before
3.3.6, when dos filemode is enabled, allows remote attackers to modify
access control lists for files via vectors related to read access to
uninitialized memory.
Comment 2 Vincent Danen 2009-06-25 12:28:18 UTC 
The Red Hat Security Response Team has rated this issue as having low security impact, a future samba package update may address this flaw in Red Hat Enterprise Linux 4 and 5. More information regarding issue severity can be found here:

http://www.redhat.com/security/updates/classification/
Comment 8 errata-xmlrpc 2009-10-27 17:11:58 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 4
  Red Hat Enterprise Linux 5

Via RHSA-2009:1529 https://rhn.redhat.com/errata/RHSA-2009-1529.html
Comment 9 errata-xmlrpc 2009-11-16 15:39:59 UTC 
This issue has been addressed in following products:

  Extras for Red Hat Enterprise Linux 5

Via RHSA-2009:1585 https://rhn.redhat.com/errata/RHSA-2009-1585.html
Note You need to log in before you can comment on or make changes to this bug.