Bug 1691518 (CVE-2019-3880) - CVE-2019-3880 samba: save registry file outside share as unprivileged user
Summary: CVE-2019-3880 samba: save registry file outside share as unprivileged user
Status: NEW
Alias: CVE-2019-3880
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20190409,repor...
Keywords: Security
Depends On: 1696524 1696525 1696577 1697717
Blocks: 1691522
Reported: 2019-03-21 19:42 UTC by Laura Pardo
Modified: 2019-06-08 23:55 UTC (History)
A flaw was found in the way Samba implemented an RPC endpoint emulating the Windows registry service API. An unprivileged attacker could use this flaw to create a new registry hive file anywhere they have Unix permissions, which could lead to the creation of a new file in the Samba share.
External Trackers
Tracker: Samba Project
ID: 13851
Priority: None
Status: None
Summary: None
Last Updated: 2019-06-14 10:32 UTC

Description Laura Pardo 2019-03-21 19:42:44 UTC
As per samba upstream advisory:

Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winreg_SaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a new file within a Samba share. If they are able to create symlinks on a Samba share, they can create a new registry hive file anywhere they have write access, even outside a Samba share definition.

Note - existing share restrictions such as "read only" or share ACLs do *not* prevent new registry hive files being written to the filesystem. A file may be written under any share definition wherever the user has unix permissions to create a file.

Existing files cannot be overwritten using this vulnerability, only new registry hive files can be created, however the presence of existing files with a specific name can be detected.

Samba writes or detects the file as the authenticated user, not as root.

Comment 1 Laura Pardo 2019-03-21 19:45:14 UTC
Acknowledgments:

Name: Michael Hanselmann

Comment 2 Dave Baker 2019-03-27 20:05:19 UTC
openshift-online-3 does not provision samba endpoints.

Comment 5 Huzaifa S. Sidhpurwala 2019-04-05 06:00:45 UTC
Note: 

This affects not only Linux <> Windows configurations but may also affect Linux <> Linux configurations using Samba as RPC endpoints (since the winreg_SaveKey RPC call is also implemented on the client side).

Comment 7 Huzaifa S. Sidhpurwala 2019-04-05 06:07:45 UTC
Mitigation:

Either turn off SMB1 by setting the global parameter:
'min protocol = SMB2'
or, if SMB1 is required, turn off unix extensions by setting the global parameter:
'unix extensions = no'
in the smb.conf file.
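
An added example, not part of the bug report or of Samba's own code: a Python check of whether an smb.conf explicitly sets either mitigation from Comment 7 in its [global] section. The function names and sample configurations are constructed for illustration, and a parameter that is not set is assumed to leave the host unmitigated.

```python
import re

FALSE_VALUES = {"no", "false", "off", "0"}       # smb.conf spellings of boolean false
SYNONYMS = {"minprotocol": "serverminprotocol"}  # "min protocol" is a synonym

# Constructed sample configurations (not taken from any real host).
SAMPLE_EXPOSED = """
[global]
    workgroup = EXAMPLE
    server min protocol = NT1
[data]
    path = /srv/data
    read only = yes
"""
SAMPLE_SMB2_ONLY = "[global]\n  Min Protocol = SMB2\n"
SAMPLE_NO_UNIX_EXT = "[global]\n  min protocol = NT1\n  unix extensions = No\n"


def global_params(conf_text):
    """Parse [global] parameters; names are compared without case or whitespace,
    as smb.conf does. 'include' lines and backslash continuations are not followed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            key = re.sub(r"\s+", "", name).lower()
            params[SYNONYMS.get(key, key)] = value.strip()  # last setting wins
    return params


def mitigation_status(conf_text):
    """Report which mitigation from this bug is explicitly set in [global].
    Assumption: an unset parameter counts as not mitigated (defaults vary by version)."""
    p = global_params(conf_text)
    smb1_off = p.get("serverminprotocol", "").upper().startswith(("SMB2", "SMB3"))
    unix_ext_off = p.get("unixextensions", "").lower() in FALSE_VALUES
    return {"smb1_disabled": smb1_off, "unix_extensions_disabled": unix_ext_off,
            "mitigated": smb1_off or unix_ext_off}


if __name__ == "__main__":
    for name in ("SAMPLE_EXPOSED", "SAMPLE_SMB2_ONLY", "SAMPLE_NO_UNIX_EXT"):
        print(name, mitigation_status(globals()[name]))
```

The share-level "read only = yes" in the first sample is ignored on purpose: as the description notes, share restrictions do not prevent the write, so only the two global parameters count.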

Comment 11 Doran Moppert 2019-04-09 04:04:48 UTC
External References:

https://www.samba.org/samba/security/CVE-2019-3880.html

Comment 12 Doran Moppert 2019-04-09 04:05:08 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1697717]

Comment 13 Hardik Vyas 2019-04-09 06:04:04 UTC
Statement:

This issue affects the version of samba shipped with Red Hat Gluster Storage 3, as it contains the vulnerable functionality.

