1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Security Announcement Archive</title>
11 <H2>CVE-2019-3880.html:</H2>
15 ===========================================================
16 == Subject: Save registry file outside share as unprivileged user
18 == CVE ID#: CVE-2019-3880
20 == Versions: All versions of Samba since Samba 3.2.0
22 == Summary: Authenticated users with write permission
23 can trigger a symlink traversal to write
24 or detect files outside the Samba share.
25 ===========================================================
31 Samba contains an RPC endpoint emulating the Windows registry service
32 API. One of the requests, "winreg_SaveKey", is susceptible to a
33 path/symlink traversal vulnerability. Unprivileged users can use it to
34 create a new registry hive file anywhere they have unix permissions to
35 create a new file within a Samba share. If they are able to create
36 symlinks on a Samba share, they can create a new registry hive file
37 anywhere they have write access, even outside a Samba share
40 Note - existing share restrictions such as "read only" or share ACLs
41 do *not* prevent new registry hive files being written to the
42 filesystem. A file may be written under any share definition wherever
43 the user has unix permissions to create a file.
45 Existing files cannot be overwritten using this vulnerability, only
46 new registry hive files can be created, however the presence of
47 existing files with a specific name can be detected.
49 Samba writes or detects the file as the authenticated user, not as root.
55 Patches addressing both these issues have been posted to:
57 http://www.samba.org/samba/security/
59 Additionally, Samba 4.8.11, 4.9.6 and 4.10.2 have been issued as
60 security releases to correct the defect. Samba administrators are
61 advised to upgrade to these releases or apply the patch as soon as
68 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (6.3)
74 If the areas of the filesystem being exported by all share definitions
75 have no symlinks pointing outside the shared areas, the attacker can
76 only create new files inside the shared areas.
78 Is the server is exporting SMB1 shares, and the global parameter 'unix
79 extensions = yes' is set (the default value), then an attacker can
80 create symbolic links that point outside the share definitions to
81 allow registry hive files to be created wherever the symlink points to
82 (so long as no existing file is present).
84 Either turn off SMB1 by setting the global parameter:
88 or if SMB1 is required turn off unix extensions by setting the global
91 'unix extensions = no'
99 Originally reported by Michael Hanselmann.
101 Patches provided by Jeremy Allison of the Samba Team and Google.
102 Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
104 ==========================================================
105 == Our Code, Our Bugs, Our Responsibility.
107 ==========================================================