1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Security Announcement Archive</title>
11 <H2>CVE-2021-43566.html:</H2>
15 ===========================================================
16 == Subject: Symlink race error can allow directory creation
17 == outside of the exported share.
19 == CVE ID#: CVE-2021-43566
22 == Versions: All versions of the Samba file server prior to
25 == Summary: A malicious client can use a symlink race to
26 == create a directory in a part of the server file
27 == system not exported under the share definition.
28 == The user must have permissions to create the
29 == directory in the target directory.
30 ===========================================================
36 All versions of Samba prior to 4.13.16 are vulnerable to a malicious
37 client using an SMB1 or NFS symlink race to allow a directory to be
38 created in an area of the server file system not exported under the
39 share definition. Note that SMB1 has to be enabled, or the share
40 also available via NFS in order for this attack to succeed.
42 Clients that have write access to the exported part of the file system
43 under a share via SMB1 unix extensions or NFS can create symlinks that
44 can race the server by renaming an existing path and then replacing it
45 with a symlink. If the client wins the race it can cause the server to
46 create a directory under the new symlink target after the exported
47 share path check has been done. This new symlink target can point to
48 anywhere on the server file system. The authenticated user must have
49 permissions to create a directory under the target directory of the
52 This is a difficult race to win, but theoretically possible. Note that
53 the proof of concept code supplied wins the race only when the server
54 is slowed down and put under heavy load. Exploitation of this bug has
55 not been seen in the wild.
61 Patches addressing this issue has been posted to:
63 https://www.samba.org/samba/security/
65 Samba 4.13.16 has been issued as a security releases to correct the
66 defect. Samba administrators are advised to upgrade to this release as
73 CVSS:2.2/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N
77 =================================
78 Workaround and mitigating factors
79 =================================
81 Do not enable SMB1 (please note SMB1 is disabled by default in Samba
82 from version 4.11.0 and onwards). This prevents the creation of
83 symbolic links via SMB1. If SMB1 must be enabled for backwards
84 compatibility then add the parameter:
88 to the [global] section of your smb.conf and restart smbd. This
89 prevents SMB1 clients from creating symlinks on the exported file
92 However, if the same region of the file system is also exported using
93 NFS, NFS clients can create symlinks that potentially can also hit the
94 race condition. For non-patched versions of Samba we recommend only
95 exporting areas of the file system by either SMB2 or NFS, not both.
101 Reported by Michael Hanselmann of Google.
102 Jeremy Allison of Google and the Samba Team provided the fix.
104 ==========================================================
105 == Our Code, Our Bugs, Our Responsibility.
107 ==========================================================