Bug 1213171 (CVE-2023-34968)

Summary: VUL-0: CVE-2023-34968: samba: Spotlight server-side Share Path Disclosure
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Security Team bot <security-team>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: meissner, nopower, samba-maintainers, scabrero, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/371611/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-34968:5.3:(AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 11 Robert Frohl 2023-07-19 16:00:07 UTC 
===========================================================
== Subject:     Spotlight server-side Share Path Disclosure
==
== CVE ID#:     CVE-2023-34968
==
== Versions:    All versions of Samba prior to 4.18.5,
                4.17.10 and 4.16.11.
==
== Summary:     As part of the Spotlight protocol Samba
==              discloses the server-side absolute path of
==              shares and files and directories in search
==              results.
===========================================================

===========
Description
===========

As part of the Spotlight protocol, the initial request
returns a path associated with the sharename targeted by
the RPC request. Samba returns the real server-side share
path at this point, as well as returning the absolute
server-side path of results in search queries by clients.

Known server side paths could be used to mount subsequent
more serious security attacks or could disclose confidential
information that is part of the path.

To mitigate the issue, Samba will replace the real server-side
path with a fake path constructed from the sharename.

Important change in mdscli RPC library and mdsearch command
-----------------------------------------------------------

As the absolute paths starting with the sharename prefix are
not usable on the client side, the mdscli RPC library and
hence the mdsearch command will from now on report paths of
search results as relative paths relative to the root of the
SMB share.

Given a share

  [spotlight]
    path = /foo/bar
    spotlight = yes

and a file inside this share with a full server-side path of

  /foo/bar/dir/file

previously a search that matched this file would return the
absolute server-side path of the file

  /foo/bar/dir/file

which is now changed to

  dir/file

by this patchset.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.18.5, 4.17.10 and 4.16.11 have been issued
as security releases to correct the defect.  Samba administrators
are advised to upgrade to these releases or apply the patch as
soon as possible.

==================
CVSSv3 calculation
==================

CVSS 3.0: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (5.3)

==========
Workaround
==========

As a possible workaround disable Spotlight by removing all
configuration stanzas that enable Spotlight ("spotlight =
yes|true").

=======
Credits
=======

Originally reported by Ralph Boehme and Stefan Metzmacher
of SerNet and the Samba team.

Patches provided by Ralph Boehme of SerNet and the Samba
team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

https://www.samba.org/samba/security/CVE-2023-34968.html
Comment 12 Maintenance Automation 2023-07-19 20:35:15 UTC 
SUSE-SU-2023:2888-1: An update that solves four vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1213171, 1213172, 1213173, 1213174, 1213384
CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1
SUSE Linux Enterprise Server 12 SP5 (src): samba-4.15.13+git.621.c8ae836ff82-3.85.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 13 Maintenance Automation 2023-07-31 12:30:14 UTC 
SUSE-SU-2023:3060-1: An update that solves four vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1213171, 1213172, 1213173, 1213174, 1213384
CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968
Sources used:
SUSE Enterprise Storage 7.1 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise Micro for Rancher 5.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise Real Time 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Manager Proxy 4.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Manager Retail Branch Server 4.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5
SUSE Manager Server 4.2 (src): samba-4.15.13+git.663.9c654e06cdb-150300.3.57.5

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 14 Maintenance Automation 2023-07-31 16:30:12 UTC 
SUSE-SU-2023:3066-1: An update that solves four vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1213171, 1213172, 1213173, 1213174, 1213384
CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968
Sources used:
SUSE Enterprise Storage 7 (src): samba-4.13.13+git.643.8caa136952b-150200.3.26.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Samuel Cabrero 2023-08-29 07:15:07 UTC 
Reassigned to security team to close it.
Comment 18 Samuel Cabrero 2023-10-09 12:07:33 UTC 
All code streams submitted, reassign to security team to close it.
Comment 20 Maintenance Automation 2024-02-27 12:30:30 UTC 
SUSE-SU-2023:2929-1: An update that solves six vulnerabilities and has two security fixes can now be installed.

Category: security (important)
Bug References: 1212375, 1213170, 1213171, 1213172, 1213173, 1213174, 1213384, 1213386
CVE References: CVE-2020-25720, CVE-2022-2127, CVE-2023-3347, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968
Sources used:
openSUSE Leap 15.5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1
Basesystem Module 15-SP5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): samba-4.17.9+git.367.dae41ffdd1f-150500.3.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Maintenance Automation 2024-02-27 12:30:33 UTC 
SUSE-SU-2023:2930-1: An update that solves four vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1213171, 1213172, 1213173, 1213174, 1213384
CVE References: CVE-2022-2127, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968
Sources used:
openSUSE Leap 15.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
openSUSE Leap Micro 5.3 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
openSUSE Leap Micro 5.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
SUSE Linux Enterprise Micro 5.3 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
SUSE Linux Enterprise Micro 5.4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
Basesystem Module 15-SP4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): samba-4.15.13+git.663.9c654e06cdb-150400.3.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Andrea Mattiazzo 2024-06-12 07:32:16 UTC 
All done, closing.