Bug 1215904 (CVE-2023-4091)

Summary: VUL-0: CVE-2023-4091: samba: Client can truncate file with read-only permissions
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: SUSE Samba Team <samba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: gabriele.sonnu, meissner, nopower, stoyan.manolov
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/380666/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-4091:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 6 Marcus Meissner 2023-10-10 14:58:38 UTC 
https://www.samba.org/samba/security/CVE-2023-4091.html


CVE-2023-4091.html:

===========================================================
== Subject:     SMB clients can truncate files with
==              read-only permissions
==
== CVE ID#:     CVE-2023-4091
==
== Versions:    All Samba versions
==
== Summary:     SMB client can truncate files to 0 bytes
==              by opening files with OVERWRITE disposition
==              when using the acl_xattr Samba VFS module
==              with the smb.conf setting
==              "acl_xattr:ignore system acls = yes"
===========================================================

===========
Description
===========

The SMB protocol allows opening files where the client
requests read-only access, but then implicitly truncating
the opened file if the client specifies a separate OVERWRITE
create disposition.

This operation requires write access to the file, and in the
default Samba configuration the operating system kernel will
deny access to open a read-only file for read/write (which
the truncate operation requires).

However, when Samba has been configured to ignore kernel
file system permissions, Samba will truncate a file when the
underlying operating system kernel would deny the operation.

Affected Samba configurations are the ones where kernel
file-system permission checks are bypassed, relying on
Samba's own permission enforcement.  The error is that this
check is done against the client request for read-only
access, and not the implicitly requested read-write (for
truncate) one.

The widely used Samba VFS module "acl_xattr" when configured
with the module configuration parameter "acl_xattr:ignore
system acls = yes" is the only upstream Samba module that
allows this behavior and is the only known method of
reproducing this security flaw.

If (as is the default) the module configuration parameter
"acl_xattr:ignore system acls=no", then the Samba server is
not vulnerable to this attack.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have
been issued as security releases to correct the defect.
Samba administrators are advised to upgrade to these
releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Sri Nagasubramanian <snagasubramanian@nasuni.com>
from Nasuni.

Patches provided by Ralph Böhme of SerNet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 7 Maintenance Automation 2023-10-10 16:35:26 UTC 
SUSE-SU-2023:4040-1: An update that solves one vulnerability can now be installed.

Category: security (moderate)
Bug References: 1215904
CVE References: CVE-2023-4091
Sources used:
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1
SUSE Linux Enterprise Server 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-10-11 08:35:11 UTC 
SUSE-SU-2023:4046-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215904, 1215905, 1215906, 1215907, 1215908
CVE References: CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, CVE-2023-42670
Sources used:
openSUSE Leap 15.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
SUSE Linux Enterprise Micro 5.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
Basesystem Module 15-SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Maintenance Automation 2023-10-12 12:46:22 UTC 
SUSE-SU-2023:4059-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1213940, 1215904, 1215905, 1215908
CVE References: CVE-2023-4091, CVE-2023-4154, CVE-2023-42669
Sources used:
openSUSE Leap 15.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro 5.3 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro 5.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
Basesystem Module 15-SP4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Maintenance Automation 2023-10-17 16:30:18 UTC 
SUSE-SU-2023:4096-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215904, 1215905, 1215908
CVE References: CVE-2023-4091, CVE-2023-4154, CVE-2023-42669
Sources used:
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Manager Proxy 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Manager Retail Branch Server 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Manager Server 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Enterprise Storage 7.1 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.