Bug 1130703 - (CVE-2019-3870) VUL-1: CVE-2019-3870: samba: World writable files in Samba AD DC private/ dir
VUL-1: CVE-2019-3870: samba: World writable files in Samba AD DC private/ dir
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P4 - Low : Minor
: ---
Assigned To: Novell Samba Team
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2019-03-27 15:12 UTC by Marcus Meissner
Modified: 2019-07-21 15:44 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Description Marcus Meissner 2019-03-27 15:12:28 UTC

CRD: 2019-04-08


== Subject:     World writable files in Samba AD DC private/ dir
== CVE ID#:     CVE-2019-3870
== Versions:    Samba 4.9 and later
== Summary:     During the provision of a new Active Directory
                DC, some files in the private/ directory are
		created world-writable.


During the creation of a new Samba AD DC, files are created in a the
private/ subdirectory of our install location.  This directory is
typically mode 0700, that is owner (root) only access.  However in
some upgraded installations it will have other permissions, such as
0755, because this was the default before Samba 4.8.

Within this directory files are created with mode 0666,
that is world-writable, including a sample krb5.conf and the list of
DNS names and servicePrincipalName values to update.

Patch Availability

Patches addressing both these issues have been posted to:


Additionally, Samba 4.9.6 and 4.10.2 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation


This score is calculated based on modification to the dns_update_list or
spn_update_list files in a default configuration.

Administrators who rely on these files in other ways might have a higher score.
For example, the sample krb5.conf might be read as input to Kerberos tools or
used as the system-wide krb5.conf (potentially via a symlink).


Assuming Samba is installed in the default location as root run:

 chmod 0700 /usr/local/samba/private

The private directory can be found in the listing from
 smbd -b| grep PRIVATE_DIR


Originally reported by Björn Baumbach of SerNet.

Patches provided by Andrew Bartlett of the Samba team and Catalyst,
advisory written by Andrew Bartlett of the Samba Team and Catalyst.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
Comment 8 Marcus Meissner 2019-04-08 08:45:22 UTC
now public
Comment 9 Marcus Meissner 2019-07-21 15:44:28 UTC