Bug 1130703 – VUL-1: CVE-2019-3870: samba: World writable files in Samba AD DC private/ dir

Bug 1130703 - (CVE-2019-3870) VUL-1: CVE-2019-3870: samba: World writable files in Samba AD DC private/ dir

(CVE-2019-3870)
Summary:	VUL-1: CVE-2019-3870: samba: World writable files in Samba AD DC private/ dir

Status:	RESOLVED FIXED

Classification:	Novell Products
Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents
Version:	unspecified
Hardware:	Other Other

Priority:	P4 - Low Severity: Minor
Target Milestone:	---
Assigned To:	Novell Samba Team
QA Contact:	Security Team bot

URL:	https://smash.suse.de/issue/227196/
Whiteboard:
Keywords:

Depends on:
Blocks:
	Show dependency tree / graph

Create test case

Clone This Bug

Reported:	2019-03-27 15:12 UTC by Marcus Meissner
Modified:	2019-07-21 15:44 UTC (History)
CC List:	3 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Meissner 2019-03-27 15:12:28 UTC

CVE-2019-3870

CRD: 2019-04-08

https://bugzilla.samba.org/show_bug.cgi?id=13834

===========================================================
== Subject:     World writable files in Samba AD DC private/ dir
==
== CVE ID#:     CVE-2019-3870
==
== Versions:    Samba 4.9 and later
==
== Summary:     During the provision of a new Active Directory
                DC, some files in the private/ directory are
		created world-writable.
===========================================================

===========
Description
===========

During the creation of a new Samba AD DC, files are created in a the
private/ subdirectory of our install location.  This directory is
typically mode 0700, that is owner (root) only access.  However in
some upgraded installations it will have other permissions, such as
0755, because this was the default before Samba 4.8.

Within this directory files are created with mode 0666,
that is world-writable, including a sample krb5.conf and the list of
DNS names and servicePrincipalName values to update.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.9.6 and 4.10.2 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H

This score is calculated based on modification to the dns_update_list or
spn_update_list files in a default configuration.

Administrators who rely on these files in other ways might have a higher score.
For example, the sample krb5.conf might be read as input to Kerberos tools or
used as the system-wide krb5.conf (potentially via a symlink).

==========
Workaround
==========

Assuming Samba is installed in the default location as root run:

 chmod 0700 /usr/local/samba/private

The private directory can be found in the listing from
 smbd -b| grep PRIVATE_DIR

=======
Credits
=======

Originally reported by Björn Baumbach of SerNet.

Patches provided by Andrew Bartlett of the Samba team and Catalyst,
advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Comment 8 Marcus Meissner 2019-04-08 08:45:22 UTC

now public

Comment 9 Marcus Meissner 2019-07-21 15:44:28 UTC

done