Bug 1131060 (CVE-2019-3880) - VUL-0: CVE-2019-3880: samba: Save registry file outside share as unprivileged user in Samba 4.x
Status: RESOLVED FIXED
Alias: CVE-2019-3880
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: SUSE Samba Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/228474/
Whiteboard: CVSSv3:SUSE:CVE-2019-3880:5.4:(AV:N/A...
Reported: 2019-03-30 07:05 UTC by Marcus Meissner
Modified: 2020-06-09 11:39 UTC
Description Marcus Meissner 2019-03-30 07:05:35 UTC
EMBARGOED VIA samba vendor

CRD: 2019-04-08

https://bugzilla.samba.org/show_bug.cgi?id=13851

===========================================================
== Subject:     Save registry file outside share as unprivileged user
==
== CVE ID#:     CVE-2019-3880
==
== Versions:    All versions of Samba since Samba 3.2.0
==
== Summary:     Authenticated users with write permission
==              can trigger a symlink traversal to write
==              files outside the Samba share.
===========================================================

===========
Description
===========

Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, "winreg_SaveKey", is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.

Note - existing share restrictions such as "read only" or share ACLs
do *not* prevent new registry hive files being written to the
filesystem. A file may be written under any share definition wherever
the user has unix permissions to create a file.

Existing files cannot be overwritten using this vulnerability, only
new registry hive files can be created.

Samba writes the file as the authenticated user, not as root.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.11, 4.9.6 and 4.10.2 have been issued as
security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========
Workaround
==========

If the areas of the filesystem being exported by all share definitions
have no symlinks pointing outside the shared areas, the attacker can
only create new files inside the shared areas.

If the server is exporting SMB1 shares, and the global parameter 'unix
extensions = yes' is set (the default value), then an attacker can
create symbolic links that point outside the share definitions to
allow registry hive files to be created wherever the symlink points to
(so long as no existing file is present).

Either turn off SMB1 by setting the global parameter:

'min protocol = SMB2'

or if SMB1 is required turn off unix extensions by setting the global
parameter:

'unix extensions = no'

in the smb.conf file.

=======
Credits
=======

Originally reported by Michael Hanselmann.

Patches provided by Jeremy Allison of the Samba Team and Google.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
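
A defender-side check for the two conditions the Workaround section describes, added here as an example (it is not part of the advisory or of Samba): `smb1_symlinks_possible` reads the `[global]` section of an smb.conf text, and `escaping_symlinks` lists symlinks under a share path that resolve outside it. The function names, the constructed `SAMPLE_CONF`, and treating an unset `min protocol` as still permitting SMB1 are assumptions.

```python
import os
import re

# Constructed sample: SMB1 still allowed, "unix extensions" left at its default.
SAMPLE_CONF = "[global]\n  workgroup = EXAMPLE\n  server min protocol = NT1\n[data]\n  path = /srv/data\n"

def global_params(conf_text):
    """Return [global] parameters as {name without case/whitespace: value}."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def smb1_symlinks_possible(conf_text):
    """True when neither workaround from the advisory is configured."""
    p = global_params(conf_text)
    # Advisory: "unix extensions" defaults to yes, so only an explicit off counts.
    unix_ext_on = p.get("unixextensions", "yes").lower() not in {"no", "false", "off", "0"}
    # "min protocol" is a synonym of "server min protocol". Assumption: an unset
    # or unrecognised value is treated as still permitting SMB1.
    proto = p.get("serverminprotocol", p.get("minprotocol", "")).upper()
    smb1_on = not proto.startswith(("SMB2", "SMB3"))
    return unix_ext_on and smb1_on

def escaping_symlinks(share_root):
    """List (link, resolved target) for symlinks under share_root that leave it."""
    root = os.path.realpath(share_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                target = os.path.realpath(path)
                if os.path.commonpath([root, target]) != root:
                    found.append((path, target))
    return sorted(found)

if __name__ == "__main__":
    print("SMB1 symlink creation possible:", smb1_symlinks_possible(SAMPLE_CONF))
    for link, target in escaping_symlinks("."):
        print(f"{link} -> {target}")
```

The parser does not follow `include` directives or backslash line continuations, so run it on the effective configuration if the file uses them.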
Comment 1 Marcus Meissner 2019-04-01 13:09:29 UTC
CRD: 2019-04-08
Comment 4 Marcus Meissner 2019-04-08 08:44:49 UTC
now public
Comment 6 Swamp Workflow Management 2019-04-10 10:10:03 UTC
openSUSE-SU-2019:1180-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1114407,1124223,1125410,1126377,1131060,1131686
CVE References: CVE-2019-3880
Sources used:
openSUSE Leap 15.0 (src):    ldb-1.2.4-lp150.10.1, samba-4.7.11+git.153.b36ceaf2235-lp150.3.14.1

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-04-25 16:15:00 UTC
SUSE-SU-2019:1037-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1099590,1123755,1124223,1127153,1131060
CVE References: CVE-2019-3880
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Linux Enterprise Server 12-SP4 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Linux Enterprise Server 12-SP3 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Linux Enterprise High Availability 12-SP4 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Linux Enterprise Desktop 12-SP4 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    samba-4.6.16+git.154.2998451b912-3.40.3
SUSE Enterprise Storage 5 (src):    samba-4.6.16+git.154.2998451b912-3.40.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2019-04-25 22:10:19 UTC
SUSE-SU-2019:1040-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (important)
Bug References: 1114407,1124223,1125410,1126377,1131060,1131686
CVE References: CVE-2019-3880
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    avahi-0.6.32-5.5.3, samba-4.7.11+git.153.b36ceaf2235-4.27.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    avahi-0.6.32-5.5.3, avahi-glib2-0.6.32-5.5.8, gnutls-3.6.2-6.5.4, ldb-1.2.4-3.12.1, libnettle-3.4.1-4.9.1, samba-4.7.11+git.153.b36ceaf2235-4.27.1, tdb-1.3.15-3.6.3, tevent-0.9.36-4.10.3
SUSE Linux Enterprise Module for Development Tools 15 (src):    cups-2.2.7-3.11.7
SUSE Linux Enterprise Module for Desktop Applications 15 (src):    avahi-0.6.32-5.5.3, avahi-glib2-0.6.32-5.5.8, cups-2.2.7-3.11.7, gnutls-3.6.2-6.5.4, libnettle-3.4.1-4.9.1, libtasn1-4.13-4.2.1, p11-kit-0.23.2-4.2.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    avahi-0.6.32-5.5.3, avahi-glib2-0.6.32-5.5.8, cups-2.2.7-3.11.7, gamin-devel-0.1.10-3.2.3, gnutls-3.6.2-6.5.4, ldb-1.2.4-3.12.1, libnettle-3.4.1-4.9.1, libtasn1-4.13-4.2.1, p11-kit-0.23.2-4.2.1, samba-4.7.11+git.153.b36ceaf2235-4.27.1, talloc-2.1.11-3.5.3, talloc-man-2.1.11-3.5.3, tdb-1.3.15-3.6.3, tevent-0.9.36-4.10.3, tevent-man-0.9.36-4.10.3
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.153.b36ceaf2235-4.27.1
Comment 10 Swamp Workflow Management 2019-04-29 13:14:04 UTC
openSUSE-SU-2019:1292-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1099590,1123755,1124223,1127153,1131060
CVE References: CVE-2019-3880
Sources used:
openSUSE Leap 42.3 (src):    samba-4.6.16+git.154.2998451b912-27.1
Comment 11 Swamp Workflow Management 2019-05-08 19:12:14 UTC
SUSE-SU-2019:1195-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1106119,1131060
CVE References: CVE-2019-3880
Sources used:
SUSE OpenStack Cloud 7 (src):    samba-4.2.4-28.32.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    samba-4.2.4-28.32.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    samba-4.2.4-28.32.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    samba-4.2.4-28.32.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.2.4-28.32.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    samba-4.2.4-28.32.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-28.32.1
SUSE Enterprise Storage 4 (src):    samba-4.2.4-28.32.1
Comment 12 Swamp Workflow Management 2019-05-08 19:13:26 UTC
SUSE-SU-2019:1194-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1106119,1131060
CVE References: CVE-2019-3880
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.52.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.52.1
Comment 13 Marcus Meissner 2019-05-10 14:51:42 UTC
done
Comment 14 Swamp Workflow Management 2019-05-10 19:10:35 UTC
SUSE-SU-2019:14042-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1101499,1131060
CVE References: CVE-2019-3880
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    samba-3.6.3-94.19.2, samba-doc-3.6.3-94.19.2
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    samba-3.6.3-94.19.2, samba-doc-3.6.3-94.19.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-94.19.2
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-94.19.2
Comment 15 Swamp Workflow Management 2019-05-10 19:17:41 UTC
SUSE-SU-2019:1203-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1087481,1106119,1114459,1126463,1131060
CVE References: CVE-2019-3880
Sources used:
SUSE OpenStack Cloud 7 (src):    samba-4.4.2-38.25.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    samba-4.4.2-38.25.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    samba-4.4.2-38.25.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.4.2-38.25.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-38.25.1
SUSE Enterprise Storage 4 (src):    samba-4.4.2-38.25.1