Bug 1191227 - (CVE-2021-20316) VUL-1: CVE-2021-20316: samba: Symlink race error can allow metadata read and modify outside of the exported share
(CVE-2021-20316)
VUL-1: CVE-2021-20316: samba: Symlink race error can allow metadata read and ...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P4 - Low : Normal
: ---
Assigned To: Novell Samba Team
Security Team bot
https://smash.suse.de/issue/311509/
CVSSv3.1:SUSE:CVE-2021-20316:5.9:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-10-01 13:33 UTC by Marcus Meissner
Modified: 2022-06-21 11:36 UTC (History)
1 user (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Marcus Meissner 2021-10-28 08:38:00 UTC
CRD: 2022-01-10
Comment 5 Marcus Meissner 2022-01-10 15:11:38 UTC
public now

https://www.samba.org/samba/security/CVE-2021-20316.html


CVE-2021-20316.html:

===========================================================
== Subject:     Symlink race error can allow metadata read
==              and modify outside of the exported share.
==
== CVE ID#:     CVE-2021-20316
==
==
== Versions:    All versions of the Samba file server prior to
==              4.15.0
==
== Summary:     A malicious client can use a symlink race to
==              access or modify file or directory metadata
==              information outside of the exported share.
==              The user must have permissions to read or write
==              the metadata on the accessed file or directory.
===========================================================

===========
Description
===========

All versions of Samba prior to 4.15.0 are vulnerable to a malicious
client using an SMB1 or NFS symlink race to allow filesystem metadata
to be accessed in an area of the server file system not exported under
the share definition. Note that SMB1 has to be enabled, or the share
also available via NFS in order for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks that
can race the server by renaming an existing path and then replacing it
with a symlink. If the client wins the race it can cause the server to
read or modify file or directory metadata on the symlink target.

The authenticated user must have permissions to read or modify the
metadata of the target of the symlink in order to perform the
operation outside of the share.

Filesystem metadata includes such attributes as timestamps, extended
attributes, permissions, and ownership.

This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race only when the server
is slowed down and put under heavy load. Exploitation of this bug has
not been seen in the wild.

==================
Patch Availability
==================

Prior to Samba 4.15.0 patches for this are not possible, due to the
prior design of the Samba VFS layer which used pathname-based calls
for most meta-data operations.

A two and a half year effort was undertaken to completely re-write the
Samba VFS layer to stop use of pathname-based calls in all cases
involving reading and writing of metadata returned to the client.
This work has finally been completed in Samba 4.15.0.

Pathname-based VFS calls are still used as an initial optimization to
determine if a client requested path exists, but when data is returned
to the client or written onto the underlying filesystem then the
target component is first opened as a file handle, going through
rigourous checking to ensure it is contained within the share
path. All meta-data is then refreshed from or written to the open
handle, not via pathname-based VFS calls.

As all operations are now done on an open handle we believe that any
further symlink race conditions have been completely eliminated in
Samba 4.15.0 and all future versions of Samba.

==================
CVSSv3.1 calculation
==================

CVSS:7.4/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:X/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:N

base score of 5.9.

=================================
Workaround and mitigating factors
=================================

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.

However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.

=======
Credits
=======

Reported by Michael Hanselmann of Google.

The fix was a multi-year effort by Ralph Boehme of Sernet,
Jeremy Allison of Google and Noel Power of SuSE.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 9 Swamp Workflow Management 2022-02-01 20:23:26 UTC
openSUSE-SU-2022:0283-1: An update that solves 8 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048
CVE References: CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23329
Sources used:
openSUSE Leap 15.3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, krb5-mini-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, samba-4.15.4+git.324.8332acf1a63-150300.3.25.3, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, talloc-man-2.3.3-150300.3.3.1, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2, tevent-man-0.11.0-150300.3.3.1
Comment 10 Swamp Workflow Management 2022-02-01 20:42:41 UTC
SUSE-SU-2022:0283-1: An update that solves 8 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048
CVE References: CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23329
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.4+git.324.8332acf1a63-150300.3.25.3
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, samba-4.15.4+git.324.8332acf1a63-150300.3.25.3, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, talloc-man-2.3.3-150300.3.3.1, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2, tevent-man-0.11.0-150300.3.3.1
SUSE Linux Enterprise Micro 5.1 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.4+git.324.8332acf1a63-150300.3.25.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2022-02-03 20:18:21 UTC
SUSE-SU-2022:0323-1: An update that solves 6 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (critical)
Bug References: 1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048
CVE References: CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23330
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    apparmor-2.8.2-56.6.3, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9
SUSE Linux Enterprise Server 12-SP5 (src):    apparmor-2.8.2-56.6.3, ca-certificates-1_201403302107-15.3.3, gnutls-3.4.17-8.4.1, libnettle-3.1-21.3.2, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9, yast2-samba-client-3.1.23-3.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.4+git.324.8332acf1a63-3.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Marcus Meissner 2022-06-21 11:36:53 UTC
SUSE has fixed SUSE Linux Enterprise Server 15 SP3 and newer, and SUSE Linux Enterprise Server 12 SP5.

Older products / service packs will not be fixed, as this would require a very intrusive samba version update.