Bug 1193690 - (CVE-2021-44141) VUL-0: CVE-2021-44141: samba: Information leak via symlinks of existence of files or directories outside of the exported share
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Novell Samba Team
QA Contact: Security Team bot
https://smash.suse.de/issue/317284/
CVSSv3.1:SUSE:CVE-2021-44141:5.0:(AV:...
Reported: 2021-12-13 15:56 UTC by Robert Frohl
Modified: 2022-05-16 16:45 UTC (History)
Comment 5 Thomas Leroy 2021-12-29 16:25:57 UTC
This commit [0] introduced a better way to spot the bug. I can't say if versions prior to this commit are vulnerable, it is not very clear, but after this commit, the bug is easier to understand.
This commit was introduced in samba v4.2.0, which makes *at least* the following codestreams vulnerable:
- SUSE:SLE-12-SP1:Update 	4.2.4-28.39.1	
- SUSE:SLE-12-SP2:Update	4.4.2-38.42.1	
- SUSE:SLE-12-SP3:Update 	4.6.16+git.282.cfafed5922a-3.61.1	
- SUSE:SLE-12-SP5:Update	4.10.18+git.279.5c5879d939f-3.33.1	
- SUSE:SLE-15:Update 	n/a	
- SUSE:SLE-15-SP1:Update 	4.9.5+git.296.3dd62eee45e-3.32.1	
- SUSE:SLE-15-SP2:Update 	4.11.13+git.189.e9bd318cd13-4.11.1	
- SUSE:SLE-15-SP2:Update:Products:SES7:Update	4.13.6+git.211.555d60b24ba-3.9.1
- openSUSE:Factory
- openSUSE:Leap:15.2:Update (EOL by the time of the CRD)

Remaining: SUSE:SLE-11-SP1:Update and SUSE:SLE-11-SP3:Update, for which the bug is not obvious to recognize.

[0] 5b49fe24c906cbae12beff7a1b45de6809258cab
Comment 11 Marcus Meissner 2022-01-31 13:07:01 UTC
is public

https://www.samba.org/samba/security/CVE-2021-44141.html


CVE-2021-44141.html:

===========================================================
== Subject:     Information leak via symlinks of existence of
==              files or directories outside of the exported
==              share.
==
== CVE ID#:     CVE-2021-44141
==
==
== Versions:    All versions of the Samba file server prior to
==              4.15.5.
==
== Summary:     A client can use a symlink to discover if a named
==              file or directory exists on the filesystem outside of
==              the exported share. The user must have permissions
==              to query a symlink inside the exported share using
==              SMB1 with unix extensions turned on.
===========================================================

===========
Description
===========

All versions of Samba prior to 4.15.5 are vulnerable to a malicious
client using a server symlink to determine if a file or directory
exists in an area of the server file system not exported under the
share definition. SMB1 with unix extensions has to be enabled in order
for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or via NFS can create symlinks
that point to arbitrary files or directories on the server filesystem.

Clients can then use SMB1 unix extension information queries to
determine if the target of the symlink exists or not by examining
error codes returned from the smbd server. There is no ability to
access these files or directories, only to determine if they exist or
not.

If SMB1 is turned off and only SMB2 is used, or unix extensions are
not enabled then there is no way to discover if a symlink points to a
valid target or not via SMB2. For this reason, even if symlinks are
created via NFS, if the Samba server does not allow SMB1 with unix
extensions there is no way to exploit this bug.

Finding out what files or directories exist on a file server can help
attackers guess system user names or the exact operating system
release and applications running on the server hosting Samba which may
help mount further attacks.

SMB1 has been disabled on Samba since version 4.11.0 and
onwards. Exploitation of this bug has not been seen in the wild.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Samba version 4.15.5 has been issued as a security release to correct
the defect. Samba administrators are advised to upgrade to this
release as soon as possible. Due to the complexity of the fixes needed
for this problem, back ports to earlier Samba versions have not been
provided. For users of earlier Samba versions, please see the
"Workaround and mitigating factors" section of this document.

==================
CVSSv3.1 calculation
==================

CVSS:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:N/MA:N

base score of 4.2

=================================
Workaround and mitigating factors
=================================

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation or
querying of symbolic links via SMB1. If SMB1 must be enabled for
backwards compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating or reading symlinks on the
exported file system.

However, if the same region of the file system is also exported
allowing write access via NFS, NFS clients can create symlinks that
allow SMB1 with unix extensions clients to discover the existence of
the NFS created symlink targets.  For non-patched versions of Samba we
recommend only exporting areas of the file system by either SMB2 or
NFS, not both.

=======
Credits
=======

Reported by Stefan Behrens of 
Jeremy Allison of Google and the Samba Team provided the fix.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
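The advisory above reduces exploitability to two server-side conditions (smbd still accepts SMB1, and "unix extensions" is on) plus the caveat that NFS clients can plant the symlinks even when SMB1 clients cannot. The script below turns those statements into an audit an administrator can run against an smb.conf and a share directory. It is an added example, not code from the Samba Team or from this bug report: the smb.conf text and the share tree it builds are constructed for the demonstration, the version defaults encode only what the advisory states (SMB1 disabled by default from 4.11.0, "unix extensions" defaulting to yes), and the version comparison is deliberately labelled weak because distribution packages such as the 4.15.4+git builds listed in this bug carry the fix as a backport.

```python
"""Audit a Samba host for the CVE-2021-44141 preconditions.

Added example, not Samba project code.  Two checks:
  1. smb.conf: would smbd accept SMB1 unix-extension requests?  Requires
     SMB1 enabled ('server min protocol' at NT1 or below) AND
     'unix extensions' on.  Defaults per the advisory: SMB1 off from
     4.11.0 onward, on before; 'unix extensions' defaults to yes.
  2. filesystem: which symlinks under the share resolve outside it?
     Those are the links (planted via SMB1 unix extensions or NFS) whose
     query result leaks whether an unexported path exists.
"""
import configparser
import os
import re
import tempfile

# Dialects smbd treats as SMB1; SMB2_02 and above are SMB2/3.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
FIXED_VERSION = (4, 15, 5)   # first upstream release with the fix


def _version_tuple(version):
    # Accepts distro strings like "4.10.18+git.279.5c5879d939f"; only the
    # numeric prefix is used.
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % version)
    return tuple(int(x) for x in m.groups())


def parse_smb_conf(text):
    # Samba matches parameter names ignoring case and whitespace, so
    # "Unix Extensions" and "unixextensions" are the same key.
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = lambda key: "".join(key.split()).lower()
    cp.read_string(text)
    return cp


def _samba_bool(value):
    return value.strip().lower() in ("yes", "true", "1", "on")


def assess_config(conf_text, samba_version):
    """Return the advisory's preconditions as booleans."""
    cp = parse_smb_conf(conf_text)
    gname = next((s for s in cp.sections() if s.lower() == "global"), None)
    g = cp[gname] if gname else {}
    version = _version_tuple(samba_version)
    default_min = "NT1" if version < (4, 11, 0) else "SMB2_02"
    # "min protocol" is the documented synonym for "server min protocol".
    min_proto = g.get("serverminprotocol") or g.get("minprotocol") or default_min
    smb1 = min_proto.strip().upper() in SMB1_DIALECTS
    unix_ext = _samba_bool(g.get("unixextensions") or "yes")
    # The version test is only indicative: distro packages backport the fix
    # (this bug ships it in 4.15.4+git.324.*), so the config bits matter more.
    return {
        "smb1_enabled": smb1,
        "unix_extensions": unix_ext,
        "upstream_fixed": version >= FIXED_VERSION,
        "exploitable": smb1 and unix_ext and version < FIXED_VERSION,
    }


def escaping_symlinks(share_root):
    """Symlinks under share_root whose target resolves outside the share.

    Returns sorted (link path relative to share, raw target, target exists)
    tuples.  The third field is exactly the bit the bug leaks to a client.
    """
    root = os.path.realpath(share_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if not os.path.islink(link):
                continue
            target = os.path.realpath(link)  # non-strict: dangling links resolve too
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(link, root), os.readlink(link),
                              os.path.exists(link)))
    return sorted(found)


def demo():
    """Constructed smb.conf and share tree; nothing here is from a real host."""
    weak = """
[global]
    workgroup = WORKGROUP
    server min protocol = NT1
    unix extensions = yes
[data]
    path = /srv/samba/data
    read only = no
"""
    hardened = weak.replace("unix extensions = yes", "unix extensions = no")
    results = {
        "weak-4.10": assess_config(weak, "4.10.18+git.279.5c5879d939f"),
        "hardened-4.10": assess_config(hardened, "4.10.18+git.279.5c5879d939f"),
        "default-4.15.4": assess_config("[global]\n", "4.15.4"),
    }
    with tempfile.TemporaryDirectory() as tmp:
        share, outside = os.path.join(tmp, "share"), os.path.join(tmp, "outside")
        os.makedirs(share)
        os.makedirs(outside)
        open(os.path.join(outside, "secret"), "w").close()
        open(os.path.join(share, "report.txt"), "w").close()
        os.symlink("../outside/secret", os.path.join(share, "leak"))       # target exists
        os.symlink("../outside/missing", os.path.join(share, "dangling"))  # target missing
        os.symlink("report.txt", os.path.join(share, "inside"))            # stays in share
        results["escaping"] = escaping_symlinks(share)
    return results


if __name__ == "__main__":
    print(demo())
```

On a real host, feed `assess_config` the output of `testparm -s` rather than the raw file so that includes and per-share overrides are already resolved, and run `escaping_symlinks` against the `path` of every share that is also exported over NFS; the pairs it reports with `True` in the last field are the ones whose existence an SMB1 client could confirm.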
Comment 13 Swamp Workflow Management 2022-02-01 20:23:42 UTC
openSUSE-SU-2022:0283-1: An update that solves 8 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048
CVE References: CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23329
Sources used:
openSUSE Leap 15.3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, krb5-mini-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, samba-4.15.4+git.324.8332acf1a63-150300.3.25.3, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, talloc-man-2.3.3-150300.3.3.1, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2, tevent-man-0.11.0-150300.3.3.1
Comment 14 Swamp Workflow Management 2022-02-01 20:42:56 UTC
SUSE-SU-2022:0283-1: An update that solves 8 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (important)
Bug References: 1139519,1183572,1183574,1188571,1191227,1191532,1192684,1193690,1194859,1195048
CVE References: CVE-2020-27840,CVE-2021-20277,CVE-2021-20316,CVE-2021-36222,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23329
Sources used:
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.4+git.324.8332acf1a63-150300.3.25.3
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, samba-4.15.4+git.324.8332acf1a63-150300.3.25.3, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, talloc-man-2.3.3-150300.3.3.1, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2, tevent-man-0.11.0-150300.3.3.1
SUSE Linux Enterprise Micro 5.1 (src):    apparmor-2.13.6-150300.3.11.2, krb5-1.19.2-150300.8.3.2, ldb-2.4.1-150300.3.10.1, libapparmor-2.13.6-150300.3.11.1, sssd-1.16.1-150300.23.17.3, talloc-2.3.3-150300.3.3.2, tdb-1.4.4-150300.3.3.2, tevent-0.11.0-150300.3.3.2
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.4+git.324.8332acf1a63-150300.3.25.3

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 15 Swamp Workflow Management 2022-02-03 20:18:37 UTC
SUSE-SU-2022:0323-1: An update that solves 6 vulnerabilities, contains one feature and has 5 fixes is now available.

Category: security (critical)
Bug References: 1089938,1139519,1158916,1180064,1182058,1191227,1192684,1193533,1193690,1194859,1195048
CVE References: CVE-2020-29361,CVE-2021-20316,CVE-2021-43566,CVE-2021-44141,CVE-2021-44142,CVE-2022-0336
JIRA References: SLE-23330
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    apparmor-2.8.2-56.6.3, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9
SUSE Linux Enterprise Server 12-SP5 (src):    apparmor-2.8.2-56.6.3, ca-certificates-1_201403302107-15.3.3, gnutls-3.4.17-8.4.1, libnettle-3.1-21.3.2, p11-kit-0.23.2-8.3.2, samba-4.15.4+git.324.8332acf1a63-3.54.1, sssd-1.16.1-7.28.9, yast2-samba-client-3.1.23-3.3.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.4+git.324.8332acf1a63-3.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 16 Marcus Meissner 2022-02-14 08:06:31 UTC
done