Bugzilla – Bug 1215904
VUL-0: CVE-2023-4091: samba: Client can truncate file with read-only permissions
Last modified: 2023-11-13 14:40:03 UTC
https://www.samba.org/samba/security/CVE-2023-4091.html CVE-2023-4091.html: =========================================================== == Subject: SMB clients can truncate files with == read-only permissions == == CVE ID#: CVE-2023-4091 == == Versions: All Samba versions == == Summary: SMB client can truncate files to 0 bytes == by opening files with OVERWRITE disposition == when using the acl_xattr Samba VFS module == with the smb.conf setting == "acl_xattr:ignore system acls = yes" =========================================================== =========== Description =========== The SMB protocol allows opening files where the client requests read-only access, but then implicitly truncating the opened file if the client specifies a separate OVERWRITE create disposition. This operation requires write access to the file, and in the default Samba configuration the operating system kernel will deny access to open a read-only file for read/write (which the truncate operation requires). However, when Samba has been configured to ignore kernel file system permissions, Samba will truncate a file when the underlying operating system kernel would deny the operation. Affected Samba configurations are the ones where kernel file-system permission checks are bypassed, relying on Samba's own permission enforcement. The error is that this check is done against the client request for read-only access, and not the implicitly requested read-write (for truncate) one. The widely used Samba VFS module "acl_xattr" when configured with the module configuration parameter "acl_xattr:ignore system acls = yes" is the only upstream Samba module that allows this behavior and is the only known method of reproducing this security flaw. If (as is the default) the module configuration parameter "acl_xattr:ignore system acls=no", then the Samba server is not vulnerable to this attack. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba versions 4.19.1, 4.18.8 and 4.17.12 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N (6.5) ========== Workaround ========== None. ======= Credits ======= Originally reported by Sri Nagasubramanian <snagasubramanian@nasuni.com> from Nasuni. Patches provided by Ralph Böhme of SerNet and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
SUSE-SU-2023:4040-1: An update that solves one vulnerability can now be installed. Category: security (moderate) Bug References: 1215904 CVE References: CVE-2023-4091 Sources used: SUSE Linux Enterprise Software Development Kit 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1 SUSE Linux Enterprise High Performance Computing 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1 SUSE Linux Enterprise Server 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1 SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1 SUSE Linux Enterprise High Availability Extension 12 SP5 (src): samba-4.15.13+git.625.ac658f2f12-3.88.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4046-1: An update that solves five vulnerabilities can now be installed. Category: security (important) Bug References: 1215904, 1215905, 1215906, 1215907, 1215908 CVE References: CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, CVE-2023-42670 Sources used: openSUSE Leap 15.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1 SUSE Linux Enterprise Micro 5.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1 Basesystem Module 15-SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1 SUSE Linux Enterprise High Availability Extension 15 SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4059-1: An update that solves three vulnerabilities and has one security fix can now be installed. Category: security (important) Bug References: 1213940, 1215904, 1215905, 1215908 CVE References: CVE-2023-4091, CVE-2023-4154, CVE-2023-42669 Sources used: openSUSE Leap 15.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1 SUSE Linux Enterprise Micro 5.3 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1 SUSE Linux Enterprise Micro 5.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1 Basesystem Module 15-SP4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1 SUSE Linux Enterprise High Availability Extension 15 SP4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:4096-1: An update that solves three vulnerabilities can now be installed. Category: security (important) Bug References: 1215904, 1215905, 1215908 CVE References: CVE-2023-4091, CVE-2023-4154, CVE-2023-42669 Sources used: SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Manager Proxy 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Manager Retail Branch Server 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Manager Server 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Enterprise Storage 7.1 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Linux Enterprise High Availability Extension 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.