Bugzilla – Bug 1215907
VUL-0: CVE-2023-3961: samba: Unsanitized client pipe name passed to local_np_connect()
Last modified: 2023-11-13 14:40:09 UTC
https://www.samba.org/samba/security/CVE-2023-3961.html

============================================================
== Subject:     smbd allows client access to unix domain sockets
==              on the file system.
==
== CVE ID#:     CVE-2023-3961
==
== Versions:    All versions starting with 4.16.0
==
== Summary:     Unsanitized pipe names allow SMB clients to connect
==              as root to existing unix domain sockets on the
==              file system.
============================================================

===========
Description
===========

The SMB 1/2/3 protocols allow clients to connect to named pipes via the IPC$ (Inter-Process Communication) share for the process of inter-process communication between SMB clients and servers.

Since Samba 4.16.0, Samba internally connects client pipe names to unix domain sockets within a private directory, allowing clients to connect to services listening on those sockets. This is usually used to connect SMB clients to remote procedure call (RPC) services, such as SAMR, LSA, or SPOOLSS, which Samba starts on demand.

However, insufficient sanitization was done on the incoming client pipe name, meaning that a client sending a pipe name containing unix directory traversal characters (../) could cause Samba to connect to unix domain sockets outside of the private directory meant to restrict the services a client could connect to.

Samba connects to the unix domain sockets as root, meaning if a client could send a pipe name that resolved to an external service using an existing unix domain socket, the client would be able to connect to it without filesystem permissions restricting access. Depending on the service the client can connect to, the client may be able to trigger adverse events such as denial of service, crashing the service, or potentially compromising it.

There are no current known exploits for this bug.
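The defect above is a missing input check before the pipe name is joined onto the private socket directory. The following is an added illustration of the kind of allow-list check that closes it (written here as an example; it is not Samba's code, and the directory constant and function names are assumptions):

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed private socket directory; Samba's real path is configured, not this. */
#define NCALRPC_DIR "/var/lib/samba/private/ncalrpc"

/* Accept only a bare pipe name: non-empty, bounded, no '/' or '\\',
 * not "." or "..", and only characters from a conservative allow-list.
 * Rejecting separators up front makes "../" traversal impossible. */
bool pipe_name_is_safe(const char *name)
{
    if (name == NULL) return false;
    size_t len = strlen(name);
    if (len == 0 || len > 255) return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c == '/' || c == '\\') return false;            /* directory separators */
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') return false;
    }
    return true;
}

/* Build "<NCALRPC_DIR>/<pipe_name>". Returns -1 and leaves buf unset when
 * the name is rejected, so the caller never attempts a connect(). */
int build_np_socket_path(const char *pipe_name, char *buf, size_t buflen)
{
    if (!pipe_name_is_safe(pipe_name)) return -1;
    int n = snprintf(buf, buflen, "%s/%s", NCALRPC_DIR, pipe_name);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

/* Helper for checks: true if the name is accepted and resolves to expected. */
bool socket_path_equals(const char *pipe_name, const char *expected)
{
    char path[512];
    if (build_np_socket_path(pipe_name, path, sizeof(path)) != 0) return false;
    return strcmp(path, expected) == 0;
}

int main(void)
{
    /* Constructed sample names: two legitimate pipes, two traversal attempts. */
    const char *samples[] = {"samr", "lsarpc", "../../tmp/other.sock", "spoolss/../x"};
    char path[512];
    for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
        if (build_np_socket_path(samples[i], path, sizeof(path)) == 0)
            printf("accept %-24s -> %s\n", samples[i], path);
        else
            printf("reject %s\n", samples[i]);
    }
    return 0;
}
```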
==================
Patch Availability
==================

Patches addressing this issue have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8)

==========
Workaround
==========

None.

=======
Credits
=======

Originally discovered by Jeremy Allison of the Samba team and CIQ. Inc.
Patches provided by Jeremy Allison of the Samba team and CIQ. Inc.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
SUSE-SU-2023:4046-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215904, 1215905, 1215906, 1215907, 1215908
CVE References: CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, CVE-2023-42670

Sources used:
openSUSE Leap 15.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
SUSE Linux Enterprise Micro 5.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
Basesystem Module 15-SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.