Bug 1141267 - (CVE-2019-10197) VUL-0: CVE-2019-10197: samba: permissions check deny can allow user to escape from the share
VUL-0: CVE-2019-10197: samba: permissions check deny can allow user to escape...
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Other Other
: P3 - Medium : Major
: ---
Assigned To: James McDonough
Security Team bot
Depends on:
  Show dependency treegraph
Reported: 2019-07-12 08:46 UTC by Marcus Meissner
Modified: 2020-09-17 19:14 UTC (History)
6 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Alexandros Toptsoglou 2019-08-23 09:59:13 UTC
CRD: 2019-09-03
Comment 6 Marcus Meissner 2019-09-03 08:40:47 UTC
is public



== Subject:     Combination of parameters and permissions can allow user
==              to escape from the share path definition.
== CVE ID#:     CVE-2019-10197
== Versions:    All versions of Samba from 4.9.0 onwards.
== Summary:     Under certain parameter configurations, when an SMB
==              client accesses a network share and the user does not
==              have permission to access the share root directory,
==              it is possible for the user to escape from the share
==              to see the complete '/' filesystem. Unix permission
==              checks in the kernel are still enforced.


On a Samba SMB server for all versions of Samba from 4.9.0 clients are
able to escape outside the share root directory if certain
configuration parameters set in the smb.conf file.

The problem is reproducable if the 'wide links' option is explicitly
set to 'yes' and either 'unix extensions = no' or 'allow insecure wide
links = yes' is set in addition.

If a client has no permissions to enter the share root directory it
will get ACCESS_DENIED on the first request. However smbd has a cache
that remembers if it successfully changed to a directory. This cache
was not being reset on failure. The following SMB request will then
silently operate in the wrong directory instead of returning
ACCESS_DENIED. That directory is either the share root directory of a
different share the client was operating on successfully before or the
global root directory ('/') of the system.

The unix token (uid, gid, list of groups) is always correctly
impersonated before each operation, so the client is still restricted
by the unix permissions enfored by the kernel.

Patch Availability

A patch addressing this defect has been posted to:


Additionally, Samba 4.9.13, 4.10.8 and 4.11.0rc3 have been issued as
security releases to correct the defect. Patches against older Samba
versions may be available at https://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

CVSSv3 calculation

CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:H/RL:O/RC:C (8.7)


The following methods can be used as a mitigation (only one is

- Use the 'sharesec' tool to configure a security descriptor for the
  share that's at least as strict as the permissions on the share root

- Use the 'valid users' option to allow only users/groups which are
  able to enter the share root directory.

- Remove 'wide links = yes' if it's not really needed.

- In some situations it might be an option to use 'chmod a+x' on the
  share root directory, but you need to make sure that files and
  subdirectories are protected by stricter permissions. You may also
  want to 'chmod a-w' in order to prevent new top level files and
  directories, which may have less restrictive permissions.


This problem was found by Stefan Metzmacher of SerNet and the Samba

Patches provided by Ralph Böhme and Stefan Metzmacher of SerNet and
the Samba Team together with Jeremy Allison of Google and the Samba

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
Comment 8 Swamp Workflow Management 2019-09-16 22:10:38 UTC
openSUSE-SU-2019:2142-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1141267,1144059
CVE References: CVE-2019-10197
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.187.71edee57d5a-lp151.2.6.1
Comment 9 Marcus Meissner 2020-02-05 07:52:59 UTC
Comment 11 Swamp Workflow Management 2020-09-17 19:14:24 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.