Samba is a free re-implementation of the SMB (CIFS) file-sharing protocol. Besides acting as a file and print server for SMB clients, Samba also lets a Unix machine access the file system of a Windows machine.
Security researcher Stefan Metzmacher, together with the Samba Team, discovered a critical vulnerability (CVE-2019-10197) in Samba that allows a client to escape from the share root directory.
The flaw is in the cache smbd keeps of its current working directory. When a client connects to a share whose root directory its Unix identity is not permitted to enter, smbd fails to change into that directory and answers the request with ACCESS_DENIED, but it does not reset the cached directory. Subsequent SMB requests on the same connection are therefore resolved relative to wherever smbd was before the failed change: the global root directory, or the root directory of a different share that the same client had been using successfully. Those later requests are not refused with ACCESS_DENIED again, so the client escapes the share.
The flaw can only be exploited when ‘wide links = yes’ is set together with either ‘unix extensions = no’ or ‘allow insecure wide links = yes’ (with Unix extensions enabled and no such override, smbd does not honour wide links at all). Samba’s advisory notes that the kernel’s Unix permission checks still apply, so an escaped client can only reach files that its Unix identity could read or write anyway.
Affected versions: Samba 4.9.x before 4.9.13, 4.10.x before 4.10.8 and 4.11.x before 4.11.0rc3; those three releases contain the fix, and releases before 4.9.0 are not affected.
Impact: any user who can connect to the share but whose Unix permissions do not allow entering its root directory can escape the share and access directories outside it, such as the global root directory or the root of another share, within the bounds of the Unix permissions enforced by the kernel.
According to the vendor, any one of the following workarounds can be applied:
– Use the ‘sharesec’ tool to configure a security descriptor for the share that’s at least as strict as the permissions on the share root directory.
– Use the ‘valid users’ option to allow only users/groups which are able to enter the share root directory.
– Remove ‘wide links = yes’ if it is not really needed.
– In some situations it might be an option to use ‘chmod a+x’ on the share root directory, but you need to make sure that files and subdirectories are protected by stricter permissions. You may also want to ‘chmod a-w’ in order to prevent new top level files and directories, which may have less restrictive permissions.
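The option combination above and the third workaround (dropping ‘wide links = yes’) can be audited directly from smb.conf. The script below is an added example written for this page; it is not code from the Samba project or from the advisory. It parses an smb.conf the way smbd does for these three options (share settings override [global]; ‘unix extensions’ and ‘allow insecure wide links’ are global-only) and prints the shares on which ‘wide links’ is effectively on while either ‘unix extensions = no’ or ‘allow insecure wide links = yes’ is set. The three sample configurations, the share names and the ‘@staff’ group are constructed for the example. On a real server, ‘testparm -s’ shows the effective settings, and the script cannot see the third precondition, a share root directory that the connecting user is not allowed to enter.

```shell
#!/bin/sh
# Added example (not Samba project code): audit an smb.conf for the option
# combination that makes CVE-2019-10197 reachable, i.e. an effective
# 'wide links = yes' on a share together with either 'unix extensions = no'
# or 'allow insecure wide links = yes' in [global].
# Samba defaults assumed: wide links = no, unix extensions = yes,
# allow insecure wide links = no.

# Print the names of the shares in the smb.conf on stdin that meet the condition.
vulnerable_shares() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    function yes(v)  { return v == "yes" || v == "true" || v == "1" }
    BEGIN { sec = "" }
    /^[ \t]*[;#]/ || /^[ \t]*$/ { next }            # comments and blank lines
    /^[ \t]*\[/ {                                    # [section] header
        sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec)
        sec = tolower(trim(sec))
        if (sec != "global") order[++n] = sec
        next
    }
    /=/ {                                            # key = value
        eq  = index($0, "=")
        key = tolower(trim(substr($0, 1, eq - 1)))
        val = tolower(trim(substr($0, eq + 1)))
        opt[sec, key] = val
    }
    END {
        ue  = (("global", "unix extensions") in opt) ? opt["global", "unix extensions"] : "yes"
        aiw = (("global", "allow insecure wide links") in opt) ? opt["global", "allow insecure wide links"] : "no"
        gwl = (("global", "wide links") in opt) ? opt["global", "wide links"] : "no"
        for (i = 1; i <= n; i++) {
            s  = order[i]
            wl = ((s, "wide links") in opt) ? opt[s, "wide links"] : gwl   # share overrides global
            if (yes(wl) && (!yes(ue) || yes(aiw))) print s
        }
    }'
}

# Constructed sample configurations (not taken from a real server).
# Weak: [public] and [legacy] enable wide links while [global] turns off
# unix extensions; [safe] keeps the default (wide links = no).
CONF_UNIX_EXT_OFF='[global]
   workgroup = WORKGROUP
   unix extensions = no

[public]
   path = /srv/samba/public
   wide links = yes

[safe]
   path = /srv/samba/safe
   ; wide links is left at its default (no)

[legacy]
   path = /srv/samba/legacy
   wide links = yes'

# Weak: unix extensions stay on, but 'allow insecure wide links = yes'
# re-enables the combination that smbd would otherwise refuse; the global
# 'wide links = yes' is inherited by [data].
CONF_INSECURE_WIDE_LINKS='[global]
   allow insecure wide links = yes
   wide links = yes

[data]
   path = /srv/samba/data'

# Corrected: wide links removed from [public] (workaround 3) and the share
# limited to a group assumed able to enter its root directory (workaround 2,
# '@staff' is hypothetical). [archive] still says 'wide links = yes', but
# with unix extensions on and no insecure override smbd ignores it.
CONF_HARDENED='[global]
   unix extensions = yes

[public]
   path = /srv/samba/public
   wide links = no
   valid users = @staff

[archive]
   path = /srv/samba/archive
   wide links = yes'

if [ "$#" -gt 0 ]; then
    vulnerable_shares < "$1"                 # e.g. ./audit.sh /etc/samba/smb.conf
else
    for name in CONF_UNIX_EXT_OFF CONF_INSECURE_WIDE_LINKS CONF_HARDENED; do
        eval "conf=\$$name"
        printf '%s: %s\n' "$name" "$(printf '%s\n' "$conf" | vulnerable_shares | tr '\n' ' ')"
    done
fi
```

Run with no arguments to see the three samples evaluated, or pass the path of an smb.conf to audit it. Any share the script lists should then be checked for the remaining precondition: whether the Unix permissions on its root directory deny entry to some user who can connect, which is what workarounds 1, 2 and 4 address.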