ALERT: The Forbidden Samba Shares exposed (CVE-2019-10197)

Samba is a file share server that is a re-implementation of the SMB protocol. Apart from being a server for sharing files and printers, Samba can also be used to access the file system on a Windows machine from a Unix machine. A vulnerability management system can prevent these attacks.

A security researcher, Stefan Metzmacher, and the Samba Team, discovered a critical vulnerability (CVE-2019-10197) in Samba that could allow an attacker to escape outside the share root directory. A good vulnerability management tool can resolve these issues.

The flaw is present in the smbd cache, which does not clear the cache after a failure of a user to access the restricted directories on the share. The server returns a token ‘ACCESS_DENIED‘ when an unauthenticated user tries to access the share root directories. Though the access is restricted on the first request, the smbd cache is not reset.  This allows an attacker who sends subsequent SMB requests to escape the share and access the global root directories or root directories of a different share the client was operating on successfully. In this scenario, the server does not restrict access again with the ‘ACCESS_DENIED’ token.

This flaw can exploit only when the ‘wide links’ option is  yes and either ‘unix extensions = no’ or ‘allow insecure wide links = yes.’ Samba mentions in its advisory that the Unix permission checks in the kernel are intact and not affect by this vulnerability.

Samba version 4.9.x up to 4.9.13, samba 4.10.x up to 4.10.8 and samba 4.11.x up to 4.11.0rc3.

An unauthenticated user can access restricted folders, such as the share root directory on a Samba share server.

According to the vendor, any one of the workarounds can  apply,

Please refer to this KB Article to apply the Samba patch using SanerNow.