Security researchers discovered a year-old vulnerability in Samba software that could be exploited, under certain conditions, to bypass file-sharing permissions and access forbidden root shares paths.
“On a Samba SMB server for all versions of Samba from 4.9.0 clients are able to escape outside the share root directory if certain configuration parameters set in the smb.conf file.” reads the security advisory.
The flaw in Samba was introduced with the release of Samba 4.9.0 on September 13, 2018. In order to exploit the flaw it is necessary that the ‘wide links’ option in the Samba configuration file is turned on the target system. Other conditions that must be matched is to either allow insecure wide links or have the ‘unix extension‘ parameter set to ‘no.’
The vulnerability, tracked as CVE-2019-10197, stems from the failure to reset the cache that keeps track of successful directory changes.
“The problem is
In case of a failure in changing to a directory, it should reset the cache on failure recording the denied request. If this does not happen, the following SMB request will then silently operate in the wrong directory instead of returning ACCESS_DENIED.
The experts pointed out that the issue could allow access to the root directory of a different share the client accessed before or even the global root directory of the system.
The advisory highlights that the vulnerability does not affect the Unix permission checks in the kernel.
“The unix token (
The CVE-2019-10197 has been found by Stefan Metzmacher and the Samba Team, it has received a CVSS v3 score of 8.7.
In order to address the CVE-2019-10197 vulnerability,
Samba also provided the following mitigations in case it is not possible to apply the patches: