Security researchers discovered a year-old vulnerability in Samba software that could be exploited, under certain conditions, to bypass file-sharing permissions and access forbidden root shares paths.
“On a Samba SMB server for all versions of Samba from 4.9.0 clients are able to escape outside the share root directory if certain configuration parameters set in the smb.conf file.” reads the security advisory.
The flaw in Samba was introduced with the release of Samba 4.9.0 on September 13, 2018. In order to exploit the flaw it is necessary that the ‘wide links’ option in the Samba configuration file is turned on the target system. Other conditions that must be matched is to either allow insecure wide links or have the ‘unix extension‘ parameter set to ‘no.’
The vulnerability, tracked as CVE-2019-10197, stems from the failure to reset the cache that keeps track of successful directory changes.
“The problem is
In case of a failure in changing to a directory, it should reset the cache on failure recording the denied request. If this does not happen, the following SMB request will then silently operate in the wrong directory instead of returning ACCESS_DENIED.
The experts pointed out that the issue could allow access to the root directory of a different share the client accessed before or even the global root directory of the system.
The advisory highlights that the vulnerability does not affect the Unix permission checks in the kernel.
“The unix token (
The CVE-2019-10197 has been found by Stefan Metzmacher and the Samba Team, it has received a CVSS v3 score of 8.7.
In order to address the CVE-2019-10197 vulnerability,
Samba also provided the following mitigations in case it is not possible to apply the patches:
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.