Samba has released fixes for two security vulnerabilities in its software. The first is exploitable by anyone with filesystem access to an affected domain controller; the second by an authenticated remote user with write access to a share. Unpatched systems are exposed to both.
The first vulnerability, CVE-2019-3870, affects Samba 4.9 and later when running as an Active Directory (AD) Domain Controller (DC).
According to Samba, when a new AD DC is provisioned, some of the files written into the private/ subdirectory are created world-writable (mode 0666). Examples include the generated krb5.conf and the lists of DNS names and servicePrincipalName values that remain to be updated.
Samba also notes that in a default installation the private/ directory itself is mode 0700, so only its owner (root) can reach the files inside it, which limits the impact. Installations upgraded from older releases, however, may carry other permissions on that directory, such as 0755, the default before Samba 4.8; there the world-writable files can be modified by any local user.
Applying the patches corrects the permissions for future provisioning runs, so admins should update as soon as possible; the patches do not retroactively fix files that an existing installation has already created.
For existing installations, Samba advises running “chmod 0700 /usr/local/samba/private” to restrict the directory, and “chmod o-w /usr/local/samba/private/*” to strip the world-write bit from the files already in it (substitute your own private directory if your build uses a different path).
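The workaround above as an audit-and-fix script, added here as an illustration and not taken from the Samba advisory or the Samba project. It assumes a POSIX shell with find and chmod, takes the private directory as an argument rather than hard-coding /usr/local/samba/private, and builds a throwaway sample directory (constructed for the demonstration; the file names echo the advisory's examples) so it can be run offline:

```shell
#!/bin/sh
# Added example, not part of the Samba advisory or the Samba code base: audit a
# Samba AD DC private/ directory for the CVE-2019-3870 condition (world-writable
# files) and apply the advisory's workaround. The path is taken as an argument
# because /usr/local/samba/private is only the default for a source install.

# List every entry directly inside DIR that has the world-write bit set.
# Symlinks are skipped: on Linux their own mode bits are not meaningful.
list_world_writable() {
    find "$1" -mindepth 1 -maxdepth 1 ! -type l -perm -002
}

# Succeed (exit 0) only if DIR is exactly mode 0700, i.e. owner-only as the
# advisory expects; any group or other bit makes the files inside reachable.
dir_is_owner_only() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm 0700)" ]
}

# Apply the workaround from the advisory: owner-only directory, and the
# world-write bit removed from everything inside it. Prints each fixed entry.
# Unlike "chmod o-w DIR/*", find also catches dotfiles and ignores symlinks.
fix_private_dir() {
    chmod 0700 "$1" || return 1
    list_world_writable "$1" | while IFS= read -r entry; do
        chmod o-w "$entry" && printf 'fixed: %s\n' "$entry"
    done
}

# Build a throwaway directory that mimics a freshly provisioned DC's private/
# (constructed sample for the demonstration: the names follow the advisory's
# examples, the contents are empty). Prints the directory path.
make_sample_private_dir() {
    d=$(mktemp -d) || return 1
    chmod 0755 "$d"                    # the pre-4.8 default mentioned above
    for name in krb5.conf dns_update_list spn_update_list; do
        : > "$d/$name"
        chmod 0666 "$d/$name"          # the vulnerable mode
    done
    : > "$d/secrets.ldb"
    chmod 0600 "$d/secrets.ldb"        # correctly restricted, must be left alone
    printf '%s\n' "$d"
}

# Usage: sh samba_private_audit.sh /path/to/samba/private
# Reports the world-writable entries, fixes them, and confirms the directory mode.
if [ $# -eq 1 ]; then
    echo "world-writable entries in $1:"
    list_world_writable "$1"
    fix_private_dir "$1"
    dir_is_owner_only "$1" && echo "$1 is now owner-only"
fi
```

Run it against the real directory only on the DC itself and as root; the find-based check is stricter than the advisory's glob because it also covers dotfiles, and the exact 0700 test will flag an upgraded installation that still sits at 0755.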
The second vulnerability, CVE-2019-3880, affects all versions of Samba since 3.2.0. An authenticated user with write permission on a share can trigger a symlink traversal to write, or detect the presence of, files outside that share.
An excerpt from the Samba security advisory describing the symlink traversal:
“Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, ‘winreg_SaveKey’, is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a new file within a Samba share. If they are able to create symlinks on a Samba share, they can create a new registry hive file anywhere they have write access, even outside a Samba share definition.”
Both vulnerabilities carry a CVSS 3.0 base score just over 6 (10 being the highest possible).