ALERT: The Forbidden Samba Shares exposed (CVE-2019-10197)


Samba Vulnerability
CVE-2019-10197


Samba is a file-sharing server that re-implements the SMB protocol. Apart from serving files and printers, Samba can also be used to access the file system of a Windows machine from a Unix machine. A vulnerability management system can prevent these attacks.

Security researcher Stefan Metzmacher and the Samba Team discovered a critical vulnerability (CVE-2019-10197) in Samba that could allow an attacker to escape the share root directory. A good vulnerability management tool can resolve these issues.

The flaw lies in an smbd cache that is not cleared after a user fails to access a restricted directory on the share. When an unauthenticated user tries to access the share root directory, the server returns ‘ACCESS_DENIED’. Although access is refused on that first request, the smbd cache is not reset, so an attacker who sends subsequent SMB requests can escape the share and reach the global root directory or the root directory of a different share that the client had successfully been using. In this scenario the server does not refuse access again with ‘ACCESS_DENIED’.

This flaw can be exploited only when the ‘wide links’ option is set to yes and either ‘unix extensions = no’ or ‘allow insecure wide links = yes’ is configured. Samba notes in its advisory that the Unix permission checks in the kernel remain intact and are not affected by this vulnerability.


Affected Products

Samba 4.9.x up to 4.9.13, Samba 4.10.x up to 4.10.8 and Samba 4.11.x up to 4.11.0rc3.


Impact:

An unauthenticated user can access restricted folders, such as the share root directory on a Samba share server.


Workaround for CVE-2019-10197:

According to the vendor, any one of the following workarounds can be applied:

– Use the ‘sharesec’ tool to configure a security descriptor for the share that’s at least as strict as the permissions on the share root directory.

– Use the ‘valid users’ option to allow only users/groups that are able to enter the share root directory.

– Remove ‘wide links = yes’ if it is not really needed.

– In some situations it might be an option to use ‘chmod a+x’ on the share root directory, but you need to make sure that files and subdirectories are protected by stricter permissions. You may also want to ‘chmod a-w’ in order to prevent new top level files and directories, which may have less restrictive permissions.
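Whether the precondition for this flaw actually holds on a given server can be checked from its configuration. The following is an added example, not code from the Samba advisory or from SanerNow: a small Python audit that applies Samba's rule that ‘wide links’ only takes effect when ‘unix extensions = no’ or ‘allow insecure wide links = yes’, run over a constructed sample smb.conf. It assumes plain key = value lines only (no ‘include’ or ‘config file’ directives).

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
PARAM_RE = re.compile(r"^\s*([^=;#]+?)\s*=\s*(.*?)\s*$")
# Samba defaults for the three parameters that decide the CVE-2019-10197 precondition.
DEFAULTS = {"wide links": "no", "unix extensions": "yes", "allow insecure wide links": "no"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; keys lowercased with single spaces."""
    sections, current = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip()[0] in ";#":
            continue  # blank line or full-line comment
        if (m := SECTION_RE.match(line)):
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
        elif (m := PARAM_RE.match(line)) and current is not None:
            sections[current][" ".join(m.group(1).lower().split())] = m.group(2)
    return sections

def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")

def shares_with_wide_links(text):
    """Names of shares on which 'wide links' is actually in effect."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    # Only the [global] values of these two options count.
    unix_ext = is_true(g.get("unix extensions", DEFAULTS["unix extensions"]))
    insecure = is_true(g.get("allow insecure wide links", DEFAULTS["allow insecure wide links"]))
    if unix_ext and not insecure:
        return []  # Samba forces 'wide links = no' here, so the flaw is not reachable
    return sorted(name for name, params in conf.items() if name != "global"
                  and is_true(params.get("wide links", g.get("wide links", DEFAULTS["wide links"]))))

# Constructed sample smb.conf: the weak share beside a corrected one.
SAMPLE = """\
[global]
   unix extensions = no

[projects]
   path = /srv/projects
   wide links = yes

[hardened]
   path = /srv/hardened
   wide links = no
   valid users = @projects
"""

if __name__ == "__main__":
    print(shares_with_wide_links(SAMPLE))  # -> ['projects']
```

On a live server, feed the function the output of `testparm -s`, which expands includes and prints the effective configuration.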


Solution:

Please refer to this KB Article to apply the Samba patch using SanerNow.