CVE-2023-3961: Path Traversal Vulnerability in Samba Leaves Services Exposed to Unauthorized Access

A recently discovered path traversal vulnerability (CVE-2023-3961) in Samba could potentially leave SMB clients connecting as root to Unix domain sockets outside the intended private directory. This vulnerability could lead to unauthorized access to services, compromise, and service crashes. In this post, we'll delve into the following components surrounding the vulnerability:

Vulnerability Description

The vulnerability was found when processing client pipe names connecting to Unix domain sockets within a private directory. Samba uses this mechanism to connect SMB clients to remote procedure call (RPC) services like SAMR, LSA, or SPOOLSS, which Samba initiates on demand. This vulnerability stems from inadequate sanitization of incoming client pipe names, allowing malicious clients to send a pipe name containing Unix directory traversal characters (../) and subsequently connect to Unix domain sockets outside the private directory.

Potential Impact

If an attacker or client manages to send a pipe name resolving to an external service using an existing Unix domain socket, it could lead to unauthorized access to the entire service and consequential adverse events, including compromise and service crashes. Given the extent of Samba's usage, the impact of this vulnerability could be widespread.

The following code snippet demonstrates the vulnerability

// Vulnerable code in "samba/source3/rpc_server/rpc_named_pipes.c"
STATIC bool is_pipe_a_unix_domain_socket(const char *pipe_name)
{
    char *path = NULL;
    bool ret = false;
    char query_string[] = "../"; // Unix directory traversal characters

    // pipe_name can be injected with directory traversal characters
    asprintf(&path, "%s/%s" PRIVATE_DIR_SUFFUX, lp_parm_string(-1, "state directory"), pipe_name);

    // Check if resulting path is a unix domain socket
    if (is_unix_domain_socket(path, query_string)) {
        ret = true;
    }
    SAFE_FREE(path);
    return ret;
}

Remediation Steps

To remediate this vulnerability, it is recommended to patch your Samba installation to the latest version or apply the appropriate patch provided by the vendor. Ensure that proper sanitization of input is implemented to prevent directory traversal attacks.

In addition, it is essential to restrict access privileges to Unix domain sockets, ensuring that only authorized users and processes can access them.

For more information on remediation, please refer to the vendor's security advisory.

References

1. Samba Security Announcement: CVE-2023-3961
2. Samba Patch Files: samba-patches.zip
3. Vendor Security Advisory: Samba Advisory

Timeline

Published on: 11/03/2023 13:15:08 UTC
Last modified on: 11/24/2023 09:15:08 UTC