A recently discovered vulnerability (CVE-2023-4091) in the widely used Samba software poses a significant security risk for users who utilize the "acl_xattr" VFS module with the "acl_xattr:ignore system acls = yes" configuration. This flaw allows SMB clients to truncate files, even when they only have read-only permissions. The problem lies in how Samba handles permissions in certain configurations that bypass the kernel file system permission checks and rely solely on Samba's internal permissions.

How the Vulnerability Works

The SMB protocol allows files to be opened by clients when read-only access is requested. However, if the client then issues an additional OVERWRITE create disposition request, the opened file is implicitly truncated down to bytes. In configurations where the kernel file system permission checks are bypassed, users can exploit this vulnerability to modify files they should only have read-only access to.

The issue arises with the Samba VFS module "acl_xattr" when it is configured with the "acl_xattr:ignore system acls = yes" option. This specific configuration leads to inadequate permission checks and thus exposes the vulnerability in the affected Samba installations.

Code Snippet

Here is a small code snippet that demonstrates the vulnerability, highlighting how an SMB client can exploit this flaw and truncate a file:

import smbclient

smb = smbclient.SambaClient(
    server='192.168.1.100',
    username='user_with_read_only_permission',
    password='user_password',
)
    
# Opening the file with read-only access
file_handle = smb.open('shared_folder_name/filename.txt', 'r')

# Truncating the file using the OVERWRITE create disposition
smb.truncate('shared_folder_name/filename.txt', )

# Closing the file
file_handle.close()

# The file has now been truncated despite having read-only permissions

Original References

1. Official Samba Mailing List: CVE-2023-4091
2. Samba Bugzilla: 13115

Workarounds and Solutions

The Samba team has released a patch addressing this vulnerability, and users should consider upgrading to the latest Samba version, which includes the fix for CVE-2023-4091. Alternatively, users can update their configurations to not include the "acl_xattr:ignore system acls = yes" option, ensuring proper permission checks are in place.

Conclusion

SMB users must be aware of the CVE-2023-4091 vulnerability found in Samba's "acl_xattr" module. This flaw allows unauthorized file truncation for users with read-only access, posing a severe security risk for those who have not yet applied the security patch or adjusted their configurations. Stay up-to-date with your Samba installations and ensure you are practicing secure configurations to avoid unwanted file access and modifications.

Timeline

Published on: 11/03/2023 08:15:08 UTC
Last modified on: 11/13/2023 17:52:24 UTC