CVE-2015-5252
published 2015-12-29
CVE-2015-5252: vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist…
Priority P3 · 51 · high · 7.2 CVSS 3.1
AV:N / AC:L / PR:N / UI:N / S:C / C:L / I:L / A:N
EPSS 13.27% (95.9th percentile)
vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | samba | < samba 2:4.1.22+dfsg-1 (bookworm) | samba 2:4.1.22+dfsg-1 (bookworm) |
| samba | samba | >= 0 < 2:4.1.22+dfsg-1 | 2:4.1.22+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.22+dfsg-1 | 2:4.1.22+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.22+dfsg-1 | 2:4.1.22+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.22+dfsg-1 | 2:4.1.22+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.6+dfsg-1ubuntu2.14.04.11 | 2:4.1.6+dfsg-1ubuntu2.14.04.11 |
| samba | samba | >= 0 < 2:4.1.6+dfsg-1ubuntu2.14.04.12 | 2:4.1.6+dfsg-1ubuntu2.14.04.12 |
| samba | samba | >= 3.0.0 < 4.1.22 | 4.1.22 |
| samba | samba | >= 4.2.0 < 4.2.7 | 4.2.7 |
| samba | samba | >= 4.3.0 < 4.3.3 | 4.3.3 |
CVSS provenance
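| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.2 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
| osv | | 7.2 | HIGH | |
| vendor_debian | | 7.2 | HIGH | |
| vendor_redhat | | 7.2 | HIGH | |
| vendor_ubuntu | | 5.3 | MEDIUM | |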
Ubuntu
Samba regression
vendor_ubuntu·2016-02-16·CVSS 5.3
CVE-2015-5252 [MEDIUM] Samba regression
Title: Samba regression
Summary: USN-2855-1 introduced a regression in Samba.
USN-2855-1 fixed vulnerabilities in Samba. The upstream fix for
CVE-2015-5252 introduced a regression in certain specific environments.
This update fixes the problem.
Original advisory details:
Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled
certain packets. A remote attacker could use this issue to cause the LDAP
server to stop responding, resulting in a denial of service. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10.
(CVE-2015-3223)
Jan Kasprzak discovered that Samba incorrectly handled certain symlinks. A
remote attacker could use this issue to access files outside the exported
share path. (CVE-2015-5252)
Stefan Metzmacher discovered that Samba did
Ubuntu
Samba vulnerabilities
vendor_ubuntu·2016-01-05·CVSS 5.3
CVE-2015-3223 [MEDIUM] Samba vulnerabilities
Title: Samba vulnerabilities
Summary: Several security issues were fixed in Samba.
Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled
certain packets. A remote attacker could use this issue to cause the LDAP
server to stop responding, resulting in a denial of service. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10.
(CVE-2015-3223)
Jan Kasprzak discovered that Samba incorrectly handled certain symlinks. A
remote attacker could use this issue to access files outside the exported
share path. (CVE-2015-5252)
Stefan Metzmacher discovered that Samba did not enforce signing when
creating encrypted connections. If a remote attacker were able to perform a
machine-in-the-middle attack, this flaw could be exploited to view sensitive
information.
Red Hat
samba: Insufficient symlink verification in smbd
vendor_redhat·2015-12-16·CVSS 7.2
CVE-2015-5252 [HIGH] CWE-41 samba: Insufficient symlink verification in smbd
vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.
An access flaw was found in the way Samba verified symbolic links when creating new files on a Samba share. A remote attacker could exploit this flaw to gain access to files outside of Samba's share path.
Package: samba (Red Hat Enterprise Linux 5) - Will not fix
Package: samba3x (Red Hat Enterprise Linux 5) - Will not fix
Debian
CVE-2015-5252: samba - vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x ...
vendor_debian·2015·CVSS 7.2
CVE-2015-5252 [HIGH] CVE-2015-5252: samba - vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x ...
vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.
Scope: local
bookworm: resolved (fixed in 2:4.1.22+dfsg-1)
bullseye: resolved (fixed in 2:4.1.22+dfsg-1)
forky: resolved (fixed in 2:4.1.22+dfsg-1)
sid: resolved (fixed in 2:4.1.22+dfsg-1)
trixie: resolved (fixed in 2:4.1.22+dfsg-1)
GHSA
GHSA-v8hr-9qpr-jrwc: vfs
ghsa_unreviewed·2022-05-17
CVE-2015-5252 [HIGH] GHSA-v8hr-9qpr-jrwc: vfs
vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.
OSV
samba regression
osv·2016-02-16·CVSS 5.3
CVE-2015-5252 [MEDIUM] samba regression
USN-2855-1 fixed vulnerabilities in Samba. The upstream fix for
CVE-2015-5252 introduced a regression in certain specific environments.
This update fixes the problem.
Original advisory details:
Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled
certain packets. A remote attacker could use this issue to cause the LDAP
server to stop responding, resulting in a denial of service. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10.
(CVE-2015-3223)
Jan Kasprzak discovered that Samba incorrectly handled certain symlinks. A
remote attacker could use this issue to access files outside the exported
share path. (CVE-2015-5252)
Stefan Metzmacher discovered that Samba did not enforce signing when
creating encrypted connections. If a
OSV
samba vulnerabilities
osv·2016-01-05·CVSS 5.3
CVE-2015-3223 [MEDIUM] samba vulnerabilities
Thilo Uttendorfer discovered that the Samba LDAP server incorrectly handled
certain packets. A remote attacker could use this issue to cause the LDAP
server to stop responding, resulting in a denial of service. This issue
only affected Ubuntu 14.04 LTS, Ubuntu 15.04 and Ubuntu 15.10.
(CVE-2015-3223)
Jan Kasprzak discovered that Samba incorrectly handled certain symlinks. A
remote attacker could use this issue to access files outside the exported
share path. (CVE-2015-5252)
Stefan Metzmacher discovered that Samba did not enforce signing when
creating encrypted connections. If a remote attacker were able to perform a
machine-in-the-middle attack, this flaw could be exploited to view sensitive
information. (CVE-2015-5296)
It was discovered that Samba incorrectly perf
OSV
CVE-2015-5252: vfs
osv·2015-12-29·CVSS 7.2
CVE-2015-5252 [HIGH] CVE-2015-5252: vfs
vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-5299 CVE-2015-7540 CVE-2015-3223 CVE-2015-5252 CVE-2015-5296 samba: various flaws [fedora-all]
bugzilla·2015-12-16·CVSS 5.3
CVE-2015-5299 [MEDIUM] CVE-2015-5299 CVE-2015-7540 CVE-2015-3223 CVE-2015-5252 CVE-2015-5296 samba: various flaws [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multi
Bugzilla
CVE-2015-5252 samba: Insufficient symlink verification in smbd
bugzilla·2015-12-10·CVSS 7.2
CVE-2015-5252 [HIGH] CVE-2015-5252 samba: Insufficient symlink verification in smbd
As per samba upstream advisory:
All versions of Samba from 3.0.0 to 4.3.2 inclusive are vulnerable to a bug in symlink verification, which under certain circumstances could allow client access to files outside the exported share path.
If a Samba share is configured with a path that shares a common path prefix with another directory on the file system, the smbd daemon may allow the client to follow a symlink pointing to a file or directory in that other directory, even if the share parameter "wide links" is
set to "no" (the default).
For example, given two directories on the file system:
/share/
/share1/
If a Samba share is created as follows:
[sharename]
path = /share
wide links = no
Then a symlink with the path
/sha
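The common-prefix condition described in the advisory above, shown as an added C illustration (not Samba's code and not part of the original advisory): a containment check that compares only the string prefix, next to one that requires the match to end on a path-component boundary. The function names are hypothetical, and both functions assume absolute, already-canonicalised paths with symlinks resolved.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Flawed check: pure string-prefix comparison, so "/share1/x" passes for
 * root "/share". Kept only to show the failure mode. */
bool within_share_prefix_only(const char *root, const char *resolved)
{
    return strncmp(resolved, root, strlen(root)) == 0;
}

/* Corrected check: the prefix must end on a path-component boundary.
 * Assumption: both arguments are absolute, canonical paths (for example
 * the output of realpath(3)), so no "..", "." or symlinks remain. */
bool within_share(const char *root, const char *resolved)
{
    size_t n = strlen(root);

    /* Ignore trailing slashes on the root, but keep "/" itself. */
    while (n > 1 && root[n - 1] == '/')
        n--;
    if (strncmp(resolved, root, n) != 0)
        return false;
    if (n == 1 && root[0] == '/')
        return true;                  /* share root is "/" */
    /* The next character must close the component or end the path. */
    return resolved[n] == '\0' || resolved[n] == '/';
}

int main(void)
{
    /* Constructed sample: share root and resolved symlink targets. */
    const char *root = "/share";
    const char *targets[] = { "/share", "/share/docs/a.txt",
                              "/share1/secret.txt", "/shared" };

    for (size_t i = 0; i < sizeof targets / sizeof targets[0]; i++)
        printf("%-22s prefix-only=%d boundary=%d\n", targets[i],
               within_share_prefix_only(root, targets[i]),
               within_share(root, targets[i]));
    return 0;
}
```

The same boundary test is worth applying when reviewing any path allow-list that compares directory names as strings, and when auditing hosts for share paths that are a string prefix of a sibling directory.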
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174076.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-December/174391.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00019.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00020.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00032.html
http://lists.opensuse.org/opensuse-security-announce/2015-12/msg00033.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00002.html
http://lists.opensuse.org/opensuse-security-announce/2016-01/msg00017.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00046.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html
http://www.debian.org/security/2016/dsa-3433
http://www.oracle.com/technetwork/topics/security/bulletinjan2016-2867206.html
http://www.oracle.com/technetwork/topics/security/linuxbulletinjan2016-2867209.html
http://www.securityfocus.com/bid/79733
http://www.securitytracker.com/id/1034493
http://www.ubuntu.com/usn/USN-2855-1
http://www.ubuntu.com/usn/USN-2855-2
https://bugzilla.redhat.com/show_bug.cgi?id=1290288
https://git.samba.org/?p=samba.git%3Ba=commit%3Bh=4278ef25f64d5fdbf432ff1534e275416ec9561e
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05115993
https://security.gentoo.org/glsa/201612-47
https://www.samba.org/samba/security/CVE-2015-5252.html
Published 2015-12-29