CVE-2015-7560
published 2016-03-13
CVE-2015-7560: The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4 allows remote…
Priority P3 · 44 · medium · 6.5 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
EPSS: 12.94% (95.8th percentile)
The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4 allows remote authenticated users to modify arbitrary ACLs by using a UNIX SMB1 call to create a symlink, and then using a non-UNIX SMB1 call to write to the ACL content.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| canonical | ubuntu_linux | — | — |
| debian | debian_linux | — | — |
| debian | debian_linux | — | — |
| debian | samba | < samba 2:4.3.6+dfsg-1 (bookworm) | samba 2:4.3.6+dfsg-1 (bookworm) |
| samba | samba | — | — |
| samba | samba | >= 0 < 2:4.3.6+dfsg-1 | 2:4.3.6+dfsg-1 |
| samba | samba | >= 0 < 2:4.3.6+dfsg-1 | 2:4.3.6+dfsg-1 |
| samba | samba | >= 0 < 2:4.3.6+dfsg-1 | 2:4.3.6+dfsg-1 |
| samba | samba | >= 0 < 2:4.3.6+dfsg-1 | 2:4.3.6+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.6+dfsg-1ubuntu2.14.04.13 | 2:4.1.6+dfsg-1ubuntu2.14.04.13 |
| samba | samba | >= 3.2.0 < 4.1.23 | 4.1.23 |
| samba | samba | >= 4.2.0 < 4.2.9 | 4.2.9 |
| samba | samba | >= 4.3.0 < 4.3.6 | 4.3.6 |
CVSS provenance
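| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 6.5 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:P/A:N |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |
| vendor_ubuntu | — | 5.1 | MEDIUM | — |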
Red Hat
samba: Incorrect ACL get/set allowed on symlink path
vendor_redhat·2016-03-08·CVSS 6.5
CVE-2015-7560 [MEDIUM] CWE-284 samba: Incorrect ACL get/set allowed on symlink path
A flaw was found in the way Samba handled ACLs on symbolic links. An authenticated user could use this flaw to gain access to an arbitrary file or directory by overwriting its ACL.
Package: samba (Red Hat Enterprise Linux 5) - Not affected
Package: samba3x (Red Hat Enterprise Linux 5) - Will not fix
Ubuntu
Samba vulnerabilities
vendor_ubuntu·2016-03-08·CVSS 5.1
CVE-2013-0213 [MEDIUM] Samba vulnerabilities
Title: Samba vulnerabilities
Summary: Several security issues were fixed in Samba.
Jeremy Allison discovered that Samba incorrectly handled ACLs on symlink
paths. A remote attacker could use this issue to overwrite the ownership of
ACLs using symlinks. (CVE-2015-7560)
Garming Sam and Douglas Bagnall discovered that the Samba internal DNS
server incorrectly handled certain DNS TXT records. A remote attacker could
use this issue to cause Samba to crash, resulting in a denial of service,
or possibly obtain uninitialized memory contents. This issue only applied
to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0771)
It was discovered that the Samba Web Administration Tool (SWAT) was
vulnerable to clickjacking and cross-site request forgery attacks. This
issue only affected Ubuntu 12.04 LTS.
Debian
CVE-2015-7560: samba - The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before...
vendor_debian·2015·CVSS 6.5
CVE-2015-7560 [MEDIUM] CVE-2015-7560: samba - The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before...
Scope: local
bookworm: resolved (fixed in 2:4.3.6+dfsg-1)
bullseye: resolved (fixed in 2:4.3.6+dfsg-1)
forky: resolved (fixed in 2:4.3.6+dfsg-1)
sid: resolved (fixed in 2:4.3.6+dfsg-1)
trixie: resolved (fixed in 2:4.3.6+dfsg-1)
GHSA
GHSA-8wq4-qh3h-2hhh: The SMB1 implementation in smbd in Samba 3
ghsa_unreviewed·2022-05-17
CVE-2015-7560 [MEDIUM] CWE-284 GHSA-8wq4-qh3h-2hhh: The SMB1 implementation in smbd in Samba 3
OSV
CVE-2015-7560: The SMB1 implementation in smbd in Samba 3
osv·2016-03-13·CVSS 6.5
CVE-2015-7560 [MEDIUM] CVE-2015-7560: The SMB1 implementation in smbd in Samba 3
OSV
samba vulnerabilities
osv·2016-03-08·CVSS 5.1
CVE-2015-7560 [MEDIUM] samba vulnerabilities
Jeremy Allison discovered that Samba incorrectly handled ACLs on symlink
paths. A remote attacker could use this issue to overwrite the ownership of
ACLs using symlinks. (CVE-2015-7560)
Garming Sam and Douglas Bagnall discovered that the Samba internal DNS
server incorrectly handled certain DNS TXT records. A remote attacker could
use this issue to cause Samba to crash, resulting in a denial of service,
or possibly obtain uninitialized memory contents. This issue only applied
to Ubuntu 14.04 LTS and Ubuntu 15.10. (CVE-2016-0771)
It was discovered that the Samba Web Administration Tool (SWAT) was
vulnerable to clickjacking and cross-site request forgery attacks. This
issue only affected Ubuntu 12.04 LTS. (CVE-2013-0213, CVE-2013-0214)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path [fedora-all]
bugzilla·2016-03-09·CVSS 6.5
CVE-2015-7560 [MEDIUM] CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions o
Bugzilla
CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path
bugzilla·2016-02-19·CVSS 6.5
CVE-2015-7560 [MEDIUM] CVE-2015-7560 samba: Incorrect ACL get/set allowed on symlink path
As per upstream security advisory:
All versions of Samba from 3.2.0 to 4.3.3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.
An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.
Discussion:
Workaround
Add the parameter:
`unix extensions = no`
to the [global] section of your smb.conf and restart smbd.
Alternatively, prohibit the use of SMB1 by setting the parameter:
`server min protocol = SMB2`
to the [global] section of your smb.conf and restart smbd.
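The workaround above can be verified mechanically. The following is an added example, not part of the advisory or of Samba's code: it parses an smb.conf and reports which of the two settings is in effect in [global]. The sample configs are constructed; `include` directives and backslash line continuations are not handled, and a missing `server min protocol` is treated as not mitigated.

```python
import re

# Constructed sample configs (not taken from any real host).
VULNERABLE = """\
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
[share]
   path = /srv/share
   unix extensions = no
"""
MITIGATED = """\
[global]
   Unix Extensions = No
"""

FALSE_VALUES = {"no", "false", "0", "off"}

def global_params(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or full-line comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names
            params["".join(name.split()).lower()] = value.strip()
    return params

def cve_2015_7560_workaround(text):
    """Return the workarounds from the advisory that are in effect."""
    p = global_params(text)
    applied = []
    # A copy of the setting inside a share section does not count.
    if p.get("unixextensions", "yes").lower() in FALSE_VALUES:
        applied.append("unix extensions = no")
    # "min protocol" is a synonym; absent means "assume SMB1 is allowed".
    min_proto = p.get("serverminprotocol", p.get("minprotocol", "")).lower()
    if min_proto.startswith(("smb2", "smb3")):
        applied.append("server min protocol >= SMB2")
    return applied
```

An empty result means neither workaround is configured, so the host depends on running a fixed Samba version.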
---
Created samba tracking bugs for this issue:
Affects: f
References
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178730.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/178764.html
http://lists.fedoraproject.org/pipermail/package-announce/2016-March/180000.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00063.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00064.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00065.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00081.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00090.html
http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00092.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00042.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html
http://lists.opensuse.org/opensuse-security-announce/2016-04/msg00048.html
http://www.debian.org/security/2016/dsa-3514
http://www.securityfocus.com/bid/84267
http://www.securitytracker.com/id/1035220
http://www.ubuntu.com/usn/USN-2922-1
https://bugzilla.samba.org/show_bug.cgi?id=11648
https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05121842
https://www.samba.org/samba/security/CVE-2015-7560.html