CVE-2017-2619
published 2018-03-12

CVE-2017-2619: Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not…

Priority: P2 / 62 / high; CVSS 3.1 base score: 7.5
CVSS 3.1 vector: AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 11.18% (95.4th percentile)
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.

Affected

14 ranges

Vendor | Product | Version range | Fixed in
debian | debian_linux | |
debian | samba | < samba 2:4.5.6+dfsg-2 (bookworm) | samba 2:4.5.6+dfsg-2 (bookworm)
redhat | enterprise_linux | |
redhat | enterprise_linux | |
samba | samba | < 4.4.12 | 4.4.12
samba | samba | |
samba | samba | |
samba | samba | |
samba | samba | >= 0 < 2:4.5.6+dfsg-2 | 2:4.5.6+dfsg-2
samba | samba | >= 0 < 2:4.5.6+dfsg-2 | 2:4.5.6+dfsg-2
samba | samba | >= 0 < 2:4.5.6+dfsg-2 | 2:4.5.6+dfsg-2
samba | samba | >= 0 < 2:4.5.6+dfsg-2 | 2:4.5.6+dfsg-2
samba | samba | >= 4.5.0 < 4.5.7 | 4.5.7
samba | samba | >= 4.6.0 < 4.6.1 | 4.6.1

Detection & IOCs (extracted from sources)

command: symlink / link
command: rename_loop link normal foobar
command: dump foobar/secret
url: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41740.zip
  • Monitor smbd for rapid rename operations on a path component that was previously validated by lstat(), particularly a rename that replaces a directory with a symlink immediately before open() is called.
  • Alert on SMB clients creating symlinks pointing to '/' or other absolute paths outside the share root via SMB1 POSIX unix extensions.
  • Detect concurrent dual SMB sessions from the same client where one session performs rapid renames and the other performs file reads — characteristic of the two-connection race exploitation pattern.
  • Adding 'unix extensions = no' to the [global] section of smb.conf and restarting smbd mitigates the SMB1 attack vector, but does NOT protect against NFS clients creating symlinks on the same exported filesystem.
  • The race is difficult to win under normal conditions but becomes reliably exploitable when the server is slowed (e.g., by running strace against smbd); exploitation in the wild has not been observed.

CVSS provenance

Source | CVSS version | Score | Severity | Vector
nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P
osv | | 7.5 | HIGH |
vendor_debian | | 7.5 | HIGH |
vendor_redhat | | 7.5 | HIGH |