CVE-2017-2619
Published: 2018-03-12
Priority: P2 · 62 · high · 7.5 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit referenced (Exploit-DB entry listed under References)
EPSS: 11.18% (95.4th percentile)
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
Affected
14 ranges as listed by the sources (verbatim duplicate rows collapsed below)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | samba | < 2:4.5.6+dfsg-2 (bookworm) | 2:4.5.6+dfsg-2 |
| redhat | enterprise_linux | — | — |
| samba | samba | < 4.4.12 | 4.4.12 |
| samba | samba | — | — |
| samba | samba | >= 0 < 2:4.5.6+dfsg-2 | 2:4.5.6+dfsg-2 |
| samba | samba | >= 4.5.0 < 4.5.7 | 4.5.7 |
| samba | samba | >= 4.6.0 < 4.6.1 | 4.6.1 |
Note: the advisory text names 4.4.11 as the fixed 4.4.x version while the range above ends at 4.4.12; the 4.4 branch security release that carried this fix shipped as Samba 4.4.12, so treat 4.4.11 as still affected.
Detection & IOCs (extracted from sources)
- Monitor smbd for rapid rename operations on a path component that was previously validated by lstat(), particularly a rename that replaces a directory with a symlink immediately before open() is called.
- Alert on SMB clients creating symlinks pointing to '/' or other absolute paths outside the share root via SMB1 POSIX unix extensions.
- Detect concurrent dual SMB sessions from the same client where one session performs rapid renames and the other performs file reads; this is the characteristic two-connection race exploitation pattern.
- Adding 'unix extensions = no' to the [global] section of smb.conf and restarting smbd mitigates the SMB1 attack vector, but does NOT protect against NFS clients creating symlinks on the same exported filesystem.
- The race is difficult to win under normal conditions but becomes reliably exploitable when the server is slowed (e.g., by running strace against smbd); exploitation in the wild has not been observed.
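The three detection signals above, turned into a small correlator run over constructed audit lines. This is an added example, not Samba tooling or a rule from any of the sources. It assumes the share is audited with Samba's vfs_full_audit module using its default log prefix (user|client IP|machine|share), that syslog adds the smbd process ID (used here as the session identifier, since smbd forks one process per client connection), and that rename, symlink and open arguments appear in the order shown in the sample; the six log lines, the share root and the two-second window are all made up for the demo.

```python
"""Correlate vfs_full_audit-style events for the CVE-2017-2619 race pattern.
Added example; log format, PIDs, paths and window are assumptions for the demo."""
import re
from collections import defaultdict, deque
from datetime import datetime

# syslog-ish line: "<iso timestamp> <host> smbd_audit[<pid>]: user|ip|machine|share|op|ok|args..."
LINE_RE = re.compile(r"^(?P<ts>\S+) \S+ smbd_audit\[(?P<pid>\d+)\]: (?P<rest>.*)$")
WINDOW_SECONDS = 2.0            # how close "rapid" operations must be to correlate

SAMPLE_LINES = [  # constructed for the demo
    "2017-03-23T10:00:00 fs1 smbd_audit[2001]: alice|10.0.0.5|ws1|public|connect|ok|public",
    "2017-03-23T10:00:00 fs1 smbd_audit[2002]: alice|10.0.0.5|ws1|public|connect|ok|public",
    "2017-03-23T10:00:01 fs1 smbd_audit[2001]: alice|10.0.0.5|ws1|public|rename|ok|docs|docs.old",
    "2017-03-23T10:00:01 fs1 smbd_audit[2001]: alice|10.0.0.5|ws1|public|symlink|ok|/|docs",
    "2017-03-23T10:00:01 fs1 smbd_audit[2002]: alice|10.0.0.5|ws1|public|open|ok|r|docs/etc/shadow",
    "2017-03-23T10:00:30 fs1 smbd_audit[2003]: bob|10.0.0.9|ws2|public|open|ok|r|docs/report.txt",
]


def parse_line(line):
    """Split one audit line into a dict, or return None for anything unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    fields = m.group("rest").split("|")
    if len(fields) < 6:
        return None
    user, ip, machine, share, op, status = fields[:6]
    return {"ts": datetime.fromisoformat(m.group("ts")), "pid": int(m.group("pid")),
            "user": user, "ip": ip, "share": share, "op": op,
            "ok": status == "ok", "args": fields[6:]}


def outside_root(path, root):
    """True for an absolute path that does not sit under the share root."""
    return path.startswith("/") and not (path == root or path.startswith(root + "/"))


def detect(lines, share_root="/srv/samba/public"):
    """Return (rule, client ip, detail) tuples.  Successful events are kept per
    client IP in a sliding window so the rules can correlate across sessions."""
    alerts = []
    recent = defaultdict(deque)
    for line in lines:
        ev = parse_line(line)
        if ev is None or not ev["ok"]:
            continue
        q = recent[ev["ip"]]
        while q and (ev["ts"] - q[0]["ts"]).total_seconds() > WINDOW_SECONDS:
            q.popleft()
        if ev["op"] == "symlink" and len(ev["args"]) == 2:
            target, link = ev["args"]
            # Rule: symlink to '/' or any other absolute path outside the share root.
            if outside_root(target, share_root):
                alerts.append(("symlink_outside_share", ev["ip"], f"{link} -> {target}"))
            # Rule: a name renamed away moments ago is re-created as a symlink,
            # i.e. a directory swapped for a symlink (the race's core move).
            if any(p["op"] == "rename" and p["args"][:1] == [link] for p in q):
                alerts.append(("rename_then_symlink", ev["ip"], link))
        if ev["op"] == "open":
            # Rule: another session from the same client renames/symlinks while
            # this one reads: the two-connection exploitation pattern.
            mutator = next((p for p in q if p["pid"] != ev["pid"]
                            and p["op"] in ("rename", "symlink")), None)
            if mutator is not None:
                alerts.append(("dual_session_race", ev["ip"],
                               f"pid {mutator['pid']} mutates, pid {ev['pid']} reads {ev['args'][-1]}"))
        q.append(ev)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LINES):
        print(alert)
```

On the sample, alice's two sessions trigger all three rules and bob's ordinary read triggers none. In production the interesting tuning knob is the window: the source notes the race is hard to win at normal server speed, so a client that wins it is issuing these operations in tight loops, and a short window keeps ordinary rename-heavy workloads (build trees, editors writing temp files) out of the alert stream.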
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v2.0 | 6.0 | MEDIUM | AV:N/AC:M/Au:S/C:P/I:P/A:P |
| osv | — | 7.5 | HIGH | — |
| vendor_debian | — | 7.5 | HIGH | — |
| vendor_redhat | — | 7.5 | HIGH | — |
GHSA
GHSA-gpq8-xrm8-w2qr (ghsa_unreviewed · 2022-05-13) · HIGH · CWE-362
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
OSV
CVE-2017-2619 (osv · 2018-03-12) · CVSS 7.5 · HIGH
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
Ubuntu
Samba vulnerability (vendor_ubuntu · 2017-04-25)
Summary: Samba could be made to expose sensitive information over the network.
Jann Horn discovered that Samba incorrectly handled symlinks. An authenticated remote attacker could use this issue to access files on the server outside of the exported directories.
Instructions: This update uses a new upstream release, which includes additional bug fixes. In general, a standard system update will make all the necessary changes.
Ubuntu
Samba vulnerability (vendor_ubuntu · 2017-03-23)
Summary: Samba could be made to expose sensitive information over the network.
Jann Horn discovered that Samba incorrectly handled symlinks. An authenticated remote attacker could use this issue to access files on the server outside of the exported directories.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
samba: symlink race permits opening files outside share directory (vendor_redhat · 2017-03-23) · CVSS 7.5 · HIGH · CWE-362
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
A race condition was found in samba server. A malicious samba client could use this flaw to access files and directories in areas of the server file system not exported under the share definitions.
Mitigation: Add the parameter:
unix extensions = no
to the [global] section of your smb.conf and restart smbd. This prevents SMB1 clients from creating symlinks on the exported file system using SMB1.
However, if the same region of the file system is also exported using NFS, NFS clients can create symlinks that potentially can also hit
Debian
CVE-2017-2619: samba (vendor_debian · 2017) · CVSS 7.5 · HIGH
Samba before versions 4.6.1, 4.5.7 and 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
Scope: local
bookworm: resolved (fixed in 2:4.5.6+dfsg-2)
bullseye: resolved (fixed in 2:4.5.6+dfsg-2)
forky: resolved (fixed in 2:4.5.6+dfsg-2)
sid: resolved (fixed in 2:4.5.6+dfsg-2)
trixie: resolved (fixed in 2:4.5.6+dfsg-2)
No detection rules found.
Bugzilla
CVE-2017-2619 samba: symlink race permits opening files outside share directory [fedora-all] (bugzilla · 2017-03-23) · CVSS 7.5 · HIGH
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected versions of Fedora.
For comments that are specific to the vulnerability please use bugs filed against the "Security Response" product referenced in the "Blocks" field.
For more information see: http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next comment(s). This will include the bug IDs of this tracking bug as well as the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the fedpkg commit message.
NOTE: this issue affects multiple support
Bugzilla
CVE-2017-2619 samba: symlink race permits opening files outside share directory (bugzilla · 2017-03-06) · CVSS 7.5 · HIGH
As per upstream advisory:
All versions of Samba prior to 4.6.1, 4.5.7, 4.4.11 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition.
Samba uses the realpath() system call to ensure when a client requests access to a pathname that it is under the exported share path on the server file system.
Clients that have write access to the exported part of the file system via SMB1 unix extensions or NFS to create symlinks can race the server by renaming a realpath() checked path and then creating a symlink. If the client wins the race it can cause the server to access the new symlink target after the exported share path che
References
- http://www.securityfocus.com/bid/97033
- http://www.securitytracker.com/id/1038117
- https://access.redhat.com/errata/RHSA-2017:1265
- https://access.redhat.com/errata/RHSA-2017:2338
- https://access.redhat.com/errata/RHSA-2017:2778
- https://access.redhat.com/errata/RHSA-2017:2789
- https://bugzilla.redhat.com/show_bug.cgi?id=1429472
- https://h20566.www2.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbns03755en_us
- https://www.debian.org/security/2017/dsa-3816
- https://www.exploit-db.com/exploits/41740/
- https://www.samba.org/samba/security/CVE-2017-2619.html