Status: Complete
Assignee: Andrew Walker
Reporter: Andrew Walker
Labels:
Time remaining: 0m
Components:
Fix versions:
Affects versions:
Priority: High
Created November 10, 2021 at 5:29 PM
Updated August 19, 2022 at 12:56 PM
Resolved February 3, 2022 at 12:48 PM
https://www.samba.org/samba/security/CVE-2021-20316.html
===========
Description
===========
All versions of Samba prior to 4.15.0 (TrueNAS 13.0) are vulnerable to a malicious
client using an SMB1 or NFS symlink race to allow filesystem metadata
to be accessed in an area of the server file system not exported under
the share definition. Note that SMB1 has to be enabled, or the share
must also be available via NFS, in order for this attack to succeed.
Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks that
can race the server by renaming an existing path and then replacing it
with a symlink. If the client wins the race it can cause the server to
read or modify file or directory metadata on the symlink target.
The authenticated user must have permissions to read or modify the
metadata of the target of the symlink in order to perform the
operation outside of the share.
Filesystem metadata includes such attributes as timestamps, extended
attributes, permissions, and ownership.
This is a difficult race to win, but theoretically possible. Note that
the proof of concept code supplied wins the race only when the server
is slowed down and put under heavy load. Exploitation of this bug has
not been seen in the wild.
=================================
Workaround and mitigating factors
=================================
Do not enable SMB1 (please note SMB1 is disabled by default in
TrueNAS 11.2 and later). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the auxiliary parameter:
unix extensions = no
in the Services->SMB form, and restart the SMB service. This
prevents SMB1 clients from creating symlinks on the exported file
system.
However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For versions prior to TrueNAS 13.0, we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.
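An added configuration audit for the two preconditions the advisory describes (SMB1 with unix extensions enabled, or the same tree also exported over NFS); this is example code written for this page, not TrueNAS or Samba code. It assumes smb.conf text and /etc/exports text are available as strings; the sample shares, export lines and version string are constructed, while 'server min protocol', 'unix extensions' and the SMB1 dialect names are Samba's own options and the 4.15.0 cutoff follows the advisory.

```python
import configparser
from pathlib import PurePosixPath

# Constructed sample inputs (not from the ticket): smb.conf and FreeBSD-style /etc/exports.
SMB_CONF = """[global]
    server min protocol = NT1
    unix extensions = yes
[tank]
    path = /mnt/tank/share
    read only = no
[private]
    path = /mnt/tank/private
"""
EXPORTS = """# constructed /etc/exports
/mnt/tank/share -alldirs -network 192.0.2.0/24
/mnt/pool2/media -network 192.0.2.0/24
"""
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}

def exported_paths(text):
    # The first whitespace-separated token of each non-comment exports line is the path.
    return [PurePosixPath(l.split()[0]) for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def overlaps(a, b):
    # A share and an export overlap when one path equals or contains the other.
    return a == b or a in b.parents or b in a.parents

def audit(smb_conf_text, exports_text, samba_version):
    """Return findings for the two exposure routes described in the advisory."""
    findings = []
    if tuple(int(p) for p in samba_version.split(".")[:3]) >= (4, 15, 0):
        return findings  # advisory: only versions prior to 4.15.0 are affected
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(smb_conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    # Samba defaults: 'server min protocol' is SMB2_02 and 'unix extensions' is yes.
    smb1 = g.get("server min protocol", "SMB2_02").lower() in SMB1_DIALECTS
    unix_ext = g.get("unix extensions", "yes").lower() in ("yes", "true", "1")
    if smb1 and unix_ext:
        findings.append("SMB1 with unix extensions: set 'unix extensions = no' or disable SMB1")
    nfs = exported_paths(exports_text)
    for name in cp.sections():
        path = cp[name].get("path") if name != "global" else None
        if path and any(overlaps(PurePosixPath(path), e) for e in nfs):
            findings.append(f"share [{name}] at {path} is also exported over NFS")
    return findings
```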