samba: Combination of parameters and permissions can allow user to escape from the share path definition (CVE-2019-10197)
On a Samba SMB server, for all versions of Samba from 4.9.0, clients are able to escape outside the share root directory if certain configuration parameters are set in the smb.conf file.
The problem is reproducible if the 'wide links' option is explicitly set to 'yes' and either 'unix extensions = no' or 'allow insecure wide links = yes' is set in addition.
If a client has no permissions to enter the share root directory, it will get ACCESS_DENIED on the first request. However, smbd has a cache that remembers if it successfully changed to a directory. This cache was not being reset on failure. The following SMB request will then silently operate in the wrong directory instead of returning ACCESS_DENIED. That directory is either the share root directory of a different share the client was operating on successfully before or the global root directory ('/') of the system.
The unix token (uid, gid, list of groups) is always correctly impersonated before each operation, so the client is still restricted by the unix permissions enforced by the kernel.
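To check whether a server's configuration matches the parameter combination described above, the following added example (not part of the advisory and not Samba code) parses smb.conf text and lists the affected shares. The function names and the sample configuration are constructed for illustration; it assumes 'unix extensions' and 'allow insecure wide links' are set in [global] and does not check the Samba version.

```python
# Added example (not Samba code): flag shares whose smb.conf settings match
# the parameter combination this advisory names for CVE-2019-10197.
TRUE_VALUES = {"yes", "true", "1", "on"}
FALSE_VALUES = {"no", "false", "0", "off"}

def parse_smb_conf(text):
    """Return {section: {param: value}}; names lowercased, whitespace removed."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):          # backslash continues on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            name, value = line.split("=", 1)
            sections[current]["".join(name.lower().split())] = value.strip()
    return sections

def exposed_shares(text):
    """Shares with 'wide links = yes' while a global option keeps it active."""
    conf = parse_smb_conf(text)
    glob = conf.get("global", {})
    unix_ext_off = glob.get("unixextensions", "").lower() in FALSE_VALUES
    insecure_on = glob.get("allowinsecurewidelinks", "").lower() in TRUE_VALUES
    if not (unix_ext_off or insecure_on):
        return []
    default = glob.get("widelinks", "no")   # a [global] value is the share default
    return sorted(name for name, params in conf.items()
                  if name != "global"
                  and params.get("widelinks", default).lower() in TRUE_VALUES)

# Constructed sample configuration, not taken from the advisory.
SAMPLE = """
[global]
    unix extensions = no
[public]
    path = /srv/public
    Wide Links = Yes
[private]
    path = /srv/private
    wide links = no
"""

if __name__ == "__main__":
    print(exposed_shares(SAMPLE))
```

The parser does not follow `include` directives; feeding it the output of `testparm -s` covers configurations split across files.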
Fixed In Version:
Samba 4.9.13, Samba 4.10.8, Samba 4.11.0rc3
References:
- https://www.samba.org/samba/history/security.html
- https://www.samba.org/samba/security/CVE-2019-10197.html
Patch:
https://download.samba.org/pub/samba/patches/security/samba-4.10.7-CVE-2019-10197.patch