The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.

According to its banner, the version of Samba is 3.3.x earlier than 3.3.11, or 3.4.x earlier than 3.4.6, or 3.5.x earlier than 3.5.0rc3, and is therefore affected by a directory-traversal vulnerability as the application fails to sufficiently sanitize user-supplied input.  According to the vendor, the issue stems from an insecure default configuration.  The vendor advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.  To exploit this issue, attackers require authenticated access to a writable share, and may be exploited through a writable share accessible by guest accounts.  This may allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.

From Red Hat Security Advisory 2012:0313 :

Updated samba packages that fix one security issue, one bug, and add one enhancement are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

The default Samba server configuration enabled both the 'wide links' and 'unix extensions' options, allowing Samba clients with write access to a share to create symbolic links that point to any location on the file system. Clients connecting with CIFS UNIX extensions disabled could have such links resolved on the server, allowing them to access and possibly overwrite files outside of the share. With this update, 'wide links' is set to 'no' by default. In addition, the update ensures 'wide links' is disabled for shares that have 'unix extensions' enabled. (CVE-2010-0926)

Warning: This update may cause files and directories that are only linked to Samba shares using symbolic links to become inaccessible to Samba clients. In deployments where support for CIFS UNIX extensions is not needed (such as when files are exported to Microsoft Windows clients), administrators may prefer to set the 'unix extensions' option to 'no' to allow the use of symbolic links to access files out of the shared directories. All existing symbolic links in a share should be reviewed before re-enabling 'wide links'.

These updated samba packages also fix the following bug :

* The smbclient tool sometimes failed to return the proper exit status code. Consequently, using smbclient in a script caused some scripts to fail. With this update, an upstream patch has been applied and smbclient now returns the correct exit status. (BZ#768908)

In addition, these updated samba packages provide the following enhancement :

* With this update, support for Windows Server 2008 R2 domains has been added. (BZ#736124)

Users are advised to upgrade to these updated samba packages, which correct these issues and add this enhancement. After installing this update, the smb service will be restarted automatically.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2012:0313 advisory.

  - samba: insecure wide links default (CVE-2010-0926)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

With enabled 'wide links' samba follows symbolic links on the server side, therefore allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default setting to have 'wide links' disabled by default. The new default only works if 'wide links' is not set explicitly in smb.conf.

Due to a race condition in mount.cifs a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it's not recommended to change that.
(CVE-2010-0547)

It was discovered the Samba handled symlinks in an unexpected way when both 'wide links' and 'UNIX extensions' were enabled, which is the default. A remote attacker could create symlinks and access arbitrary files from the server.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

With enabled 'wide links' samba follows symbolic links on the server side, therefore allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default setting to have 'wide links' disabled by default. The new default only works if 'wide links' is not set explicitly in smb.conf.

Due to a race condition in mount.cifs a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it's not recommended to change that (CVE-2010-0547).

With enabled 'wide links' Samba follows symbolic links on the server side, therefore allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default setting to have 'wide links' disabled by default. The new default only works if 'wide links' is not set explicitly in smb.conf.

Due to a race condition in mount.cifs a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it's not recommended to change that.
(CVE-2010-0547)

The remote Samba server is configured insecurely and allows a remote attacker to gain read or possibly write access to arbitrary files on the affected host.  Specifically, if an attacker has a valid Samba account for a share that is writable or there is a writable share that is configured to be a guest account share, he can create a symlink using directory traversal sequences and gain access to files and directories outside that share. 

Note that successful exploitation requires that the Samba server's 'wide links' parameter be set to 'yes', which is the default.

ID	Name	Product	Family	Severity
9342	Samba 3.3.x < 3.3.11 / 3.4.x < 3.4.6 / 3.5.x < 3.5.0rc3 Directory Traversal	Nessus Network Monitor	Samba	medium
68484	Oracle Linux 5 : samba (ELSA-2012-0313)	Nessus	Oracle Linux Local Security Checks	low
58067	RHEL 5 : samba (RHSA-2012:0313)	Nessus	Red Hat Local Security Checks	high
49834	SuSE 10 Security Update : Samba (ZYPP Patch Number 6921)	Nessus	SuSE Local Security Checks	low
45471	SuSE 10 Security Update : Samba (ZYPP Patch Number 6920)	Nessus	SuSE Local Security Checks	low
45453	SuSE9 Security Update : Samba (YOU Patch Number 12595)	Nessus	SuSE Local Security Checks	low
45343	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : samba vulnerability (USN-918-1)	Nessus	Ubuntu Local Security Checks	low
45341	openSUSE Security Update : cifs-mount (cifs-mount-2128)	Nessus	SuSE Local Security Checks	low
45340	openSUSE Security Update : cifs-mount (cifs-mount-2128)	Nessus	SuSE Local Security Checks	low
45339	openSUSE Security Update : cifs-mount (cifs-mount-2128)	Nessus	SuSE Local Security Checks	low
45130	SuSE 11 Security Update : Samba (SAT Patch Number 2126)	Nessus	SuSE Local Security Checks	low
44406	Samba Symlink Traversal Arbitrary File Access (unsafe check)	Nessus	Misc.	high

Detections

Analytics

CVE-2010-0926

high

Tenable Plugins

medium

low

high

low

low

low

low

low

low

low

low

high