Description
This update addresses the following issue:
* Samba contains an RPC endpoint emulating the Windows registry service
API. One of the requests, "winreg_SaveKey", is susceptible to a
path/symlink traversal vulnerability. Unprivileged users can use it to
create a new registry hive file anywhere they have unix permissions to
create a new file within a Samba share. If they are able to create
symlinks on a Samba share, they can create a new registry hive file
anywhere they have write access, even outside a Samba share
definition.
Existing share restrictions such as "read only" or share ACLs
do not prevent new registry hive files being written to the
filesystem. A file may be written under any share definition wherever
the user has unix permissions to create a file.
Existing files cannot be overwritten using this vulnerability; only
new registry hive files can be created. However, the presence of
existing files with a specific name can be detected.
Samba writes or detects the file as the authenticated user, but
by UCS default the "Administrator" account is mapped to root, because
it is configured as "admin user" in smb.conf.
For details and possible mitigations see
https://www.samba.org/samba/security/CVE-2019-3880.html