fkie_cve-2023-4091
Vulnerability from fkie_nvd
Published
2023-11-03 08:15
Modified
2024-11-21 08:34
Severity ?
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
6.5 (Medium) - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Summary
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
References
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:6209Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:6744Third Party Advisory
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7371
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7408
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7464
secalert@redhat.comhttps://access.redhat.com/errata/RHSA-2023:7467
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2023-4091Third Party Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2241882Issue Tracking
secalert@redhat.comhttps://bugzilla.samba.org/show_bug.cgi?id=15439Issue Tracking
secalert@redhat.comhttps://www.samba.org/samba/security/CVE-2023-4091.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:6209Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:6744Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7371
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7408
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7464
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/errata/RHSA-2023:7467
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2023-4091Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2241882Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.samba.org/show_bug.cgi?id=15439Issue Tracking
af854a3a-2127-422b-91ae-364da2661108https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html
af854a3a-2127-422b-91ae-364da2661108https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZUMVALLFFDFC53JZMUWA6HPD7HUGAP5I/
af854a3a-2127-422b-91ae-364da2661108https://security.netapp.com/advisory/ntap-20231124-0002/
af854a3a-2127-422b-91ae-364da2661108https://www.samba.org/samba/security/CVE-2023-4091.htmlVendor Advisory
Impacted products
Vendor Product Version
samba samba *
samba samba *
samba samba *
fedoraproject fedora 39
redhat storage 3.0
redhat enterprise_linux 8.0
redhat enterprise_linux_eus 9.0


To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "1C9913F9-D46D-4CE3-AA78-E50D32779971",
              "versionEndExcluding": "4.17.12",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8A33312F-1523-4647-83DA-6DD6231906F9",
              "versionEndExcluding": "4.18.8",
              "versionStartIncluding": "4.18.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "DE496104-DDB5-4709-8026-C83E99B0C865",
              "versionEndExcluding": "4.19.1",
              "versionStartIncluding": "4.19.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*",
              "matchCriteriaId": "B8EDB836-4E6A-4B71-B9B2-AA3E03E0F646",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    },
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:redhat:storage:3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "379A5883-F6DF-41F5-9403-8D17F6605737",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "F4CFF558-3C47-480D-A2F0-BABF26042943",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "4DDA3E5A-8754-4C48-9A27-E2415F8A6000",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module \"acl_xattr\" is configured with \"acl_xattr:ignore system acls = yes\". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba\u0027s permissions."
    },
    {
      "lang": "es",
      "value": "Se descubri\u00f3 una vulnerabilidad en Samba, donde la falla permite a los clientes SMB truncar archivos, incluso con permisos de solo lectura cuando el m\u00f3dulo Samba VFS \"acl_xattr\" est\u00e1 configurado con \"acl_xattr:ignore system acls = yes\". El protocolo SMB permite abrir archivos cuando el cliente solicita acceso de solo lectura, pero luego trunca impl\u00edcitamente el archivo abierto a 0 bytes si el cliente especifica una solicitud de disposici\u00f3n de creaci\u00f3n de SOBRESCRITURA separada. El problema surge en configuraciones que omiten las comprobaciones de permisos del sistema de archivos del kernel y dependen \u00fanicamente de los permisos de Samba."
    }
  ],
  "id": "CVE-2023-4091",
  "lastModified": "2024-11-21T08:34:22.283",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "secalert@redhat.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 6.5,
          "baseSeverity": "MEDIUM",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 3.6,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ]
  },
  "published": "2023-11-03T08:15:08.197",
  "references": [
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:6209"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:6744"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2023:7371"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2023:7408"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2023:7464"
    },
    {
      "source": "secalert@redhat.com",
      "url": "https://access.redhat.com/errata/RHSA-2023:7467"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-4091"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241882"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.samba.org/show_bug.cgi?id=15439"
    },
    {
      "source": "secalert@redhat.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.samba.org/samba/security/CVE-2023-4091.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:6209"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/errata/RHSA-2023:6744"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2023:7371"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2023:7408"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2023:7464"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://access.redhat.com/errata/RHSA-2023:7467"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Third Party Advisory"
      ],
      "url": "https://access.redhat.com/security/cve/CVE-2023-4091"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241882"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Issue Tracking"
      ],
      "url": "https://bugzilla.samba.org/show_bug.cgi?id=15439"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZUMVALLFFDFC53JZMUWA6HPD7HUGAP5I/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://security.netapp.com/advisory/ntap-20231124-0002/"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://www.samba.org/samba/security/CVE-2023-4091.html"
    }
  ],
  "sourceIdentifier": "secalert@redhat.com",
  "vulnStatus": "Modified",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "secalert@redhat.com",
      "type": "Secondary"
    },
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-276"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.