===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0045
  World-writeable files may be created in additional shares on a Samba 4.0 AD DC
                               21 March 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              samba4
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Modify Arbitrary Files -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1863

Member content until: Saturday, April 20 2013

OVERVIEW

        A vulnerability has been identified in Samba versions 4.0.0rc6 to
        4.0.3 (inclusive). [1]

IMPACT

        Samba has released the following information on this vulnerability:

        "Administrators of the Samba 4.0 Active Directory Domain Controller
        might unexpectedly find files created world-writeable if additional
        CIFS file shares are created on the AD DC.

        By default the AD DC is not vulnerable to this issue, as a specific
        inheritable ACL is set on the files in the [sysvol] and [netlogon]
        shares. However, on other shares, when only configured with simple
        unix user/group/other permissions, the forced setting of 'create
        mask' and 'directory mask' on AD DC installations would apply,
        resulting in world-writable file permissions being set.

        These permissions are visible with the standard tools, and only the
        initial file creation is affected. As Samba honours the unix
        permissions, the security of files where explicit permissions have
        been set are not affected.

        Administrators will need to manually correct the permissions of any
        world-writable files and directories. After upgrading, either
        recursively set correct permissions using the Windows ACL editor, or
        run something like e.g.:

          sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R /path/to/share

        (Please note that this command might need to be adapted to your
        needs). This will remove all the ACLs (a reasonable step as this
        only impacts on shares without an ACL set), including a problematic
        default posix ACL on subdirectories." [1]

MITIGATION

        Samba has stated that "Samba administrators running affected
        versions are advised to upgrade to 4.0.4 or apply the patch as soon
        as possible." [1]

REFERENCES

        [1] World-writeable files may be created in additional shares on a
            Samba 4.0 AD DC
            http://www.samba.org/samba/security/CVE-2013-1863

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
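The IMPACT section leaves administrators to find the world-writable files themselves before running the setfacl/chmod command. The script below is an added example, not from the AusCERT bulletin or the Samba project: it audits a share path for files and directories writable by "other" (the permission bit the advisory describes) and then applies the bulletin's remediation, assuming a POSIX shell with find(1) and chmod(1); setfacl(1) is invoked only where it is installed.

```shell
#!/bin/sh
# Added example (not bulletin or Samba code): audit a share for world-writable
# entries left by CVE-2013-1863, then apply the advisory's remediation.
# Assumes POSIX sh, find(1), chmod(1); setfacl(1) is optional.

# Print every regular file or directory under $1 whose mode has the
# "other write" bit (002) set. Symlinks are skipped so only real objects
# on the share are reported.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Number of world-writable entries under $1, printed as a bare integer.
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# The bulletin's remediation: strip all ACLs (where setfacl exists) and
# remove group/other write recursively. As the advisory notes, this is only
# reasonable on shares where no ACL has been set deliberately.
fix_share_perms() {
    share="$1"
    if command -v setfacl >/dev/null 2>&1; then
        setfacl -b -R "$share"
    fi
    chmod -R o-w,g-w "$share"
}

# Constructed demo share (hypothetical layout) for a stand-alone run:
# one directory and one file created with the over-permissive modes the
# advisory describes, plus one file with sane permissions.
demo_share() {
    d=$(mktemp -d)
    mkdir "$d/sub"
    : > "$d/sub/report.txt"
    : > "$d/private.txt"
    chmod 777 "$d/sub"
    chmod 666 "$d/sub/report.txt"
    chmod 644 "$d/private.txt"
    echo "$d"
}
```

Run `find_world_writable /path/to/share` first to review what would change; `fix_share_perms` is the same setfacl/chmod sequence the advisory gives, with the ACL step skipped on hosts without setfacl.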