===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0045
       World-writeable files may be created in additional shares on
                             a Samba 4.0 AD DC
                               21 March 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              samba4
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Modify Arbitrary Files -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-1863
Member content until: Saturday, April 20 2013

OVERVIEW

        A vulnerability has been identified in Samba versions 4.0.0rc6 to
        4.0.3 (inclusive). [1]


IMPACT

        Samba has released the following information on this vulnerability:
        
        "Administrators of the Samba 4.0 Active Directory Domain Controller 
        might unexpectedly find files created world-writeable if additional
        CIFS file shares are created on the AD DC.
        
        By default the AD DC is not vulnerable to this issue, as a specific
        inheritable ACL is set on the files in the [sysvol] and [netlogon] 
        shares.
        
        However, on other shares, when only configured with simple unix 
        user/group/other permissions, the forced setting of 'create mask' 
        and 'directory mask' on AD DC installations would apply, resulting 
        in world-writable file permissions being set.
        
        These permissions are visible with the standard tools, and only the
        initial file creation is affected. As Samba honours the unix
        permissions, the security of files where explicit permissions have
        been set is not affected.
        
        Administrators will need to manually correct the permissions of any
        world-writable files and directories. After upgrading, either
        recursively set correct permissions using the Windows ACL editor, or
        run something like:

            sudo setfacl -b -R /path/to/share && sudo chmod o-w,g-w -R /path/to/share

        (Please note that this command might need to be adapted to your
        needs.)

        This will remove all the ACLs (a reasonable step as this only
        impacts on shares without an ACL set), including a problematic
        default posix ACL on subdirectories." [1]
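        The following POSIX shell helpers are an added example, not part of
        the AusCERT bulletin or of Samba's own tooling: they let an
        administrator list the world-writable files and directories under a
        share root before changing anything, and then apply the chmod part of
        the clean-up above only to the entries actually affected. The
        `setfacl -b` step is deliberately left out, since it discards every
        ACL on the share and should be a separate, reviewed decision.

```shell
#!/bin/sh
# Audit and clean-up helpers for shares affected by CVE-2013-1863.
# Constructed example; share paths are supplied by the caller.

# List every regular file or directory below the share root given as $1
# whose "other" write bit is set (mode ...2, ...3, ...6 or ...7).
# `-perm -002` is POSIX find syntax for "all of these bits are set".
# Symlinks are not followed and are not reported.
find_world_writable() {
    share_root="$1"
    find "$share_root" \( -type f -o -type d \) -perm -002 -print
}

# Number of world-writable entries below $1 (handy for a before/after check).
count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Strip group and other write bits from the affected entries only, leaving
# owner permissions and any explicitly set ACLs untouched. This mirrors the
# `chmod o-w,g-w` part of the advisory's command without touching files that
# were never world-writable.
fix_world_writable() {
    find_world_writable "$1" | while IFS= read -r path; do
        chmod go-w "$path"
    done
}
```

        Run `count_world_writable /path/to/share` once before and once after
        `fix_world_writable` to confirm the share is clean; a non-zero count
        afterwards usually points at a default POSIX ACL on a subdirectory,
        which is where the advisory's `setfacl` step still applies.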


MITIGATION

        Samba has stated that "Samba administrators running affected 
        versions are advised to upgrade to 4.0.4 or apply the patch as soon
        as possible." [1]


REFERENCES

        [1] World-writeable files may be created in additional shares on a
            Samba 4.0 AD DC
            http://www.samba.org/samba/security/CVE-2013-1863

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================