CVE-2023-4091

Summary

A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.

Affected Software

VendorProductVersion RangeStatus
Red HatRed Hat Enterprise Linux 80:4.18.6-2.el8_9 < *unaffected
Red HatRed Hat Enterprise Linux 80:4.18.6-2.el8_9 < *unaffected
Red HatRed Hat Enterprise Linux 8.6 Extended Update Support0:4.15.5-13.el8_6 < *unaffected
Red HatRed Hat Enterprise Linux 8.8 Extended Update Support0:4.17.5-4.el8_8 < *unaffected
Red HatRed Hat Enterprise Linux 90:4.18.6-101.el9_3 < *unaffected
Red HatRed Hat Enterprise Linux 90:4.18.6-101.el9_3 < *unaffected
Red HatRed Hat Enterprise Linux 9.0 Extended Update Support0:4.15.5-111.el9_0 < *unaffected
Red HatRed Hat Enterprise Linux 9.2 Extended Update Support0:4.17.5-104.el9_2 < *unaffected
Red HatRed Hat Virtualization 4 for Red Hat Enterprise Linux 80:4.15.5-13.el8_6 < *unaffected

Weaknesses

  • CWE-276: Incorrect Default Permissions

Workarounds

The vulnerability is most commonly associated with the "acl_xattr" module and can be mitigated by setting:

&#34;acl_xattr:ignore system acls = no&#34;

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: total

CVE Program Container

Additional References

References