===========================================================
== Subject:     Incorrect ACL get/set allowed on symlink path.
==
== CVE ID#:     CVE-2015-7560
==
== Versions:    Samba 3.2.0 to 4.4.0rc3
==
== Summary:     Authenticated client could cause Samba to
==              overwrite ACLs with incorrect owner/group.
==
===========================================================

===========
Description
===========

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to
create a symlink to a file or directory, and then use non-UNIX SMB1
calls to overwrite the contents of the ACL on the file or directory
linked to.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at https://www.samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd.

Alternatively, prohibit the use of SMB1 by setting
the parameter:

server min protocol = SMB2

to the [global] section of your smb.conf and restart smbd.

=======
Credits
=======

This problem was found by Jeremy Allison of Google, Inc. and the Samba
Team, who also provided the fix.
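
The check below is an added example, not part of the Samba advisory or of Samba's own code: it parses smb.conf text and reports whether either [global] setting from the Workaround section is in place. The function names and sample configurations are constructed for illustration, and an unset server min protocol is treated as SMB1 still being allowed (an assumption about the defaults of affected versions).

```python
import re

FALSE_VALUES = {"no", "false", "0", "off"}  # smb.conf boolean "off" spellings

def global_params(conf_text):
    """Return {normalized name: value} for the [global] section of smb.conf text."""
    params, section = {}, None
    # Join backslash-continued lines first, as smb.conf allows.
    for raw in re.sub(r"\\\n", "", conf_text).splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Parameter names ignore case and embedded whitespace.
            params["".join(name.split()).lower()] = value.strip()
    return params

def workaround_status(conf_text):
    """Report which of the advisory's two workarounds are configured."""
    p = global_params(conf_text)
    unix_ext_off = p.get("unixextensions", "yes").lower() in FALSE_VALUES
    # "min protocol" is a synonym of "server min protocol".
    min_proto = p.get("serverminprotocol", p.get("minprotocol"))
    # Assumption: unset or unrecognized values are treated as SMB1 allowed.
    smb1_off = bool(min_proto) and min_proto.upper().startswith(("SMB2", "SMB3"))
    return {"unix_extensions_disabled": unix_ext_off,
            "smb1_disabled": smb1_off,
            "mitigated": unix_ext_off or smb1_off}

# Constructed sample configurations, not taken from the advisory.
SAMPLE_DEFAULT = "[global]\n  workgroup = EXAMPLE\n[share]\n  unix extensions = no\n"
SAMPLE_FIXED = "[global]\n  ; workaround applied\n  Unix Extensions = No\n"
SAMPLE_SMB2 = "[global]\n  server min protocol = SMB2\n"

if __name__ == "__main__":
    for label, text in [("default", SAMPLE_DEFAULT), ("unix-ext-off", SAMPLE_FIXED),
                        ("smb2-min", SAMPLE_SMB2)]:
        print(label, workaround_status(text))
```

The parser does not follow include directives, so run it over the output of `testparm -s` to check the effective configuration. Either workaround only narrows exposure; the patched releases listed under Patch Availability are the fix.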