search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Samba creates temporary files insecurely

Vulnerability Note VU#670568

Original Release Date: 2001-09-17 | Last Revised: 2001-09-17

Overview

Samba handles temporary files insecurely, allowing arbitrary files to be overwritten and left in a state that would permit later modification.

Description

Samba is an implementation of the Server Message Block (SMB) protocol. Some versions of samba handle temporary files in an insecure manner that may allow local users to cause arbitrary files and devices to be overwritten. Due to easily predictable printer queue cache file names, local users may create symbolic links to any file or device causing it to be corrupted when a remote user accesses a printer. In addition, the file will be left with world-writable permissions, allowing any user to enter their own data.

Impact

By modifying arbitrary files, an attacker may gain elevated priveleges. By corrupting files or devices, an attacker may cause denial of service.

Solution

Apply vendor patches; see the Systems Affected section below.

Deinstall the Samba package.

Vendor Information

670568
 
Expand all

Caldera Affected

Notified:  April 19, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

http://www.caldera.com/support/security/advisories/CSSA-2001-015.0.txt

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Conectiva Affected

Notified:  April 23, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/other_advisory-1307.html

http://www.linuxsecurity.com/advisories/other_advisory-1362.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The second link above documents the connectiva version that corrects this vulnerability.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian Affected

Notified:  April 23, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/debian_advisory-1302.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

FreeBSD Affected

Notified:  April 23, 2001 Updated: August 21, 2001

Status

Affected

Vendor Statement

ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:36.samba.asc

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MandrakeSoft Affected

Notified:  April 23, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/mandrake_advisory-1319.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Progency Linux Systems Affected

Notified:  April 19, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/other_advisory-1305.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

RedHat Affected

Notified:  April 05, 2001 Updated: August 21, 2001

Status

Affected

Vendor Statement

http://www.redhat.com/support/errata/RHSA-2001-086.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Samba Team Affected

Notified:  May 11, 2001 Updated: August 01, 2001

Status

Affected

Vendor Statement

The recent Samba 2.0.8 security fix release did NOT fix the security hole in Samba 2.0.7. I have now released Samba 2.0.9 to fix this.

Many thanks to Marc Jacobsen from HP for pointing out the error, and apologies from the Samba Team for any inconvenience.

Note that the 2.2.0 release did fix the bug, so if you have installed that release then you can ignore this message.

The 2.0.9 release is available at
ftp://ftp.samba.org/pub/samba/samba-2.0.9.tar.gz
the patch is available at:
ftp://ftp.samba.org/pub/samba/patches/samba-2.0.8-2.0.9.diffs.gz

The 2.2.0 release is available at:
ftp://ftp.samba.org/pub/samba/samba-2.2.0.tar.gz

We do not plan on doing any more releases of Samba 2.0.x.

Distribution vendors have been notified about the error and will be doing new releases shortly.
- - - - - - - - - -
The bug was introduced into the CVS tree on June 27th 1997. That means all versions from (and including) 1.9.17alpha4 are vulnerable. Amazingly, the bug went undetected through several security audits by various companies over the last 4 years.

The impact of the bug varies a little between versions. In the 2.0.7 release the exploit is only easy (and perhaps only possible, but I won't guarantee it) if you are exporting printer shares. In either case, we consider it a serious enough risk that all sites should upgrade as soon as possible, especially if you have untrusted users with shell accounts.

Note that the bug is not a race condition. Given the right conditions the exploit will be successful first time every time. (ie. it is not a classic mktemp race)

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Trustix Affected

Notified:  April 18, 2001 Updated: September 17, 2001

Status

Affected

Vendor Statement

http://www.linuxsecurity.com/advisories/other_advisory-1298.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

This vulnerability was first reported by Marcus Meissner of Caldera.

This document was last modified by Tim Shimeall.

Other Information

CVE IDs: CVE-2001-0406
Severity Metric: 13.36
Date Public: 2001-04-23
Date First Published: 2001-09-17
Date Last Updated: 2001-09-17 19:24 UTC
Document Revision: 7

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis