
Versions Affected: All versions prior to TrueNAS Core 13.0.

Versions Not Affected: TrueNAS SCALE is not vulnerable.


Description

All versions of Samba prior to 4.15.0 are vulnerable to a malicious client using an SMB1 or NFS symlink race to access filesystem metadata in an area of the server file system that is not exported under the share definition. Note that for this attack to succeed, SMB1 must be enabled or the share must also be available via NFS.

Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to read or modify file or directory metadata on the symlink target. The authenticated user must have permissions to read or modify the metadata of the target of the symlink in order to perform the operation outside of the share. Filesystem metadata includes such attributes as timestamps, extended attributes, permissions, and ownership. This is a difficult race to win, but theoretically possible. Exploitation of this bug has not been seen in the wild.

iXsystems strongly discourages the use of SMB1 as well as running SMB and NFS shares on the same path. If you have a support contract with iXsystems and need assistance or have other questions, feel free to reach out to your Support representative.

CVSS

CVSS:7.4/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:X/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:N

Workaround

Systems that are not running SMB1 or are not running SMB + NFS on the same path are not vulnerable. If SMB1 is used, the auxiliary parameter “unix extensions = no” should be added in the SMB configuration available on the Services SMB Configuration page.

The next release of the 12.0 branch will disable unix extensions by default. Unix extensions are enabled by default for SMB1 in TrueNAS 13 and SCALE.


Mitigation

  • Disable SMB1 or add the auxiliary parameter “unix extensions = no” to the SMB service configuration
  • Disable running SMB + NFS on the same path
  • Upgrade to TrueNAS 13.0 when available
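
The two exposure conditions above can be checked offline against copies of the configuration. The following is an added example, not iXsystems or Samba code: it assumes Samba-style smb.conf text and FreeBSD-style exports text, uses constructed sample input, and also flags nested paths, which goes slightly beyond the "same path" wording.

```python
import configparser
from pathlib import PurePosixPath

SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
FALSE_VALUES = {"no", "false", "off", "0"}

def load_smb_conf(text):
    # smb.conf indents parameters; strip so configparser does not read them as continuations
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def nfs_paths(exports_text):
    # Leading tokens that start with "/" on an exports line are the exported directories
    paths = []
    for line in exports_text.splitlines():
        for tok in line.split("#", 1)[0].split():
            if not tok.startswith("/"):
                break
            paths.append(PurePosixPath(tok))
    return paths

def audit(smb_conf_text, exports_text):
    cp = load_smb_conf(smb_conf_text)
    g = cp["global"] if cp.has_section("global") else {}
    # Assumed defaults when unset: SMB2_02 minimum dialect, unix extensions = yes
    min_proto = g.get("server min protocol", "SMB2_02").upper()
    unix_ext = g.get("unix extensions", "yes").lower()
    findings = []
    if min_proto in SMB1_DIALECTS and unix_ext not in FALSE_VALUES:
        findings.append("SMB1 enabled with unix extensions: add 'unix extensions = no' or disable SMB1")
    exported = nfs_paths(exports_text)
    for name in cp.sections():
        if name.lower() == "global" or "path" not in cp[name]:
            continue
        share = PurePosixPath(cp[name]["path"])
        for nfs in exported:
            if share == nfs or share in nfs.parents or nfs in share.parents:
                findings.append(f"share [{name}] path {share} overlaps NFS export {nfs}")
    return findings

# Constructed sample input, not taken from a real system
SAMPLE_SMB = "[global]\n\tserver min protocol = NT1\n[media]\n\tpath = /mnt/tank/media\n[docs]\n\tpath = /mnt/tank/docs\n"
SAMPLE_EXPORTS = "V4: /mnt/tank\n/mnt/tank/media -alldirs -network 192.0.2.0/24\n"

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB, SAMPLE_EXPORTS):
        print(finding)
```

An empty result means neither condition from the advisory was found in the supplied text; it does not replace upgrading.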

Commit

Further information