Description

All versions of Samba prior to 4.15.0 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow filesystem metadata to be accessed in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.

Clients that have write access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks that can race the server by renaming an existing path and then replacing it with a symlink. If the client wins the race it can cause the server to read or modify file or directory metadata on the symlink target. The authenticated user must have permissions to read or modify the metadata of the target of the symlink in order to perform the operation outside of the share. Filesystem metadata includes such attributes as timestamps, extended attributes, permissions, and ownership. This is a difficult race to win, but theoretically possible. Exploitation of this bug has not been seen in the wild.

iXsystems strongly discourages the use of SMB1 as well as running SMB and NFS shares on the same path. If you have a support contract with iXsystems and need assistance or have other questions feel free to reach out to your Support representative.

CVSS

CVSS:7.4/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:X/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:N

Workaround

Do not run SMB + NFS on same path on 12.0 systems.

Prior to 12.0-U8, if SMB1 is used, the auxiliary parameter “unix extensions = no” should be added in the SMB configuration avaiable on the Services SMB Configuration page.

Mitigation

Disable SMB1 or add the auxiliary parameter “unix extensions = no” to the SMB service configuration
Disable running SMB + NFS on the same path
Upgrade to TrueNAS 13.0 when available

CVE-2021-20316 : samba - symlink race condition

Description

CVSS

Workaround

Mitigation

Commit

Further information