Vulnerability identifier: #VU81875
Vulnerability risk: High
CVSSv3.1: 7.9 [CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:U/RL:O/RC:C]
CVE-ID: CVE-2023-3961
CWE-ID: CWE-285
Exploitation vector: Network
Exploit availability: No
Vulnerable software: Samba (Server applications / Directory software, identity management)
Vendor: Samba
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists due to improper input validation when handling client pipe names. A remote attacker can provide a specially crafted pipe name containing directory traversal characters and force Samba to connect to Unix domain sockets outside of the private directory that is meant to restrict the services a client can connect to. The connection to Unix domain sockets is performed as root, which means that if the client sends a pipe name that resolves to an external service using an existing Unix domain socket, the client is able to connect to it without any filesystem restrictions.
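The root cause above is a pipe name that is treated as a path fragment rather than a single name. The following is an added illustration, not Samba's own code or its actual patch: it shows the kind of allow-list check a server should apply before joining a client-supplied name onto a privileged socket directory, plus a containment check as a second line of defence. The private directory path, the function names and the sample pipe names are assumptions constructed for the example.

```python
import posixpath

# Assumed location of the directory holding per-service Unix sockets.
# Constructed for this example; it is not taken from the advisory.
PRIVATE_DIR = "/var/lib/samba/private"

# Constructed sample pipe names: two benign RPC endpoint names and
# several shapes of input that must never become part of a path.
SAMPLE_PIPE_NAMES = [
    "srvsvc",
    "lsarpc",
    "../../run/other-service.sock",
    "sub/dir",
    "..",
    "",
    "name\x00trailing",
]


def is_safe_pipe_name(name: str) -> bool:
    """Accept only a plain, single path component as a pipe name.

    Anything that could change the directory the name resolves into is
    rejected outright: empty strings, '.' and '..', and any name holding a
    path separator or a NUL byte (which would truncate the C string later).
    """
    if not name or len(name) > 64:
        return False
    if name in (".", ".."):
        return False
    if "/" in name or "\\" in name or "\x00" in name:
        return False
    return True


def resolve_pipe_socket(name: str, private_dir: str = PRIVATE_DIR) -> str:
    """Map a validated pipe name to its socket path inside private_dir.

    Raises ValueError for rejected names. The commonpath check is defence in
    depth: even if the allow-list above were loosened, a result that escapes
    private_dir is still refused before any connect() as root could happen.
    """
    if not is_safe_pipe_name(name):
        raise ValueError(f"rejected pipe name: {name!r}")
    candidate = posixpath.normpath(posixpath.join(private_dir, name))
    if posixpath.commonpath([private_dir, candidate]) != private_dir:
        raise ValueError(f"pipe name escapes private directory: {name!r}")
    return candidate


def classify_pipe_names(names):
    """Return {name: socket_path_or_None} for a batch of client-supplied names.

    Useful for a quick audit of what a validation layer would let through;
    None marks a rejected name.
    """
    result = {}
    for name in names:
        try:
            result[name] = resolve_pipe_socket(name)
        except ValueError:
            result[name] = None
    return result


if __name__ == "__main__":
    for name, path in classify_pipe_names(SAMPLE_PIPE_NAMES).items():
        verdict = path if path is not None else "REJECTED"
        print(f"{name!r:32} -> {verdict}")
```

Running the block prints one line per constructed name; only the two plain service names resolve to a path under the private directory, and every traversal or separator-bearing input is rejected before any path is built.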
Mitigation
Install updates from the vendor's website.
Vulnerable software versions
Samba: 4.19.0, 4.18.0 - 4.18.7, 4.17.0 - 4.17.11, 4.16.0 - 4.16.11
External links
http://www.samba.org/samba/security/CVE-2023-3961.html
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.