The default configuration of smbd in Samba before 3.3.11, 3.4.x before 3.4.6, and 3.5.x before 3.5.0rc3, when a writable share exists, allows remote authenticated users to leverage a directory traversal vulnerability, and access arbitrary files, by using the symlink command in smbclient to create a symlink containing .. (dot dot) sequences, related to the combination of the unix extensions and wide links options.

The remote Redhat Enterprise Linux 4 host has one or more packages installed that are affected by a vulnerability that has been acknowledged by the vendor but will not be patched.

  - samba: insecure wide links default (CVE-2010-0926)

Note that Nessus has not tested for this issue but has instead relied on the package manager's report that the package is installed.

According to its banner, the version of Samba is 3.3.x earlier than 3.3.11, or 3.4.x earlier than 3.4.6, or 3.5.x earlier than 3.5.0rc3, and is therefore affected by a directory-traversal vulnerability as the application fails to sufficiently sanitize user-supplied input.  According to the vendor, the issue stems from an insecure default configuration.  The vendor advises administrators to set 'wide links = no' in the '[global]' section of 'smb.conf'.  To exploit this issue, attackers require authenticated access to a writable share, and may be exploited through a writable share accessible by guest accounts.  This may allow an attacker to access files outside of the Samba user's root directory to obtain sensitive information and perform other attacks.

The remote Oracle Linux 5 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2012-0313 advisory.

    - Security Release, fixes CVE-2010-0926
    - Security Release, fixes CVE-2010-0547, CVE-2010-0787, CVE-2011-2694,       CVE-2011-2522, CVE-2011-1678, CVE-2011-2724
    - Security Release, fixes CVE-2011-0719
    - Security Release, fixes CVE-2010-3069

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 5 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2012:0313 advisory.

  - samba: insecure wide links default (CVE-2010-0926)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

With enabled 'wide links' samba follows symbolic links on the server side, therefore allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default setting to have 'wide links' disabled by default. The new default only works if 'wide links' is not set explicitly in smb.conf.

Due to a race condition in mount.cifs a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it's not recommended to change that.
(CVE-2010-0547)

It was discovered the Samba handled symlinks in an unexpected way when both 'wide links' and 'UNIX extensions' were enabled, which is the default. A remote attacker could create symlinks and access arbitrary files from the server.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

With enabled 'wide links' samba follows symbolic links on the server side, therefore allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default setting to have 'wide links' disabled by default. The new default only works if 'wide links' is not set explicitly in smb.conf.

Due to a race condition in mount.cifs a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it's not recommended to change that (CVE-2010-0547).

With enabled 'wide links' Samba follows symbolic links on the server side, therefore allowing clients to overwrite arbitrary files (CVE-2010-0926). This update changes the default setting to have 'wide links' disabled by default. The new default only works if 'wide links' is not set explicitly in smb.conf.

Due to a race condition in mount.cifs a local attacker could corrupt /etc/mtab if mount.cifs is installed setuid root. mount.cifs is not setuid root by default and it's not recommended to change that.
(CVE-2010-0547)

The remote Samba server is configured insecurely and allows a remote attacker to gain read or possibly write access to arbitrary files on the affected host.  Specifically, if an attacker has a valid Samba account for a share that is writable or there is a writable share that is configured to be a guest account share, he can create a symlink using directory traversal sequences and gain access to files and directories outside that share. 

Note that successful exploitation requires that the Samba server's 'wide links' parameter be set to 'yes', which is the default.

ID	Name	Product	Family	Severity
199746	RHEL 4 : samba (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	high
9342	Samba 3.3.x < 3.3.11 / 3.4.x < 3.4.6 / 3.5.x < 3.5.0rc3 Directory Traversal	Nessus Network Monitor	Samba	medium
68484	Oracle Linux 5 : samba (ELSA-2012-0313)	Nessus	Oracle Linux Local Security Checks	high
58067	RHEL 5 : samba (RHSA-2012:0313)	Nessus	Red Hat Local Security Checks	high
49834	SuSE 10 Security Update : Samba (ZYPP Patch Number 6921)	Nessus	SuSE Local Security Checks	low
45471	SuSE 10 Security Update : Samba (ZYPP Patch Number 6920)	Nessus	SuSE Local Security Checks	low
45453	SuSE9 Security Update : Samba (YOU Patch Number 12595)	Nessus	SuSE Local Security Checks	low
45343	Ubuntu 6.06 LTS / 8.04 LTS / 8.10 / 9.04 / 9.10 : samba vulnerability (USN-918-1)	Nessus	Ubuntu Local Security Checks	low
45341	openSUSE Security Update : cifs-mount (cifs-mount-2128)	Nessus	SuSE Local Security Checks	low
45340	openSUSE Security Update : cifs-mount (cifs-mount-2128)	Nessus	SuSE Local Security Checks	low
45339	openSUSE Security Update : cifs-mount (cifs-mount-2128)	Nessus	SuSE Local Security Checks	low
45130	SuSE 11 Security Update : Samba (SAT Patch Number 2126)	Nessus	SuSE Local Security Checks	low
44406	Samba Symlink Traversal Arbitrary File Access (unsafe check)	Nessus	Misc.	high

Detections

Analytics

CVE-2010-0926

high

Tenable Plugins

high

medium

high

high

low

low

low

low

low

low

low

low

high