CVE-2010-0787: Race Condition
First published: Tue Jan 26 2010(Updated: )
+++ This bug was initially created as a clone of <a class="bz_bug_link bz_status_CLOSED bz_closed bz_public " title="CLOSED ERRATA - CVE-2010-0788 ncpfs: Race condition by mount (ncpmount) / umount (ncpumount) operations" href="show_bug.cgi?id=532940">Bug #532940</a> +++ Several race condition flaws were found in samba-client, fuse and ncpfs packages: a, Ronald Volgers found a race condition in the samba-client's mount.cifs utility. Local, unprivileged user could use this flaw to conduct symlink attacks, leading to disclosure of sensitive information, or, possibly to privilege escalation. Upstream bug report: <a href="https://bugzilla.samba.org/show_bug.cgi?id=6853">https://bugzilla.samba.org/show_bug.cgi?id=6853</a> Upstream Samba patches: <a href="http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80">http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80</a> <a href="http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054">http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054</a> <a href="http://git.samba.org/?p=samba.git;a=commit;h=a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5">http://git.samba.org/?p=samba.git;a=commit;h=a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5</a> Issue severity note for Red Hat Enteprise Linux: ------------------------------------------------ The mount.cifs binary, as shipped within samba-client package on Red Hat Enterprise Linux 4 and 5, is NOT shipped with setuid root bit enabled by default (local, unprivileged users on these systems are NOT able to mount custom CIFS filesystem shares), which mitigates the impact of the vulnera- bility. b, Dan Rosenberg found a race condition in the FUSE's fusermount's utility by performing FUSE filesystem(s) unmount operation (it was not performed atomically). A local, unprivileged user could use this flaw to cause a denial of service (unprivileged unmount of FUSE filesystem share(s) owned by privileged user) via symlink attack involving FUSE share(s) belonging to privileged user. Issue severity note for Red Hat Enterprise Linux: ------------------------------------------------- The "fusermount" utility, as shipped within "fuse" package in Red Hat Enterprise Linux 5 IS shipped with setuid root bit enabled by default, but the unprivileged user to be able to mount custom FUSE filesystem, he needs prior to be the member of special "fuse" users group (user membership in this group is granted by privileged user), which mitigates the impact of the vulnerability. c, Dan Rosenberg found race conditions in the ncpfs ncpmount and ncpumount utilities. Local, unprivileged user could use these flaws to conduct symlink attacks, leading to denial of service (ncpumount), disclosure of sensitive information, or, possibly to privilege escalation (ncpmount). Issue severity note for Fedora: ------------------------------- The "ncpmount and ncpumount" utilities, as shipped within "ncpfs" package in Fedora release of 11 and 12 are NOT shipped with setuid root bit enabled by default (unprivileged, local users are NOT able to mount / umount custom remote NCP shares), which mitigates the impact of the flaws. MITRE has rejected the use of <a href="https://access.redhat.com/security/cve/CVE-2009-3297">CVE-2009-3297</a> because it was used for samba, ncpfs, and fuse when it should only have been used for Samba. Instead, new CVEs have been assigned as follows: CVE-2010-0787: samba CVE-2010-0788: ncpfs CVE-2010-0789: fuse This issue does not affect Red Hat Enterprise Linux 4 and 5 by default as mount.cifs is not provided with the setuid bit enabled. If a user has turned on the setuid bit (via 'chmod +s /sbin/mount.cifs'), they would be affected by this issue and can workaround the problem by removing the setuid bit. Red Hat Enterprise Linux 3 does not provide the mount.cifs program. The Red Hat Security Response Team has rated this issue as having low security impact, a future update may address this flaw. More information regarding issue severity can be found here: <a href="http://www.redhat.com/security/updates/classification/">http://www.redhat.com/security/updates/classification/</a>
Credit: cve@mitre.org cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Samba Samba | =3.2.3 | |
| Samba Samba | =3.4.0 | |
| Samba Samba | =3.4.5 | |
| Samba Samba | =3.0.28a | |
| Samba Samba | =3.0.22 | |
| redhat/samba | <0:3.0.33-0.34.el4 | 0:3.0.33-0.34.el4 |
| redhat/samba3x | <0:3.5.4-0.70.el5 | 0:3.5.4-0.70.el5 |
| redhat/samba | <0:3.0.33-3.29.el5_7.4 | 0:3.0.33-3.29.el5_7.4 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://git.samba.org/?p=samba.git%3Ba=commit%3Bh=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80
- http://git.samba.org/?p=samba.git%3Ba=commit%3Bh=a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5
- http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034444.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-January/034470.html
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html
- http://secunia.com/advisories/38286
- http://secunia.com/advisories/38308
- http://secunia.com/advisories/38357
- http://security.gentoo.org/glsa/glsa-201206-29.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:090
- http://www.securityfocus.com/bid/37992
- http://www.securityfocus.com/bid/39898
- http://www.ubuntu.com/usn/USN-893-1
- http://www.vupen.com/english/advisories/2010/1062
- https://bugzilla.redhat.com/show_bug.cgi?id=532940
- https://bugzilla.redhat.com/show_bug.cgi?id=558833
- https://bugzilla.samba.org/show_bug.cgi?id=6853
- https://exchange.xforce.ibmcloud.com/vulnerabilities/55944
- http://git.samba.org/?p=samba.git;a=commit;h=3ae5dac462c4ed0fb2cd94553583c56fce2f9d80
- http://git.samba.org/?p=samba.git;a=commit;h=a0c31ec1c8d1220a5884e40d9ba6b191a04a24d5
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=532940
- http://git.samba.org/?p=samba.git;a=commit;h=a065c177dfc8f968775593ba00dffafeebb2e054
- https://access.redhat.com/security/cve/CVE-2009-3297
- http://www.redhat.com/security/updates/classification/
- https://bugzilla.samba.org/show_bug.cgi?id=6853#c2
- https://rhn.redhat.com/errata/RHSA-2011-1219.html
- https://bugzilla.redhat.com/show_bug.cgi?id=577277
- https://www.cve.org/CVERecord?id=CVE-2010-0787 https://nvd.nist.gov/vuln/detail/CVE-2010-0787
- https://access.redhat.com/errata/RHSA-2011:1219
- https://access.redhat.com/errata/RHBA-2011:0054
- https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2010-0787.json
- collector/nvd-historical
- collector/nvd-index
- collector/nvd-api
- agent/author
- agent/type
- agent/remedy
- agent/softwarecombine
- agent/first-publish-date
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2010-0787
- agent/severity
- agent/references
- agent/weakness
- collector/redhat-cve
- agent/software-canonical-lookup
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/tags
- agent/description
- agent/event
- agent/trending
- vendor/samba
- canonical/samba samba
- version/samba samba/3.2.3
- version/samba samba/3.4.0
- version/samba samba/3.4.5
- version/samba samba/3.0.28a
- version/samba samba/3.0.22
- package-manager/redhat