Full text is here: https://attachments.samba.org/attachment.cgi?id=15030

Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winreg_SaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a new file within a Samba share. If they are able to create symlinks on a Samba share, they can create a new registry hive file anywhere they have write access, even outside a Samba share definition.
Note - existing share restrictions such as "read only" or share ACLs do *not* prevent new registry hive files being written to the filesystem. A file may be written under any share definition wherever the user has unix permissions to create a file.
Existing files cannot be overwritten using this vulnerability; only new registry hive files can be created. However, the presence of existing files with a specific name can be detected.
Samba writes or detects the file as the authenticated user, not as root.
Mitigation steps are to either (1) disable SMB1 (which is the default in FreeNAS) or (2) disable SMB1 Unix Extensions. I brought the bug fix into our stable code branch this morning, and it is being included in the U4 release (which is due at the end of the month). Feel free to send me a PM or respond in thread if you have questions.
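As an added illustration of the two mitigations above (example code, not from the post or from Samba): a small Python checker that parses the [global] section of a constructed smb.conf and flags the server only when SMB1 is still negotiable and SMB1 unix extensions are still on. One assumption is noted in the comments: an unset `server min protocol` is treated conservatively as SMB1-capable, since the real default depends on the Samba version.

```python
"""Audit an smb.conf [global] section against the two mitigations named in the post:
(1) SMB1 disabled via 'server min protocol', or (2) 'unix extensions = no'."""
import re

# SMB1-era dialect names accepted by "server min protocol"; anything SMB2_*/SMB3_* is newer.
SMB1_DIALECTS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
BOOL_TRUE = {"yes", "true", "1"}


def parse_global(conf_text):
    """Return {lower-cased key: value} from the [global] section only.
    smb.conf comment lines start with '#' or ';'; keys are case-insensitive and may contain spaces."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        params[key.strip().lower()] = value.strip()
    return params


def smb1_enabled(params):
    """True when the minimum dialect still admits SMB1. Assumption: an unset value is
    treated as SMB1-capable (conservative; the actual default varies by Samba version)."""
    return params.get("server min protocol", "NT1").upper() in SMB1_DIALECTS


def unix_extensions_enabled(params):
    """'unix extensions' defaults to yes in Samba; only an explicit no/false/0 turns it off."""
    return params.get("unix extensions", "yes").lower() in BOOL_TRUE


def exposed_to_symlink_traversal(conf_text):
    """Per the post, either mitigation suffices, so flag only when both are still enabled."""
    params = parse_global(conf_text)
    return smb1_enabled(params) and unix_extensions_enabled(params)


# Constructed sample configs (not from the post). The weak one leaves both enabled; note the
# 'read only' share, which the post says does not stop new hive files from being written.
WEAK_CONF = """
[global]
   workgroup = WORKGROUP
   # SMB1 still negotiable
   server min protocol = NT1
   unix extensions = yes
[share]
   path = /mnt/pool/share
   read only = yes
"""
HARDENED_NO_SMB1 = WEAK_CONF.replace("server min protocol = NT1", "server min protocol = SMB2_02")
HARDENED_NO_UNIXEXT = WEAK_CONF.replace("unix extensions = yes", "unix extensions = no")
```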