CVE-2023-4091 Overview
A vulnerability was discovered in Samba that allows SMB clients to truncate files even when they only have read-only permissions. This flaw occurs when the Samba VFS module acl_xattr is configured with acl_xattr:ignore system acls = yes. The SMB protocol lets a client open a file with read-only access while specifying a separate OVERWRITE create disposition, and the server then implicitly truncates the opened file to 0 bytes.
Critical Impact
Authenticated attackers with read-only permissions can destroy file contents by truncating files to zero bytes, potentially causing significant data loss and integrity issues in affected Samba deployments.
Affected Products
- Samba (multiple versions)
- Fedora 39
- Red Hat Storage 3.0
- Red Hat Enterprise Linux 8.0
- Red Hat Enterprise Linux EUS 9.0
Discovery Timeline
- November 3, 2023 - CVE-2023-4091 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-4091
Vulnerability Analysis
This vulnerability represents an Improper Access Control flaw (CWE-276: Incorrect Default Permissions) in Samba's handling of SMB file operations. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's internal permissions enforcement.
When the acl_xattr VFS module is configured to ignore system ACLs, Samba fails to properly validate the combination of requested access modes and create disposition flags in SMB requests. An authenticated user who should only have read access can exploit the disconnect between the access mode check (which passes for read-only) and the create disposition handling (which allows OVERWRITE operations).
The vulnerability allows low-privileged authenticated users to silently destroy file contents without any indication to administrators, making it particularly dangerous for shared file storage environments where data integrity is critical.
Root Cause
The root cause lies in the design of how Samba processes SMB file open requests when the acl_xattr:ignore system acls = yes configuration is active. The SMB protocol separates the access mode (read/write/execute permissions) from the create disposition (how to handle existing files). When Samba checks permissions for a file open operation, it validates based on the requested access mode but does not apply the same permission check to the create disposition.
This means when a client requests read-only access with an OVERWRITE create disposition, Samba:
- Validates that the user has read permissions (passes)
- Processes the OVERWRITE disposition without validating write permissions (vulnerability)
The kernel file system would normally catch this discrepancy, but with ignore system acls enabled, these kernel-level checks are bypassed entirely.
Attack Vector
The attack is network-based and requires low-privilege authentication to the Samba server. An attacker needs:
- Valid credentials to authenticate to the Samba share
- Read-only access to target files
- The target server configured with acl_xattr:ignore system acls = yes
The attacker constructs an SMB open request specifying read-only access mode combined with an OVERWRITE create disposition. When Samba processes this request, the file is truncated to zero bytes despite the attacker only having read permissions.
This vulnerability is particularly concerning because it allows data destruction through what appears to be a legitimate read operation, making it difficult to detect through standard access logging.
Detection Methods for CVE-2023-4091
Indicators of Compromise
- Unexpected file truncation events where files are reduced to 0 bytes
- SMB audit logs showing FILE_OVERWRITE or FILE_OVERWRITE_IF dispositions from users with read-only permissions
- Sudden data loss in Samba shares where users only have read access
- File modification timestamps changing on files that should be read-only
Detection Strategies
- Enable detailed SMB audit logging and monitor for OVERWRITE create dispositions from non-administrative users
- Implement file integrity monitoring (FIM) on critical Samba shares to detect unexpected file modifications
- Review Samba configuration files for acl_xattr:ignore system acls = yes settings to identify vulnerable deployments
- Monitor for authentication events followed by file size changes to 0 bytes
Monitoring Recommendations
- Configure Samba's full_audit VFS module to log all file operations including create dispositions
- Set up alerts for file truncation events on sensitive directories
- Implement periodic file size baseline comparisons for critical data
- Review SMB traffic logs for patterns indicating exploitation attempts
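The monitoring recommendations above can be turned into a concrete check over full_audit output. The Python below is an added example, not code from this advisory or from Samba; the log lines are constructed in the shape full_audit produces under the assumed settings full_audit:prefix = %u|%I|%S and full_audit:success = openat ftruncate pwrite, and the read-only user mapping is a constructed stand-in for what you would derive from smb.conf.

```python
import re

# Constructed syslog lines in the shape full_audit produces with
# "full_audit:prefix = %u|%I|%S" and "full_audit:success = openat ftruncate pwrite"
# (format assumed from Samba's full_audit module; not a capture from a real incident).
SAMPLE_LOG = """\
Nov  3 10:14:02 fs1 smbd_audit: alice|192.0.2.10|docs|openat|ok|r|reports/q3.xlsx
Nov  3 10:14:02 fs1 smbd_audit: alice|192.0.2.10|docs|ftruncate|ok|reports/q3.xlsx
Nov  3 10:15:40 fs1 smbd_audit: bob|192.0.2.11|projects|openat|ok|w|plan.docx
Nov  3 10:15:41 fs1 smbd_audit: bob|192.0.2.11|projects|pwrite|ok|plan.docx
Nov  3 10:16:09 fs1 smbd_audit: carol|192.0.2.12|docs|openat|ok|r|reports/q3.xlsx
Nov  3 10:16:30 fs1 smbd_audit: alice|192.0.2.10|docs|ftruncate|fail|reports/q2.xlsx
"""

# Who is supposed to be read-only on which share (constructed; in practice derive this
# from "read only", "read list" and "write list" in smb.conf).
READ_ONLY_USERS = {"docs": {"alice", "carol"}}

# VFS operations that change content or namespace; a read-only user must never succeed at these.
MODIFYING_OPS = {"ftruncate", "pwrite", "unlinkat", "renameat"}

AUDIT_RE = re.compile(
    r"smbd_audit: (?P<user>[^|]+)\|(?P<ip>[^|]+)\|(?P<share>[^|]+)\|"
    r"(?P<op>[^|]+)\|(?P<result>ok|fail)(?:\|(?P<args>.*))?$")

def parse_audit_line(line):
    m = AUDIT_RE.search(line)
    return m.groupdict() if m else None

def is_unexpected_write(ev):
    """True when a user who should be read-only on the share succeeded at a modifying operation."""
    if ev is None or ev["result"] != "ok":
        return False
    if ev["user"] not in READ_ONLY_USERS.get(ev["share"], set()):
        return False
    args = ev["args"] or ""
    # openat logs the mode before the path: "w|<path>" for a write-capable open.
    if ev["op"] == "openat":
        return args.startswith("w|")
    return ev["op"] in MODIFYING_OPS

def find_unexpected_writes(log_text):
    hits = []
    for line in log_text.splitlines():
        ev = parse_audit_line(line)
        if is_unexpected_write(ev):
            path = (ev["args"] or "").split("|")[-1]
            hits.append((ev["user"], ev["share"], ev["op"], path))
    return hits
```

The read-mode openat immediately followed by a successful ftruncate from the same read-only user is exactly the trace this vulnerability leaves, and it is flagged while bob's legitimate writes on a share where he has write access are not.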
How to Mitigate CVE-2023-4091
Immediate Actions Required
- Update Samba to the latest patched version immediately
- Review and reconfigure any shares using acl_xattr:ignore system acls = yes to use proper system ACL enforcement
- Audit file shares for any evidence of unauthorized file truncation
- Consider temporarily disabling the acl_xattr module until patches are applied
Patch Information
Security patches are available from Samba and various Linux distributions. Consult the Samba Security Advisory for CVE-2023-4091 for official patch information.
Distribution-specific updates are available:
- Red Hat: Multiple advisories including RHSA-2023:6209, RHSA-2023:6744, RHSA-2023:7371, RHSA-2023:7408, RHSA-2023:7464, and RHSA-2023:7467
- Fedora: Updates available via the Fedora Package Announcement
- Debian: See Debian LTS Announcement
- NetApp: Refer to NetApp Security Advisory NTAP-20231124-0002
Workarounds
- Remove or change the acl_xattr:ignore system acls = yes configuration option to restore kernel-level permission enforcement
- Implement network-level access controls to limit SMB access to trusted systems only
- Use file system-level immutable flags on critical files as an additional protection layer
- Consider implementing Samba's veto files option to protect sensitive files from modification
# Configuration example: disable the vulnerable ACL bypass in smb.conf.
# Locate the share configuration and change or remove the setting. smb.conf has no
# inline comments (only whole lines starting with '#' or ';'), so keep notes on their own line:
#
# [share_name]
#     vfs objects = acl_xattr
#     ; changed from 'yes' to 'no'; 'no' is also the default, so the line can simply be removed
#     acl_xattr:ignore system acls = no
#
# Alternative: remove the ignore system acls directive entirely
# and let Samba use standard kernel permission checks.
# To verify the current configuration (testparm -s prints only parameters that are
# set in smb.conf, so no output means the option is not set anywhere):
testparm -s | grep -i "ignore system acls"
# After modifying smb.conf, restart Samba (the unit is named smb on Red Hat-based systems):
systemctl restart smbd
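The grep above only catches one spelling of the option. As an added example (not part of this advisory or of Samba's own tooling), the Python below applies the check from the Detection Strategies and Workarounds sections to an smb.conf: it reports every share that loads acl_xattr with ignore system acls enabled, including settings inherited from [global] and the alternative spellings Samba accepts. The smb.conf content is constructed, and the global section is assumed to be written as [global].

```python
import configparser

# Constructed sample smb.conf (not from a real deployment); the parameter that enables
# the CVE-2023-4091 condition appears in two spellings that Samba treats as identical.
SAMPLE_SMB_CONF = """\
[global]
    vfs objects = acl_xattr
    log file = /var/log/samba/log.%m

[docs]
    read only = yes
    acl_xattr:ignore system acls = yes

[projects]
    vfs objects = acl_xattr full_audit
    acl_xattr:IgnoreSystemAcls = Yes

[plain]
    vfs objects = full_audit
    acl_xattr:ignore system acls = yes
"""

def canon(key):
    # Samba matches parameter names case-insensitively and ignores whitespace inside them.
    return "".join(key.lower().split())

def effective(cp, share, key):
    # A share inherits any parameter it does not set itself from [global] (assumed lowercase).
    for section in (share, "global"):
        if cp.has_option(section, key):
            return cp.get(section, key)
    return None

def vulnerable_shares(text):
    """Shares that load acl_xattr with 'ignore system acls' enabled: the CVE-2023-4091 precondition."""
    # ':' must not be a key/value delimiter, because module parameters look like "acl_xattr:opt = val".
    cp = configparser.RawConfigParser(delimiters=("=",), comment_prefixes=("#", ";"),
                                      strict=False, allow_no_value=True)
    cp.optionxform = canon
    cp.read_string(text)
    hits = []
    for share in cp.sections():
        if share == "global":
            continue
        modules = (effective(cp, share, "vfs objects") or "").lower().split()
        ignore = (effective(cp, share, "acl_xattr:ignore system acls") or "no").strip().lower()
        if "acl_xattr" in modules and ignore in ("yes", "true", "1"):
            hits.append(share)
    return sorted(hits)
```

Running it on the sample flags docs (the module comes from [global]) and projects, but not plain, where the option is set but acl_xattr is never loaded.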
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.