========================================================== == Subject: Potential access to "/" in setups with == registry shares enabled == == CVE ID#: CVE-2009-0022 == == Versions: Samba 3.2.0 - 3.2.6 (inclusive) == == Summary: In setups with registry shares enabled, == access to the root filesystem ("/") is granted == when connecting to a share called "" (empty string) == using old versions of smbclient. == ========================================================== =========== Description =========== When connecting to a share called "" (empty string) using an older version of smbclient (before 3.0.28) for example with: 'smbclient //server/ -U user%pass' access to the root filesystem is granted with the privileges of the authenticated user. This only happens in setups with registry shares enabled by setting "registry shares = yes" which is implicitly set with "include = registry" and "config backend = registry", but is not the default. ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 3.2.7 has been issued as a security release to correct the defect. Samba administrators are advised to upgrade to 3.2.7 or apply the patch as soon as possible when "registry shares" is set to "yes". ========== Workaround ========== As a workaround, registry shares can be disabled using "registry shares = no". ======= Credits ======= This issue was found and reported to the Samba Team by Gunter Höckel <Gunter.Hoeckel [at] fujitsu-siemens.com>. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================