Vulnerability Details : CVE-2023-3961
A path traversal vulnerability was identified in Samba when processing client pipe names connecting to Unix domain sockets within a private directory. Samba typically uses this mechanism to connect SMB clients to remote procedure call (RPC) services such as SAMR, LSA or SPOOLSS, which Samba initiates on demand. However, incoming client pipe names were inadequately sanitized, allowing a client to send a pipe name containing Unix directory traversal characters (../). This could result in SMB clients connecting as root to Unix domain sockets outside the private directory. If an attacker or client managed to send a pipe name resolving to an external service using an existing Unix domain socket, it could potentially lead to unauthorized access to the service and consequential adverse events, including compromise or service crashes.
Vulnerability category: Directory traversal, Bypass
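The check the description says was missing, as an added example (not Samba's code and not from the original page): the pipe name is treated as a single path component before it is joined to the private directory and placed in a `sockaddr_un`. `NP_DIR`, the function names and the sample names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/un.h>

/* Assumed placeholder for the private socket directory, not Samba's real path. */
#define NP_DIR "/var/lib/example/np"

/* Unchecked join: the client-supplied name is appended as-is, so a name
   containing "../" yields a socket path that resolves outside NP_DIR. */
static int np_addr_unchecked(const char *pipe, struct sockaddr_un *addr)
{
    int n;
    memset(addr, 0, sizeof(*addr));
    addr->sun_family = AF_UNIX;
    n = snprintf(addr->sun_path, sizeof(addr->sun_path), "%s/%s", NP_DIR, pipe);
    return (n > 0 && (size_t)n < sizeof(addr->sun_path)) ? 0 : -1; /* -1: truncated */
}

/* A pipe name must be one path component: non-empty, no '/', not "." or "..". */
static int np_name_ok(const char *pipe)
{
    if (pipe == NULL || pipe[0] == '\0')
        return 0;
    if (strcmp(pipe, ".") == 0 || strcmp(pipe, "..") == 0)
        return 0;
    return strchr(pipe, '/') == NULL;
}

/* Checked join: reject unsafe names before any path is built. */
static int np_addr_checked(const char *pipe, struct sockaddr_un *addr)
{
    if (!np_name_ok(pipe))
        return -1;
    return np_addr_unchecked(pipe, addr);
}

int main(void)
{
    /* Constructed sample names, not captured traffic. */
    const char *names[] = { "samr", "lsarpc", "spoolss", "../outside.sock", "..", "" };
    struct sockaddr_un addr;
    size_t i;
    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        int ok = np_addr_checked(names[i], &addr) == 0;
        printf("%-18s -> %s\n", names[i], ok ? addr.sun_path : "rejected");
    }
    return 0;
}
```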
Products affected by CVE-2023-3961
- cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
- cpe:2.3:o:redhat:enterprise_linux_eus:9.0:*:*:*:*:*:*:*
- cpe:2.3:a:redhat:storage:3.0:*:*:*:*:*:*:*
- cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
- cpe:2.3:o:fedoraproject:fedora:39:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2023-3961
EPSS score: 0.19% (probability of exploitation activity in the next 30 days)
EPSS percentile: ~57% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2023-3961
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H | 3.9 | 5.9 | NIST | |
6.5 | MEDIUM | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:L | 2.2 | 4.2 | Red Hat, Inc. | |
9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H | 3.9 | 5.2 | Red Hat, Inc. | 2024-01-02 |
CWE ids for CVE-2023-3961
- The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
  Assigned by:
  - nvd@nist.gov (Primary)
  - secalert@redhat.com (Secondary)
References for CVE-2023-3961
- https://www.samba.org/samba/security/CVE-2023-3961.html
  Samba - Security Announcement Archive (Vendor Advisory)
- https://access.redhat.com/errata/RHSA-2023:6744
  RHSA-2023:6744 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://security.netapp.com/advisory/ntap-20231124-0002/
  October 2023 Samba Vulnerabilities in NetApp Products | NetApp Product Security
- https://bugzilla.samba.org/show_bug.cgi?id=15422
  15422 – (CVE-2023-3961) CVE-2023-3961 [SECURITY] Unsanitized client pipe name passed to local_np_connect() (Exploit; Issue Tracking)
- https://access.redhat.com/errata/RHSA-2023:6209
  RHSA-2023:6209 - Security Advisory - Red Hat Customer Portal (Third Party Advisory)
- https://access.redhat.com/errata/RHSA-2023:7371
  RHSA-2023:7371 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2023:7464
  RHSA-2023:7464 - Security Advisory - Red Hat Customer Portal
- https://access.redhat.com/errata/RHSA-2023:7467
  RHSA-2023:7467 - Security Advisory - Red Hat Customer Portal
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZUMVALLFFDFC53JZMUWA6HPD7HUGAP5I/
  [SECURITY] Fedora 39 Update: samba-4.19.2-1.fc39 - package-announce - Fedora Mailing-Lists (Mailing List)
- https://access.redhat.com/security/cve/CVE-2023-3961
  CVE-2023-3961 - Red Hat Customer Portal (Third Party Advisory)
- https://bugzilla.redhat.com/show_bug.cgi?id=2241881
  2241881 – (CVE-2023-3961) CVE-2023-3961 samba: smbd allows client access to unix domain sockets on the file system as root (Issue Tracking)
- https://access.redhat.com/errata/RHSA-2023:7408
  RHSA-2023:7408 - Security Advisory - Red Hat Customer Portal