=====================================================================
CERT-Renater Information Note No. 2009/VULN001
_____________________________________________________________________

DATE                 : 07/01/2009
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running Samba versions 3.2.0 up to and
                       including 3.2.6.
======================================================================

http://www.samba.org/samba/security/CVE-2009-0022.html
______________________________________________________________________

==========================================================
== Subject:     Potential access to "/" in setups with
==              registry shares enabled
==
== CVE ID#:     CVE-2009-0022
==
== Versions:    Samba 3.2.0 - 3.2.6 (inclusive)
==
== Summary:     In setups with registry shares enabled,
==              access to the root filesystem ("/") is granted
==              when connecting to a share called "" (empty string)
==              using old versions of smbclient.
==
==========================================================

===========
Description
===========

When connecting to a share called "" (empty string) using an older
version of smbclient (before 3.0.28), for example with:

    smbclient //server/ -U user%pass

access to the root filesystem is granted with the privileges of the
authenticated user.

This only happens in setups with registry shares enabled by setting
"registry shares = yes", which is implicitly set by "include = registry"
and "config backend = registry". It is not the default.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

    http://www.samba.org/samba/security/

Additionally, Samba 3.2.7 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to 3.2.7
or apply the patch as soon as possible when "registry shares" is set to
"yes".

==========
Workaround
==========

As a workaround, registry shares can be disabled using
"registry shares = no".
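Both preconditions named above (an smbd in the 3.2.0 - 3.2.6 range, and registry shares enabled in smb.conf, explicitly or through "include = registry" / "config backend = registry") can be checked on a host before deciding between the upgrade and the workaround. The POSIX shell script below is an added example and is not part of the CERT-Renater or Samba advisory. The function names are the example's own, the two smb.conf files it writes are constructed for the example, and the version string is assumed to be the output of `smbd -V` (which prints "Version x.y.z").

```shell
#!/bin/sh
# Added example, not part of the CERT-Renater or Samba advisory. Audits a
# Samba host for the two preconditions of CVE-2009-0022: an smbd in the
# 3.2.0 - 3.2.6 range and registry shares enabled in smb.conf, either
# explicitly ("registry shares = yes") or implicitly ("include = registry"
# or "config backend = registry"). The smb.conf samples below are constructed
# for this example; the version string is assumed to come from `smbd -V`.

# Return 0 if the smb.conf given as $1 enables registry shares in [global].
# Lines beginning with ';' or '#' are comments, keys are case-insensitive and
# whitespace-tolerant, and parameters before the first section header count
# as global, as in smbd. A global parameter inside a share section is ignored
# (smbd ignores it too). For the explicit key the last value wins; an implicit
# enablement is reported even if "registry shares = no" follows it, the
# conservative choice for an audit, since the registry can hold settings
# this file scan cannot see.
registry_shares_enabled() {
    awk '
        function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
        BEGIN { section = "[global]"; explicit = 0; implicit = 0 }
        /^[ \t]*[;#]/ { next }
        {
            line = trim($0)
            if (line == "") next
            if (line ~ /^\[.*\]$/) { section = tolower(line); next }
            if (section != "[global]") next
            n = index(line, "=")
            if (n == 0) next
            key = tolower(trim(substr(line, 1, n - 1)))
            val = tolower(trim(substr(line, n + 1)))
            gsub(/[ \t]+/, " ", key)
            if (key == "registry shares") explicit = (val == "yes" || val == "true" || val == "1") ? 1 : 0
            if (key == "include" && val == "registry") implicit = 1
            if (key == "config backend" && val == "registry") implicit = 1
        }
        END { exit (explicit || implicit) ? 0 : 1 }
    ' "$1"
}

# Return 0 if the version in $1 (e.g. "Version 3.2.6", the output of
# `smbd -V`) lies in the affected range 3.2.0 - 3.2.6 inclusive, 1 if it
# lies outside it, 2 if no x.y.z version could be found in the string.
samba_version_affected() {
    v=$(printf '%s\n' "$1" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+\.[0-9]+\.[0-9]+/) { print $i; exit } }')
    [ -n "$v" ] || return 2
    major=${v%%.*}
    rest=${v#*.}
    minor=${rest%%.*}
    rest=${rest#*.}
    patch=${rest%%[!0-9]*}          # drop a vendor suffix such as "6-1"
    [ "$major" -eq 3 ] && [ "$minor" -eq 2 ] && [ "$patch" -le 6 ]
}

# Print a one-line verdict for a host; return 0 when both preconditions hold
# (action required), 1 otherwise.
audit_samba() {
    conf=$1
    ver=$2
    if registry_shares_enabled "$conf"; then shares=enabled; else shares=disabled; fi
    if samba_version_affected "$ver"; then status=affected; else status=not-affected; fi
    echo "$conf: samba '$ver' is $status, registry shares $shares"
    [ "$shares" = enabled ] && [ "$status" = affected ]
}

# Constructed sample configurations (not taken from any real host).
VULN_CONF=$(mktemp)
SAFE_CONF=$(mktemp)
trap 'rm -f "$VULN_CONF" "$SAFE_CONF"' EXIT

cat > "$VULN_CONF" <<'EOF'
# constructed smb.conf: registry shares turned on implicitly
[Global]
    workgroup = EXAMPLE
    Include = registry
[public]
    path = /srv/public
EOF

cat > "$SAFE_CONF" <<'EOF'
# constructed smb.conf: the advisory workaround applied
[global]
    workgroup = EXAMPLE
    ; registry shares = yes
    registry shares = no
[public]
    path = /srv/public
    ; a global parameter inside a share section is ignored by smbd
    registry shares = yes
EOF

for conf in "$VULN_CONF" "$SAFE_CONF"; do
    if audit_samba "$conf" "Version 3.2.6"; then
        echo "  -> upgrade to Samba 3.2.7 or set 'registry shares = no'"
    fi
done
```

On a real host, replace the constructed files with /etc/samba/smb.conf (or the path `smbd -b` reports as CONFIGFILE) and pass `"$(smbd -V)"` as the version. The scan only flags the file; when "include = registry" or "config backend = registry" is present, `net conf list` shows the registry-held settings the file does not.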
=======
Credits
=======

This issue was found and reported to the Samba Team by Gunter Höckel.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

======================================================================

=========================================================
CERT-Renater reference servers
http://www.urec.fr/securite
http://www.cru.fr/securite
http://www.renater.fr
=========================================================
+ CERT-RENATER          | tel  : 01-53-94-20-44      +
+ 151 bd de l'Hopital   | fax  : 01-53-94-20-41      +
+ 75013 Paris           | email: certsvp@renater.fr  +
=========================================================