
Samba updates eliminate pair of vulnerabilities

The development team behind Samba issued software updates yesterday in order to patch a pair of vulnerabilities in the free re-implementation of the SMB networking protocol.

The first vulnerability, CVE-2019-3870, occurs in Samba versions 4.9.x upon the provisioning of a new Active Directory domain controller. During this process, some files in the private/ directory are created such that they are world-writable. Discovered by Björn Baumbach of the Samba Team and SerNet, the flaw is remedied by Samba releases 4.9.6 and 4.10.2.

These same two software releases also fix a second bug, CVE-2019-3880, which was found in all versions of Samba since 3.2.0. Reported by Michael Hanselmann, this problem can allow authenticated users with write permissions to "trigger a symlink traversal to write or detect files outside the Samba share," according to Samba developers.
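For the first flaw, a defender can check whether a provisioned domain controller has world-writable entries under its private/ directory. The script below is an added example, not code from Samba or from this article; the function names, the caller-supplied directory path and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a Samba private/ directory for world-writable entries.
# The directory path is caller-supplied; its location varies by build (assumption).

# List files and directories under $1 that have the "other" write bit set.
list_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 -print 2>/dev/null | sort
}

# Exit status: 0 = clean, 1 = world-writable entries found, 2 = bad path.
audit_private_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "error: $dir is not a directory" >&2
        return 2
    fi
    findings=$(list_world_writable "$dir")
    if [ -z "$findings" ]; then
        echo "OK: no world-writable entries under $dir"
        return 0
    fi
    echo "FINDING: world-writable entries under $dir:"
    # Show mode and owner for each hit so the report is actionable.
    echo "$findings" | while IFS= read -r path; do
        ls -ld "$path"
    done
    return 1
}

# Local tightening step (not the Samba project's fix): drop the other-write bit.
fix_world_writable() {
    list_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# Demo on a constructed tree (file names are made up, not real Samba files).
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -m 0700 "$tmp/private"
    : > "$tmp/private/loose.conf"; chmod 0666 "$tmp/private/loose.conf"
    : > "$tmp/private/tight.tdb";  chmod 0600 "$tmp/private/tight.tdb"
    audit_private_dir "$tmp/private" || true   # reports loose.conf
    fix_world_writable "$tmp/private"
    audit_private_dir "$tmp/private"           # now clean
    rm -rf "$tmp"
}
demo
```

On a real host, call `audit_private_dir` with the private directory of the local Samba installation and alert on a non-zero exit status.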

Bradley Barth

