CVE-2023-4091

Samba: smb clients can truncate files with read-only permissions

Description

A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.

Remediation

Workaround:

  • The vulnerability is most commonly associated with the "acl_xattr" module and can be mitigated by setting: ~~~ "acl_xattr:ignore system acls = no" ~~~

Category

6.5
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.48%
Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory redhat.com Vendor Advisory samba.org
Affected: Red Hat Red Hat Enterprise Linux 8
Affected: Red Hat Red Hat Enterprise Linux 8
Affected: Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support
Affected: Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support
Affected: Red Hat Red Hat Enterprise Linux 9
Affected: Red Hat Red Hat Enterprise Linux 9
Affected: Red Hat Red Hat Enterprise Linux 9.0 Extended Update Support
Affected: Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support
Affected: Red Hat Red Hat Virtualization 4 for Red Hat Enterprise Linux 8
Affected: Red Hat Red Hat Enterprise Linux 6
Affected: Red Hat Red Hat Enterprise Linux 6
Affected: Red Hat Red Hat Enterprise Linux 7
Affected: Red Hat Red Hat Storage 3
Published at:
Updated at:

References

Link Tags
https://access.redhat.com/errata/RHSA-2023:6209 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2023:6744 third party advisory vendor advisory
https://access.redhat.com/errata/RHSA-2023:7371 vendor advisory
https://access.redhat.com/errata/RHSA-2023:7408 vendor advisory
https://access.redhat.com/errata/RHSA-2023:7464 vendor advisory
https://access.redhat.com/errata/RHSA-2023:7467 vendor advisory
https://access.redhat.com/security/cve/CVE-2023-4091 vdb entry third party advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2241882 issue tracking
https://bugzilla.samba.org/show_bug.cgi?id=15439 issue tracking
https://www.samba.org/samba/security/CVE-2023-4091.html vendor advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/ZUMVALLFFDFC53JZMUWA6HPD7HUGAP5I/
https://security.netapp.com/advisory/ntap-20231124-0002/

Frequently Asked Questions

What is the severity of CVE-2023-4091?
CVE-2023-4091 has been scored as a medium severity vulnerability.
How to fix CVE-2023-4091?
As a workaround for remediating CVE-2023-4091: The vulnerability is most commonly associated with the "acl_xattr" module and can be mitigated by setting: ~~~ "acl_xattr:ignore system acls = no" ~~~
Is CVE-2023-4091 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2023-4091 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2023-4091?
CVE-2023-4091 affects Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 8.6 Extended Update Support, Red Hat Red Hat Enterprise Linux 8.8 Extended Update Support, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9, Red Hat Red Hat Enterprise Linux 9.0 Extended Update Support, Red Hat Red Hat Enterprise Linux 9.2 Extended Update Support, Red Hat Red Hat Virtualization 4 for Red Hat Enterprise Linux 8, Red Hat Red Hat Enterprise Linux 6, Red Hat Red Hat Enterprise Linux 6, Red Hat Red Hat Enterprise Linux 7, Red Hat Red Hat Storage 3.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.