CVE-2019-3870 in Samba
Summary
by MITRE
A vulnerability was found in Samba from version (including) 4.9 to versions before 4.9.6 and 4.10.2. During the creation of a new Samba AD DC, files are created in a private subdirectory of the install location. This directory is typically mode 0700, that is, owner (root) only access. However, in some upgraded installations it will have other permissions, such as 0755, because this was the default before Samba 4.8. Within this directory, files are created with mode 0666, which is world-writable, including a sample krb5.conf, and the list of DNS names and servicePrincipalName values to update.
Analysis
by VulDB Data Team • 01/25/2026
The vulnerability described in CVE-2019-3870 is a critical privilege escalation issue in Samba Active Directory Domain Controller deployments. It affects Samba versions from 4.9.0 through 4.10.1 (releases before the fixed 4.9.6 and 4.10.2): files that the AD DC provisioning step writes into the private subdirectory of the installation are created world-writable, so any local user on the system can modify them. The flaw stems from improper file permission handling during Samba AD DC initialization, where files are created with mode 0666 even though they live in a directory that is supposed to be restricted to root.
Technically, the provisioning code creates sensitive configuration files with mode 0666, which allows any user on the system to modify them. Specifically, the sample krb5.conf and the list of DNS names and servicePrincipalName values to update are written with these permissions, which makes them potential vectors for privilege escalation. This matters because the files live in the Samba AD DC private directory, which holds critical authentication and service configuration data. The root cause lies in the change of default permissions for the private directory between Samba 4.7 and 4.8, when the default moved from 0755 to 0700: installations upgraded from a pre-4.8 release can retain the older 0755 directory mode, and a world-writable file inside such a directory is reachable by every local user.
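The permission defect above comes down to how a file is created. The following Python is an added illustration and is not Samba's provisioning code: `write_insecure` reproduces the outcome the summary describes (a configuration file landing on disk as 0666) by letting the default `open()` mode reach the file system under a zeroed umask, and `write_hardened` shows the pattern that avoids it, requesting 0600 at creation time and forcing the mode afterwards so the umask cannot widen it. The zeroed umask is this example's way of producing a 0666 file; it is not claimed here to be the exact code path inside Samba. The krb5.conf content is a constructed sample, not Samba's template.

```python
import os
import stat
import tempfile

# Constructed sample of the kind of file the provisioning step writes
# (hypothetical content; not Samba's actual krb5.conf template).
SAMPLE_KRB5_CONF = (
    "[libdefaults]\n"
    "\tdefault_realm = EXAMPLE.INTERNAL\n"
    "\tdns_lookup_kdc = true\n"
)


def write_insecure(path: str, content: str = SAMPLE_KRB5_CONF) -> int:
    """Defective pattern: open() requests 0666 and relies on the process umask
    to strip bits. With the umask zeroed (assumed here to reproduce the CVE's
    outcome), the file is created world-writable. Returns the resulting mode."""
    old = os.umask(0)          # simulate a zeroed umask for this example
    try:
        with open(path, "w") as fh:
            fh.write(content)
    finally:
        os.umask(old)          # restore so the caller's umask is unaffected
    return stat.S_IMODE(os.stat(path).st_mode)


def write_hardened(path: str, content: str = SAMPLE_KRB5_CONF) -> int:
    """Create the file owner-only regardless of umask: request 0600 at creation,
    refuse to reuse a pre-existing file (O_EXCL), and fchmod the open descriptor
    so no umask setting can leave extra bits. Returns the resulting mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    try:
        os.fchmod(fd, 0o600)
        os.write(fd, content.encode())
    finally:
        os.close(fd)
    return stat.S_IMODE(os.stat(path).st_mode)


def is_world_writable(mode: int) -> bool:
    """True when the 'other' write bit is set (the 0666 case)."""
    return bool(mode & stat.S_IWOTH)


def demo() -> tuple:
    """Write both variants into a scratch directory and return their modes."""
    with tempfile.TemporaryDirectory() as d:
        insecure = write_insecure(os.path.join(d, "krb5.conf.insecure"))
        hardened = write_hardened(os.path.join(d, "krb5.conf.hardened"))
    return insecure, hardened


if __name__ == "__main__":
    ins, hard = demo()
    print(f"insecure: {oct(ins)} world-writable={is_world_writable(ins)}")
    print(f"hardened: {oct(hard)} world-writable={is_world_writable(hard)}")
```

The hardened variant does not depend on the umask at all, which is the property that matters when a shared helper may have changed the process umask before the file is written.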
The operational impact extends beyond a local privilege escalation to potential domain compromise and lateral movement within the network. An attacker holding a low-privilege account on the domain controller could modify the krb5.conf file, potentially redirecting Kerberos authentication requests to malicious servers, and tampering with the DNS name and servicePrincipalName list could disrupt service availability or enable man-in-the-middle attacks against authentication services. The flaw maps to CWE-732 (Incorrect Permission Assignment for Critical Resource), which covers critical system resources granted insecure permissions, and to ATT&CK technique T1068 (Exploitation for Privilege Escalation), since it lets an attacker gain elevated privileges by manipulating system files with insecure permissions.
Remediation is to upgrade Samba to version 4.9.6 or 4.10.2, which contain the patches for the file permission handling. System administrators should also audit existing installations for upgraded systems that still carry 0755 on the private subdirectory, and restore the expected 0700 mode. Additional mitigations include file system monitoring that detects unauthorized changes to sensitive configuration files, and routine review and validation of permissions on critical system directories. Organizations should also apply least privilege to Samba service accounts and regularly review access controls so that authentication-related files cannot be modified by unauthorized users. The case illustrates how much correct file system permissions matter in enterprise authentication systems, and the risk that legacy upgrade paths retain insecure default configurations.
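The audit recommended above can be scripted. The Python below is an added example, not a Samba tool: `audit_private_dir` flags a private directory whose mode is not 0700 and any entry beneath it that is writable by group or others, and `harden_private_dir` applies the minimal correction (0700 on the directory, group/other write bits removed from its contents). The default path `/var/lib/samba/private` is an assumption taken from Debian-style packaging; pass your own `private dir` if it differs. `build_demo_tree` constructs a look-alike of an upgraded installation for demonstration only, with made-up file names and contents.

```python
import os
import stat
from pathlib import Path
from typing import List, Tuple

# Assumed default location of the AD DC private directory (Debian-style
# packaging); override for installations configured differently.
DEFAULT_PRIVATE_DIR = "/var/lib/samba/private"

GROUP_OTHER_ANY = stat.S_IRWXG | stat.S_IRWXO      # any access for group/others
GROUP_OTHER_WRITE = stat.S_IWGRP | stat.S_IWOTH    # the 0666-style defect


def audit_private_dir(root: str = DEFAULT_PRIVATE_DIR) -> List[Tuple[str, str, str]]:
    """Return (path, octal mode, reason) for every entry that deviates from the
    expected policy: the private directory itself must be 0700 (owner only),
    and nothing inside it may be writable by group or others."""
    findings = []
    root_path = Path(root)
    root_mode = stat.S_IMODE(root_path.lstat().st_mode)
    if root_mode & GROUP_OTHER_ANY:
        findings.append((str(root_path), oct(root_mode),
                         "private dir not 0700 (pre-4.8 default retained?)"))
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            st = entry.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits are not meaningful
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OTHER_WRITE:
                findings.append((str(entry), oct(mode), "writable by group/others"))
    return findings


def harden_private_dir(root: str = DEFAULT_PRIVATE_DIR, dry_run: bool = True) -> List[str]:
    """Plan (or, with dry_run=False, apply) the minimal fix: chmod the directory
    to 0700 and strip group/other write bits from its contents. Only write bits
    are removed from contents so files deliberately shared read-only keep working."""
    actions = []
    root_path = Path(root)
    if stat.S_IMODE(root_path.lstat().st_mode) & GROUP_OTHER_ANY:
        actions.append(f"chmod 0700 {root_path}")
        if not dry_run:
            os.chmod(root_path, 0o700)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            entry = Path(dirpath) / name
            st = entry.lstat()
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode & GROUP_OTHER_WRITE:
                new_mode = mode & ~GROUP_OTHER_WRITE
                actions.append(f"chmod {oct(new_mode)} {entry}")
                if not dry_run:
                    os.chmod(entry, new_mode)
    return actions


def build_demo_tree(base: str) -> str:
    """Construct a fixture resembling an upgraded install (constructed data,
    not real Samba files): 0755 private dir holding two 0666 files and a
    read-only subdirectory that should produce no finding."""
    root = os.path.join(base, "private")
    os.makedirs(root)
    for name in ("krb5.conf", "spn_update_list"):
        path = os.path.join(root, name)
        with open(path, "w") as fh:
            fh.write("# constructed sample content\n")
        os.chmod(path, 0o666)
    sub = os.path.join(root, "dns")
    os.makedirs(sub)
    keytab = os.path.join(sub, "dns.keytab")
    with open(keytab, "wb") as fh:
        fh.write(b"\x05\x02")  # constructed placeholder bytes, not a real keytab
    os.chmod(keytab, 0o640)
    os.chmod(sub, 0o755)
    os.chmod(root, 0o755)
    return root


def demo() -> tuple:
    """Audit the fixture, harden it, re-audit; return counts and resulting modes."""
    import tempfile
    with tempfile.TemporaryDirectory() as base:
        root = build_demo_tree(base)
        before = len(audit_private_dir(root))
        harden_private_dir(root, dry_run=False)
        after = len(audit_private_dir(root))
        root_mode = stat.S_IMODE(os.stat(root).st_mode)
        krb5_mode = stat.S_IMODE(os.stat(os.path.join(root, "krb5.conf")).st_mode)
    return before, after, root_mode, krb5_mode


if __name__ == "__main__":
    for path, mode, reason in audit_private_dir():
        print(f"{mode} {path}: {reason}")
    for action in harden_private_dir():
        print("would run:", action)
```

Run it as root against the real private directory: the audit only reads metadata, and `harden_private_dir` changes nothing unless called with `dry_run=False`, so the default invocation is safe to run first and review.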