CVE-2023-4091 in Samba
Summary
by MITRE • 11/03/2023
A vulnerability was discovered in Samba, where the flaw allows SMB clients to truncate files, even with read-only permissions when the Samba VFS module "acl_xattr" is configured with "acl_xattr:ignore system acls = yes". The SMB protocol allows opening files when the client requests read-only access but then implicitly truncates the opened file to 0 bytes if the client specifies a separate OVERWRITE create disposition request. The issue arises in configurations that bypass kernel file system permissions checks, relying solely on Samba's permissions.
Analysis
by VulDB Data Team • 06/18/2025
The vulnerability identified as CVE-2023-4091 represents a critical access control flaw within the Samba file sharing implementation that undermines fundamental security assumptions about file permissions and integrity. This weakness specifically affects systems where the Samba Virtual File System (VFS) module named "acl_xattr" is configured with the parameter "acl_xattr:ignore system acls = yes", creating a dangerous scenario where file truncation can occur regardless of traditional permission models. The flaw demonstrates a fundamental misalignment between expected security boundaries and actual operational behavior, where read-only access permissions are effectively bypassed through a specific combination of client requests and server configuration parameters.
The technical mechanism underlying this vulnerability involves the interaction between SMB protocol semantics and Samba's internal permission handling. When an SMB client opens a file with read-only access permissions but subsequently issues a separate OVERWRITE create disposition request, the server's handling of this sequence results in an implicit truncation of the file. This occurs because the Samba VFS module, when configured to ignore system ACLs, does not verify that the client holds write permission before carrying out the truncation. The vulnerability arises because, with this setting, Samba relies solely on its own access control checks rather than on kernel-level file system permission checks, so a seemingly legitimate sequence of protocol operations becomes a pathway for unauthorized file modification.
The operational impact of CVE-2023-4091 extends beyond simple file corruption, representing a potential vector for data destruction and information disclosure within networked environments. Attackers can leverage this vulnerability to silently truncate critical files to zero bytes, effectively destroying data without leaving obvious traces in system logs or audit trails. The flaw particularly affects environments where Samba serves as a primary file sharing service and where administrators have configured the problematic VFS module settings to simplify access control management. Organizations running Samba servers with this specific configuration are at risk of unauthorized data deletion, system instability, and potential compliance violations when sensitive files are compromised through this bypass mechanism.
Security mitigations for CVE-2023-4091 require immediate configuration changes to address the root cause within the Samba implementation. The primary recommendation involves modifying the Samba configuration to either disable the problematic "acl_xattr:ignore system acls = yes" setting or to implement proper access control validation before allowing file truncation operations. System administrators should also consider implementing additional monitoring and logging controls to detect anomalous file access patterns that might indicate exploitation attempts. Organizations should conduct comprehensive vulnerability assessments to identify all Samba installations with the affected configuration parameters and apply patches or configuration changes as recommended by the Samba project. This vulnerability aligns with CWE-284, which addresses improper access control, and represents a significant concern from the ATT&CK framework perspective under the T1485 category for data destruction, as it enables unauthorized modification of critical system files through legitimate protocol interactions.
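The precondition named in the summary and in the mitigation advice above is a configuration state: the acl_xattr VFS module loaded on a share while "acl_xattr:ignore system acls" is effectively "yes". The script below is an added example, not code from VulDB or from the Samba project, that audits an smb.conf for shares in that state. It resolves share-level parameters against [global] the way Samba does (a share inherits a parameter it does not set), normalizes parameter names the way Samba compares them, and accepts the boolean spellings Samba accepts. The embedded smb.conf is constructed for the demonstration; the share names and paths are assumptions, and the [docs] share shows the corrected setting next to the exposed ones.

```python
"""Audit an smb.conf for shares exposed to the CVE-2023-4091 precondition:
the acl_xattr VFS module loaded with "acl_xattr:ignore system acls = yes".
"""
import configparser
import re

# Constructed sample smb.conf for this demonstration (not taken from any real host).
# [global] enables the risky combination for every share that does not override it.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    vfs objects = acl_xattr
    acl_xattr:ignore system acls = yes

[projects]
    # inherits both settings from [global] -> exposed
    path = /srv/projects

[docs]
    # keeps acl_xattr but restores kernel permission checks -> not exposed
    path = /srv/docs
    acl_xattr:ignore system acls = no

[scratch]
    # no VFS modules at all, so the acl_xattr setting is irrelevant -> not exposed
    path = /srv/scratch
    vfs objects =

[public]
    # module list with several entries and a differently spelled boolean -> exposed
    path = /srv/public
    VFS Objects = catia acl_xattr
    acl_xattr:ignore system acls = True
"""

# Spellings Samba accepts for a true boolean parameter value.
TRUE_VALUES = {"yes", "true", "1", "on"}


def _normalize_key(name):
    # Samba compares parameter names case-insensitively and ignores whitespace
    # inside them ("read only" == "readonly"); lookups are normalized the same way.
    return "".join(name.split()).lower()


def parse_smb_conf(text):
    """Parse smb.conf text. '=' is the only delimiter so parametric keys of the
    form module:option keep their colon; '#' and ';' comment lines are skipped."""
    parser = configparser.ConfigParser(
        delimiters=("=",),
        interpolation=None,
        strict=False,                # tolerate repeated keys, as Samba does
        empty_lines_in_values=False,
    )
    parser.optionxform = _normalize_key
    parser.read_string(text)
    return parser


def _global_section(parser):
    for section in parser.sections():
        if section.lower() == "global":
            return section
    return None


def effective_value(parser, share, key):
    """A share's effective setting: its own value, else [global]'s value, else None."""
    if parser.has_option(share, key):
        return parser.get(share, key)
    glob = _global_section(parser)
    if glob is not None and parser.has_option(glob, key):
        return parser.get(glob, key)
    return None


def share_is_exposed(parser, share):
    # "vfs objects" is a list parameter; Samba splits it on whitespace and commas.
    raw_modules = effective_value(parser, share, "vfs objects") or ""
    modules = [m for m in re.split(r"[\s,]+", raw_modules.strip()) if m]
    # The parametric option defaults to "no" when nothing sets it.
    flag = (effective_value(parser, share, "acl_xattr:ignore system acls") or "no")
    return "acl_xattr" in modules and flag.strip().lower() in TRUE_VALUES


def find_exposed_shares(text):
    """Names of shares, in file order, that match the CVE-2023-4091 precondition."""
    parser = parse_smb_conf(text)
    return [s for s in parser.sections()
            if s.lower() != "global" and share_is_exposed(parser, s)]


if __name__ == "__main__":
    for share in find_exposed_shares(SAMPLE_SMB_CONF):
        print(f"[{share}] loads acl_xattr with 'ignore system acls' enabled: "
              "clients granted read-only access could truncate files on this share")
```

On a real host, feeding the script the output of `testparm -s` rather than the raw file resolves include directives and prints the configuration as Samba actually loaded it. A share reported by the audit needs either the setting changed back to "no" or the Samba project's fix applied, as the mitigation paragraph above recommends.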