Multiple race conditions in the (1) mount.cifs and (2) umount.cifs programs in Samba 3.6 allow local users to cause a denial of service (mounting outage) via a SIGKILL signal during a time window when the /etc/mtab~ file exists.
Local users can exploit a race condition vulnerability in Samba's mount.cifs and umount.cifs utilities, leading to a denial-of-service (DoS) condition. This allows attackers to disrupt network file shares by triggering a mounting outage, impacting critical file access and potentially causing data loss or service unavailability.
Step 1: Mount Initiation: A local user initiates a mount operation using mount.cifs.
Step 2: Temporary File Creation: mount.cifs creates a temporary file, /etc/mtab~, as part of the mount process.
Step 3: Signal Injection: The attacker sends a SIGKILL signal to the mount.cifs or umount.cifs process during the brief window when /etc/mtab~ exists.
Step 4: Process Termination: The SIGKILL signal abruptly terminates the process, potentially before it can complete its operations.
Step 5: Inconsistent State: The abrupt termination leaves the system in an inconsistent state. The /etc/mtab file may be corrupted or incomplete, preventing subsequent mount or unmount operations.
Step 6: Denial of Service: Subsequent attempts to mount or unmount CIFS shares fail, resulting in a DoS condition.
The vulnerability stems from a race condition in Samba's mount.cifs and umount.cifs utilities, specifically in how they create and handle the temporary /etc/mtab~ file. The utilities do not properly synchronize access to this file, so there is a window during which a SIGKILL signal can terminate the process part-way through the update. The interrupted update can leave the system in an inconsistent state that prevents subsequent mount or unmount operations, which is the denial of service. The root cause is the lack of proper locking or atomic operations when updating /etc/mtab, the file used to track mounted file systems; the problem is made worse by the fact that a signal can interrupt the process at any point.
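To make the root cause concrete, the following is an added example written for this page (it is not Samba's or cifs-utils' code). It contrasts the two ways of updating a file such as /etc/mtab that Steps 4 and 5 and the root-cause paragraph turn on: rewriting the live file in place, which a kill part-way through leaves truncated, and writing the new content to a temporary file that is then renamed over the original, which is atomic on POSIX. The sample mtab records, the SimulatedKill exception and the helper names are constructed for the example; because SIGKILL cannot be caught or blocked, the interruption is modelled by abandoning the update at a chosen line, which is what the live file experiences either way.

```python
import os
import tempfile

# Constructed sample mtab content (not taken from any real system).
SAMPLE_MTAB = (
    "/dev/sda1 / ext4 rw,relatime 0 0\n"
    "//fileserver/share /mnt/share cifs rw,username=alice 0 0\n"
)
NEW_ENTRY = "//fileserver/data /mnt/data cifs rw,username=alice 0 0\n"


class SimulatedKill(Exception):
    """Stands in for SIGKILL, which cannot be caught or blocked: the updater
    stops dead at the chosen point and runs no further code of its own."""


def append_entry_in_place(path, new_entry, crash_after_line=None):
    """Vulnerable pattern: truncate the live file and rewrite it line by line.
    If the process dies part-way through, whatever was not yet written is gone
    and the live file is left incomplete."""
    with open(path) as f:
        lines = f.readlines()
    lines.append(new_entry)
    with open(path, "w") as f:  # truncates the live mtab immediately
        for i, line in enumerate(lines):
            if crash_after_line is not None and i == crash_after_line:
                raise SimulatedKill  # lines written so far stay; the rest are lost
            f.write(line)


def append_entry_atomically(path, new_entry, crash_after_line=None):
    """Hardened pattern: build the new content in a temporary file in the same
    directory, fsync it, then rename it over the live file. rename is atomic
    on POSIX, so at every instant the live file is either the complete old
    content or the complete new content, whatever happens to the process."""
    with open(path) as f:
        lines = f.readlines()
    lines.append(new_entry)
    directory = os.path.dirname(path) or "."
    fd, tmp_path = tempfile.mkstemp(prefix=".mtab.", dir=directory)
    try:
        with os.fdopen(fd, "w") as f:
            for i, line in enumerate(lines):
                if crash_after_line is not None and i == crash_after_line:
                    raise SimulatedKill  # live file is untouched at this point
                f.write(line)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp_path, path)  # the single atomic step
    except Exception:
        # A real SIGKILL skips this cleanup and leaves the temp file behind,
        # but the live mtab is intact either way.
        if os.path.exists(tmp_path):
            os.unlink(tmp_path)
        raise


def cifs_mount_points(mtab_content):
    """Mount points of the cifs records in an mtab-formatted string; this is
    what a later umount.cifs would have to find in order to complete."""
    points = []
    for line in mtab_content.splitlines():
        fields = line.split()
        if len(fields) == 6 and fields[2] == "cifs":
            points.append(fields[1])
    return points


def demonstrate(crash_after_line=1):
    """Run both update strategies against a fresh copy of SAMPLE_MTAB, each
    interrupted at the same point (None = no interruption). Returns the
    (in_place_result, atomic_result) file contents left behind."""
    results = []
    for updater in (append_entry_in_place, append_entry_atomically):
        with tempfile.TemporaryDirectory() as d:
            mtab = os.path.join(d, "mtab")
            with open(mtab, "w") as f:
                f.write(SAMPLE_MTAB)
            try:
                updater(mtab, NEW_ENTRY, crash_after_line=crash_after_line)
            except SimulatedKill:
                pass
            with open(mtab) as f:
                results.append(f.read())
    return tuple(results)


if __name__ == "__main__":
    in_place, atomic = demonstrate(crash_after_line=1)
    print("in-place rewrite, killed mid-update:", cifs_mount_points(in_place))
    print("atomic rename, killed mid-update:   ", cifs_mount_points(atomic))
```

Killed after the first line, the in-place rewrite leaves an mtab with no cifs record at all, so the share that was mounted can no longer be found by umount.cifs; the rename-based update leaves the original file untouched and merely fails to add the new entry, which the next mount can retry. Note that the atomic rename only removes the "corrupted or incomplete file" outcome: a lock or temporary file such as /etc/mtab~ left behind by a killed process is a separate problem, and the usual defence is to record the owning PID in it so that a later run can tell a stale lock from a live one instead of refusing to mount.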