-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0130
 Two vulnerabilities have been identified in Samba Web Administration Tool
                              31 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Samba Web Administration Tool
Publisher:         The Samba Team
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery     -- Remote with User Interaction
                   Provide Misleading Information -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0213 CVE-2013-0214

Original Bulletin: 
   http://www.samba.org/samba/security/CVE-2013-0213
   http://www.samba.org/samba/security/CVE-2013-0214

Comment: This bulletin contains two (2) Samba security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
== Subject:     Clickjacking in SWAT
==
== CVE ID#:     CVE-2013-0213
==
== Versions:    Samba 3.0.x - 4.0.1 (inclusive)
==
== Summary:     The Samba Web Administration Tool (SWAT) in Samba versions
==              3.0.x to 4.0.1 could possibly be used in clickjacking attacks.
==
==              Note that SWAT must be enabled in order for this
==              vulnerability to be exploitable. By default, SWAT
==              is *not* enabled on a Samba install.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to clickjacking in the
Samba Web Administration Tool (SWAT). When the SWAT pages are embedded in a
malicious web page via a frame or iframe and then overlaid by other content,
an attacker could trick an administrator into changing Samba settings without
realising it.

In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.
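The attack above works only because a browser will render SWAT's pages inside a frame on any site that asks. The usual fix is for the server to send an anti-framing header (X-Frame-Options, or a Content-Security-Policy frame-ancestors directive, which takes precedence when both are present). The following script is an added example, not part of this advisory or of Samba's code: it classifies a response head by its framing policy, and can be pointed at a live URL. The advisory does not say how the Samba patch closes the hole, so the sample labelled "patched" simply assumes an X-Frame-Options header; all sample responses are constructed, not captured from a real SWAT.

```python
"""Check whether a web UI such as SWAT can be framed by another site.

Added example, not part of the Samba advisory or of Samba's code.  A browser
will refuse to render a page inside a hostile <iframe> only if the response
says so: X-Frame-Options DENY/SAMEORIGIN, or a Content-Security-Policy with a
frame-ancestors directive (which takes precedence over X-Frame-Options).
The sample response heads below are constructed, not captured from a real SWAT.
"""
from typing import Dict, List
import urllib.error
import urllib.request

Headers = Dict[str, List[str]]


def parse_head(raw: bytes) -> Headers:
    """Parse a raw HTTP/1.x response head into lower-cased name -> values.

    Duplicate headers are kept as separate values: a repeated, conflicting
    X-Frame-Options is one of the misconfigurations we want to catch.
    """
    text = raw.decode("iso-8859-1")
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines or not lines[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response head")
    headers: Headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def framing_policy(headers: Headers) -> str:
    """Classify what a browser will do when another site frames this response.

      "denied"       nobody may frame it (XFO DENY or frame-ancestors 'none')
      "same-origin"  only pages from the same origin may frame it
      "restricted"   frame-ancestors names specific origins
      "conflicting"  repeated X-Frame-Options with different values
      "unprotected"  a hostile page can frame it (the CVE-2013-0213 situation)
    """
    # CSP frame-ancestors, when present, overrides X-Frame-Options.
    for csp in headers.get("content-security-policy", []):
        for directive in csp.split(";"):
            parts = directive.split()
            if parts and parts[0].lower() == "frame-ancestors":
                sources = [s.lower() for s in parts[1:]]
                if sources == ["'none'"]:
                    return "denied"
                if sources == ["'self'"]:
                    return "same-origin"
                if sources and "*" not in sources:
                    return "restricted"
                return "unprotected"
    xfo = {v.upper() for v in headers.get("x-frame-options", [])}
    if not xfo:
        return "unprotected"
    if len(xfo) > 1:
        return "conflicting"
    value = xfo.pop()
    if value == "DENY":
        return "denied"
    if value == "SAMEORIGIN":
        return "same-origin"
    # ALLOW-FROM is obsolete and ignored by current browsers: no protection.
    return "unprotected"


def fetch_headers(url: str, timeout: float = 5.0) -> Headers:
    """Fetch a live URL's headers (network; not used by the offline samples).

    SWAT answers 401 until Basic-auth credentials are supplied; urllib raises
    on that, but the headers of the error response are still usable.
    """
    try:
        resp = urllib.request.urlopen(url, timeout=timeout)
    except urllib.error.HTTPError as err:
        resp = err
    headers: Headers = {}
    for name, value in resp.headers.items():
        headers.setdefault(name.lower(), []).append(value.strip())
    return headers


# Constructed sample response heads (not real SWAT output).
UNPATCHED = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n<html>...</html>"
PATCHED = b"HTTP/1.0 200 OK\r\nContent-Type: text/html\r\nX-Frame-Options: DENY\r\n\r\n"
PROXIED = (b"HTTP/1.1 200 OK\r\nX-Frame-Options: SAMEORIGIN\r\n"
           b"Content-Security-Policy: default-src 'self'; frame-ancestors 'none'\r\n\r\n")


def audit(raw: bytes) -> str:
    """Framing verdict for one raw response head."""
    return framing_policy(parse_head(raw))


if __name__ == "__main__":
    for label, sample in (("unpatched", UNPATCHED), ("patched", PATCHED), ("proxied", PROXIED)):
        print(f"{label}: {audit(sample)}")
```

When checking a live SWAT, test the page an authenticated browser would actually render, not only the 401 challenge: pass an Authorization header to fetch_headers (or run it from a host that is allowed in) and expect "denied" or "same-origin"; anything else means an attacker's page can still frame it.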

==========
Workaround
==========

Ensure SWAT is turned off and configure Samba using an alternative method
to edit the smb.conf file.

==================
Patch Availability
==================

Patches addressing this defect have been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as security
releases to correct the defect.  Samba administrators running affected versions
are advised to upgrade to 4.0.2, 3.6.12 or 3.5.21 or apply the patch as soon as
possible.

=======
Credits
=======

The vulnerability was discovered and reported to the Samba Team by Jann Horn.
The patches for all Samba versions were written and tested by Kai Blin
(kai@samba.org).


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

===========================================================
== Subject:     Cross-Site Request Forgery in SWAT
==
== CVE ID#:     CVE-2013-0214
==
== Versions:    Samba 3.0.x - 4.0.1 (inclusive)
==
== Summary:     The Samba Web Administration Tool (SWAT) in Samba versions
==              3.0.x to 4.0.1 is affected by a cross-site request forgery.
==
==              Note that SWAT must be enabled AND the user's password be known
==              in order for this vulnerability to be exploitable. By default,
==              SWAT is *not* enabled on a Samba install.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user's password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, an attacker can make SWAT
carry out actions on that user's behalf.

In order to be vulnerable, the attacker needs to know the victim's password.
Additionally SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.

If the user authenticated to SWAT as root AND the attacker knows the root
password, it is possible to shut down or start the Samba daemons, add or remove
shares, printers and user accounts, and to change other aspects of the Samba
configuration.

The Samba Team considers that, if the attacker knows the root password,
security has already been breached, but is patching this issue in 4.0.2 out of
an abundance of caution, as we are already patching another SWAT issue with this
release.
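The description above is the classic CSRF shape: the victim's browser already carries credentials for the admin UI (cached Basic-auth credentials, or, as the advisory describes, a guessed password the attacker embeds in the manipulated URL), so any request an attacker's page can induce it to send arrives authenticated. The standard defence is to accept state-changing actions only over POST and only with a per-session token that the attacker's page cannot read. The following is an added example of that defence, not Samba's code and not the patch this advisory refers to; the action names, the "xsrf" field and the session cookie are assumptions made for the model.

```python
"""Synchronizer-token defence against CSRF in a SWAT-like admin CGI.

Added example, not Samba's code and not the patch this advisory refers to.
It models the situation the advisory describes: the operator's browser
holds credentials for the admin UI, so a request it can be induced to send
(an <img>, a link, an auto-submitting form on an attacker's page) arrives
authenticated.  The hardened handler accepts state-changing actions only
over POST and only with a per-session token the attacker cannot know.
Session ids, action names and the "xsrf" field are assumptions.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

SERVER_KEY = secrets.token_bytes(32)   # per-process here; a real server persists it
STATE_CHANGING = {"stop_smbd", "start_smbd", "add_share", "delete_share"}


@dataclass
class Request:
    method: str
    params: Dict[str, str]
    user: Optional[str]     # principal from HTTP Basic auth, None if absent
    session: str            # value of a session cookie (assumed)


class AdminApp:
    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.smbd_running = True
        self.shares = {"public"}
        self.rejections: List[str] = []

    def token_for(self, user: str, session: str) -> str:
        """Token the UI embeds in its own forms: an HMAC over user and session
        under the server key, so it is unguessable, bound to this session,
        and needs no server-side storage."""
        msg = f"{user}:{session}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def handle(self, req: Request) -> str:
        if req.user is None:
            return "401 Unauthorized"
        action = req.params.get("action", "")
        if action not in STATE_CHANGING:
            return "200 OK"
        if self.hardened:
            # A plain link (GET) must never change state ...
            if req.method != "POST":
                return "405 Method Not Allowed"
            # ... and a POST must prove it came from our own page.
            expected = self.token_for(req.user, req.session)
            if not hmac.compare_digest(req.params.get("xsrf", ""), expected):
                self.rejections.append(f"{req.user}: {action} without valid token")
                return "403 Forbidden"
        return self._apply(action, req.params)

    def _apply(self, action: str, params: Dict[str, str]) -> str:
        if action == "stop_smbd":
            self.smbd_running = False
        elif action == "start_smbd":
            self.smbd_running = True
        elif action == "add_share":
            self.shares.add(params["share"])
        elif action == "delete_share":
            self.shares.discard(params["share"])
        return "200 OK"


def run_scenario(hardened: bool) -> Dict[str, object]:
    """Replay one legitimate request and two forged ones against the app."""
    app = AdminApp(hardened)
    session = secrets.token_hex(16)
    # The operator submits the UI's own form, which carries the token.
    legit = Request("POST", {"action": "add_share", "share": "backup",
                             "xsrf": app.token_for("root", session)}, "root", session)
    # Victim's browser follows <img src="http://host:901/swat?action=stop_smbd">
    # on the attacker's page: credentials and cookie are attached automatically.
    forged_get = Request("GET", {"action": "stop_smbd"}, "root", session)
    # Attacker's page auto-submits a POST; it still cannot supply the token.
    forged_post = Request("POST", {"action": "delete_share", "share": "public",
                                   "xsrf": "guess"}, "root", session)
    return {
        "legit": app.handle(legit),
        "forged_get": app.handle(forged_get),
        "forged_post": app.handle(forged_post),
        "smbd_running": app.smbd_running,
        "shares": sorted(app.shares),
    }


if __name__ == "__main__":
    print("vulnerable:", run_scenario(hardened=False))
    print("hardened:  ", run_scenario(hardened=True))
```

Binding the token to the session (rather than issuing one global token) matters: a token the attacker can obtain from their own session must not be valid for the administrator's. The POST-only rule is not a substitute for the token, since an attacker's page can auto-submit a form, but it does stop the "manipulated URL" variant the advisory describes.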

==========
Workaround
==========

Ensure SWAT is turned off and configure Samba using an alternative method
to edit the smb.conf file.
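Both advisories give the same workaround: make sure SWAT is not enabled at all. The script below is an added example (not part of the advisory) that audits the two launch paths the advisories name, inetd and xinetd, from their configuration text, and confirms nothing is listening on SWAT's usual port 901. The real inputs would be /etc/inetd.conf, /etc/xinetd.d/swat and the output of ss -ltn (or netstat -ltn); the samples embedded here are constructed. The Apache CGI path is not parsed: grep the httpd configuration for "swat" by hand.

```python
"""Audit whether SWAT is really switched off (added example, not Samba's code).

Checks the inetd and xinetd launch paths named in the advisories plus the
listening sockets.  The real inputs are /etc/inetd.conf, /etc/xinetd.d/swat
and `ss -ltn` output; the samples at the bottom are constructed.  The Apache
CGI path is not covered.
"""
import re
from typing import List


def inetd_enables_swat(inetd_conf: str) -> bool:
    """True if any active (uncommented) inetd.conf line launches swat.

    inetd line format: <service> <socket> <proto> <wait/nowait[.max]> <user> <server> [args]
    """
    for line in inetd_conf.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if fields[0] == "swat" or (len(fields) >= 6 and fields[5].endswith("/swat")):
            return True
    return False


def xinetd_enables_swat(xinetd_swat: str) -> bool:
    """True if an xinetd `service swat` stanza is present and not disabled.

    xinetd runs a service unless its stanza says `disable = yes` (a service
    listed under `disabled =` in the xinetd.conf defaults is not handled here).
    """
    in_swat = False
    enabled = False
    for line in xinetd_swat.splitlines():
        s = line.split("#", 1)[0].strip()
        if not s:
            continue
        m = re.match(r"service\s+(\S+)", s)
        if m:
            in_swat = m.group(1) == "swat"
            if in_swat:
                enabled = True      # enabled unless the stanza says otherwise
            continue
        if in_swat:
            if s == "}":
                in_swat = False
            else:
                m = re.match(r"disable\s*=\s*(\S+)", s)
                if m and m.group(1).lower() == "yes":
                    enabled = False
    return enabled


def swat_port_listening(ss_output: str, port: int = 901) -> bool:
    """Parse `ss -ltn` (or `netstat -ltn`) output for a listener on the SWAT port.

    In both tools the local address is the fourth column; rsplit on ':' copes
    with IPv6 forms such as [::]:901.
    """
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[3].rsplit(":", 1)[-1] == str(port):
            return True
    return False


def report(inetd_conf: str, xinetd_swat: str, ss_output: str) -> List[str]:
    """List of findings; an empty list means SWAT looks switched off."""
    findings = []
    if inetd_enables_swat(inetd_conf):
        findings.append("inetd: swat service line is active")
    if xinetd_enables_swat(xinetd_swat):
        findings.append("xinetd: swat stanza is not disabled")
    if swat_port_listening(ss_output):
        findings.append("tcp/901 is listening")
    return findings


# Constructed samples (not taken from a real host).
INETD_SAMPLE = """# /etc/inetd.conf
#swat   stream  tcp     nowait.400  root  /usr/sbin/swat  swat
ftp     stream  tcp     nowait      root  /usr/sbin/tcpd  in.ftpd
"""
INETD_ENABLED = INETD_SAMPLE.replace("#swat", "swat")
XINETD_SAMPLE = """# /etc/xinetd.d/swat
service swat
{
    port        = 901
    socket_type = stream
    wait        = no
    only_from   = 127.0.0.1
    user        = root
    server      = /usr/sbin/swat
    log_on_failure += USERID
    disable     = yes
}
"""
SS_SAMPLE = """State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    127.0.0.1:901      0.0.0.0:*
"""

if __name__ == "__main__":
    for finding in report(INETD_SAMPLE, XINETD_SAMPLE, SS_SAMPLE) or ["SWAT appears to be off"]:
        print(finding)
```

The socket check is the one to trust: a stale inetd/xinetd file that is never reloaded tells you nothing about the running state, whereas a listener on 901 (or on whatever port your SWAT was bound to) means the interface is reachable regardless of what the files say.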

==================
Patch Availability
==================

Patches addressing this defect have been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as security
releases to correct the defect.  Samba administrators running affected versions
are advised to upgrade to 4.0.2, 3.6.12 or 3.5.21 or apply the patch as soon as
possible.

=======
Credits
=======

The vulnerability was discovered and reported to the Samba Team by Jann Horn.
The patches for all Samba versions were written and tested by Kai Blin
(kai@samba.org).


==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----