-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2013.0130
   Two vulnerabilities have been identified in Samba Web Administration Tool
                              31 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Samba Web Administration Tool
Publisher:         The Samba Team
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Cross-site Request Forgery      -- Remote with User Interaction
                   Provide Misleading Information  -- Remote with User Interaction
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0213 CVE-2013-0214

Original Bulletin:
   http://www.samba.org/samba/security/CVE-2013-0213
   http://www.samba.org/samba/security/CVE-2013-0214

Comment: This bulletin contains two (2) Samba security advisories.

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
== Subject:     Clickjacking in SWAT
==
== CVE ID#:     CVE-2013-0213
==
== Versions:    Samba 3.0.x - 4.0.1 (inclusive)
==
== Summary:     The Samba Web Administration Tool (SWAT) in Samba versions
==              3.0.x to 4.0.1 could possibly be used in clickjacking attacks.
==
==              Note that SWAT must be enabled in order for this
==              vulnerability to be exploitable. By default, SWAT
==              is *not* enabled on a Samba install.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to clickjacking
in the Samba Web Administration Tool (SWAT). When the SWAT pages are
integrated into a malicious web page via a frame or iframe and then
overlaid by other content, an attacker could trick an administrator to
potentially change Samba settings.
In order to be vulnerable, SWAT must have been installed and enabled
either as a standalone server launched from inetd or xinetd, or as a
CGI plugin to Apache. If SWAT has not been installed or enabled (which
is the default install state for Samba) this advisory can be ignored.

==========
Workaround
==========

Ensure SWAT is turned off and configure Samba using an alternative
method to edit the smb.conf file.

==================
Patch Availability
==================

Patches addressing this defect have been posted to

    http://www.samba.org/samba/security/

Additionally, Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as
security releases to correct the defect. Samba administrators running
affected versions are advised to upgrade to 4.0.2, 3.6.12 or 3.5.21 or
apply the patch as soon as possible.

=======
Credits
=======

The vulnerability was discovered and reported to the Samba Team by
Jann Horn. The patches for all Samba versions were written and tested
by Kai Blin (kai@samba.org).

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

===========================================================
== Subject:     Cross-Site Request Forgery in SWAT
==
== CVE ID#:     CVE-2013-0214
==
== Versions:    Samba 3.0.x - 4.0.1 (inclusive)
==
== Summary:     The Samba Web Administration Tool (SWAT) in Samba versions
==              3.0.x to 4.0.1 is affected by a cross-site request forgery.
==
==              Note that SWAT must be enabled AND the user's password be known
==              in order for this vulnerability to be exploitable. By default,
==              SWAT is *not* enabled on a Samba install.
==
===========================================================

===========
Description
===========

All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT).
By guessing a user's password and then tricking a user who is
authenticated with SWAT into clicking a manipulated URL on a different
web page, it is possible to manipulate SWAT.

In order to be vulnerable, the attacker needs to know the victim's
password. Additionally SWAT must have been installed and enabled either
as a standalone server launched from inetd or xinetd, or as a CGI
plugin to Apache. If SWAT has not been installed or enabled (which is
the default install state for Samba) this advisory can be ignored.

If the user authenticated to SWAT as root AND the attacker knows the
user's root password, it is possible to shut down or start the samba
daemons, add or remove shares, printers and user accounts and to change
other aspects of the Samba configuration. The Samba Team considers that
if the attacker knows the root password, that security has already been
breached, but is patching this issue in 4.0.2 out of an abundance of
caution, as we are already patching another SWAT issue with this
release.

==========
Workaround
==========

Ensure SWAT is turned off and configure Samba using an alternative
method to edit the smb.conf file.

==================
Patch Availability
==================

Patches addressing this defect have been posted to

    http://www.samba.org/samba/security/

Additionally, Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as
security releases to correct the defect. Samba administrators running
affected versions are advised to upgrade to 4.0.2, 3.6.12 or 3.5.21 or
apply the patch as soon as possible.

=======
Credits
=======

The vulnerability was discovered and reported to the Samba Team by
Jann Horn. The patches for all Samba versions were written and tested
by Kai Blin (kai@samba.org).

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.

NOTE: Third Party Rights

This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no
control over its content. The decision to follow or act on information
or advice contained in this security bulletin is the responsibility of
each user or organisation, and should be considered in accordance with
your organisation's site policies and procedures. AusCERT takes no
responsibility for consequences which may arise from following or acting
on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It
may not be updated when updates to the original are made. If
downloading at a later date, it is recommended that the bulletin is
retrieved directly from the author's website to ensure that the
information is still current.

Contact information for the authors of the original document is
included in the Security Bulletin above. If you have any questions or
need further information, please contact them directly.
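Both advisories give the same workaround: make sure SWAT is not launched from inetd or xinetd. The check below is an added example, not part of the AusCERT bulletin or of Samba's own code; it audits constructed sample inetd.conf and xinetd.d/swat contents and reports each launcher that still exposes SWAT (the Apache CGI mode the advisories also name is not covered).

```python
import re

# Constructed sample /etc/inetd.conf: one commented-out and one active swat line.
SAMPLE_INETD_CONF = """\
ftp     stream  tcp  nowait  root  /usr/sbin/tcpd  in.ftpd
#swat   stream  tcp  nowait.400  root  /usr/sbin/tcpd  /usr/sbin/swat
swat    stream  tcp  nowait.400  root  /usr/sbin/tcpd  /usr/sbin/swat
"""

# Constructed sample /etc/xinetd.d/swat: "disable = no" leaves SWAT reachable.
SAMPLE_XINETD_SWAT = """\
service swat
{
    socket_type = stream
    wait        = no
    user        = root
    server      = /usr/sbin/swat
    disable     = no
}
"""

def swat_enabled_in_inetd(conf_text):
    """True if inetd.conf carries an active swat service line.
    A commented-out line starts with '#', so its first field is never 'swat'."""
    for line in conf_text.splitlines():
        fields = line.strip().split()
        if fields and fields[0] == "swat":
            return True
    return False

def swat_enabled_in_xinetd(service_text):
    """True if a 'service swat' stanza is present and not disabled.
    xinetd treats a missing 'disable' attribute as enabled, so only an
    explicit 'disable = yes' counts as turned off."""
    if not re.search(r"^\s*service\s+swat\b", service_text, re.M):
        return False
    m = re.search(r"^\s*disable\s*=\s*(\w+)", service_text, re.M)
    return m is None or m.group(1).lower() != "yes"

def audit_swat(inetd_text, xinetd_text):
    """Return one finding per launcher that still exposes SWAT (empty = off)."""
    findings = []
    if swat_enabled_in_inetd(inetd_text):
        findings.append("inetd: active swat line in inetd.conf")
    if swat_enabled_in_xinetd(xinetd_text):
        findings.append("xinetd: swat service file not set to disable = yes")
    return findings

if __name__ == "__main__":
    for finding in audit_swat(SAMPLE_INETD_CONF, SAMPLE_XINETD_SWAT):
        print("FINDING:", finding)
```

On a real host, feed the function the contents of /etc/inetd.conf and /etc/xinetd.d/swat (if present); an empty result means neither launcher exposes SWAT.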
Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================