The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Samba: two vulnerabilities of SWAT

Synthesis of the vulnerability

An attacker can exploit two vulnerabilities in the Samba Web Administration Tool (SWAT) to mount a Cross-Site Request Forgery attack and a Cross-Site Scripting attack.
Severity of this alert: 2/4.
Number of vulnerabilities in this bulletin: 2.
Creation date: 27/07/2011.
References of this alert: 8289, 8290, 8347, BID-48899, BID-48901, c03297338, CERTA-2011-AVI-416, CERTA-2011-AVI-493, CERTA-2012-AVI-232, CVE-2011-2522, CVE-2011-2694, DSA-2290-1, FEDORA-2011-10341, FEDORA-2011-10367, HPSBUX02768, MDVSA-2011:121, openSUSE-SU-2011:0998-1, RHSA-2011:1219-01, RHSA-2011:1220-01, RHSA-2011:1221-01, SSA:2011-210-03, SSRT100664, SUSE-SU-2011:0981-1, SUSE-SU-2011:0999-1, SUSE-SU-2011:1001-1, SUSE-SU-2011:1002-1, VIGILANCE-VUL-10871.

Description of the vulnerability

The Samba server can be administered through the SWAT (Samba Web Administration Tool) web interface, which is not enabled by default: it is typically started from inetd or xinetd, and systems where swat is not configured there are not exposed (disabling it there is a valid workaround where the web interface is not needed). SWAT authenticates administrators with HTTP Basic authentication, so the browser re-sends the credentials with every request to SWAT. Two vulnerabilities impact SWAT.

SWAT does not use session tokens: a request is executed as soon as the browser presents the administrator's HTTP Basic credentials, which the browser attaches automatically to every request for the SWAT origin. An attacker can therefore invite an administrator who is logged into SWAT to display an HTML page containing images whose URLs are SWAT administration requests. When the browser loads the images, it sends these requests with the administrator's credentials, and because SWAT does not check that the requests originate from its own forms (for example with a per-session token in a hidden field), the administration operations are carried out. [severity:2/4; 8290, BID-48899, CERTA-2011-AVI-416, CERTA-2012-AVI-232, CVE-2011-2522]
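As an added illustration (this is not Samba's code), the following C model shows why the forged image request succeeds and what a session-token check changes. It assumes a hypothetical `smbd_stop` parameter and the function names `vulnerable_authorize()`, `hardened_authorize()`, `generate_token()` and `forged_page()`; the HTTP Basic credentials are reduced to an `authenticated` flag.

```c
#include <stdio.h>
#include <string.h>

/* Vulnerable authorisation, modelling the behaviour the bulletin
 * describes: the request is executed as soon as the browser presented
 * valid HTTP Basic credentials. The browser attaches those credentials
 * to every request for the SWAT origin, including the <img src="...">
 * on the attacker's page, so the forged request passes. */
int vulnerable_authorize(int authenticated, const char *token,
                         const char *session_token)
{
    (void)token;
    (void)session_token;
    return authenticated;
}

/* Hardened authorisation: additionally require a per-session secret that
 * SWAT would place in a hidden field of its own forms. The attacker's page
 * lives on another origin and cannot read that field (same-origin policy),
 * so it cannot build a URL that carries the right value. */
int hardened_authorize(int authenticated, const char *token,
                       const char *session_token)
{
    if (!authenticated || token == NULL || session_token == NULL)
        return 0;
    size_t n = strlen(session_token);
    if (strlen(token) != n)
        return 0;
    /* constant-time compare: no early exit on the first mismatching byte */
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(token[i] ^ session_token[i]);
    return diff == 0;
}

/* Mint a session token from the kernel CSPRNG as 32 hex characters.
 * A guessable token (pid, time, a counter) would make the check useless. */
int generate_token(char *out, size_t outsz)
{
    unsigned char raw[16];
    if (outsz < 2 * sizeof raw + 1)
        return -1;
    FILE *f = fopen("/dev/urandom", "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(raw, 1, sizeof raw, f);
    fclose(f);
    if (got != sizeof raw)
        return -1;
    for (size_t i = 0; i < sizeof raw; i++)
        snprintf(out + 2 * i, 3, "%02x", (unsigned)raw[i]);
    return 0;
}

/* The attacker's page from the bulletin: an image whose URL is a SWAT
 * administration request. "smbd_stop" is a hypothetical parameter name;
 * the point is that nothing in the URL is secret. Returns 0 on success. */
int forged_page(char *out, size_t outsz, const char *swat_base)
{
    int n = snprintf(out, outsz,
                     "<html><body><img src=\"%s/status?smbd_stop=1\">"
                     "</body></html>\n", swat_base);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

int main(void)
{
    char token[33], page[256];
    if (generate_token(token, sizeof token) != 0 ||
        forged_page(page, sizeof page, "http://samba.example:901") != 0)
        return 1;
    printf("attacker page:\n%s", page);
    /* The administrator's browser loads the image: credentials attached,
     * no token in the URL. */
    printf("vulnerable SWAT executes forged request: %d\n",
           vulnerable_authorize(1, NULL, token));
    printf("hardened SWAT executes forged request:   %d\n",
           hardened_authorize(1, NULL, token));
    /* A real submission of the SWAT form carries the hidden token. */
    printf("hardened SWAT executes real request:     %d\n",
           hardened_authorize(1, token, token));
    return 0;
}
```

The token check only helps if the value is unpredictable and never appears in a URL the attacker could reproduce: embed it in SWAT's own forms and verify it on every state-changing request, not only when the form is displayed.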

SWAT stores the name of the current user in the SWAT_USER variable, taken from the "username" request parameter. The chg_passwd() function in source/web/swat.c changes the password of that user and writes the name stored in SWAT_USER directly into the generated HTML page, without HTML-escaping it. If the username passed as a parameter contains JavaScript code, the generated page also contains that code, and the browser of the administrator who submits the crafted request executes it in the context of SWAT. [severity:2/4; 8289, BID-48901, CVE-2011-2694]
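An added example (not the Samba source) of the reflection pattern in chg_passwd(), beside the escaped version. The message wording, the helper names `html_escape()`, `render_chg_passwd_vulnerable()`, `render_chg_passwd_hardened()` and `script_tag_reflected()`, and the attacker-supplied user name are all constructed for this illustration.

```c
#include <stdio.h>
#include <string.h>

/* HTML-escape src into dst (NUL-terminated). Returns the number of bytes
 * written, or -1 if dst is too small. These five characters are the ones
 * that can open a tag or break out of an attribute value. */
int html_escape(char *dst, size_t dstsz, const char *src)
{
    size_t o = 0;
    for (; *src != '\0'; src++) {
        char one[2] = { *src, '\0' };
        const char *rep;
        switch (*src) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&#39;";  break;
        default:   rep = one;      break;
        }
        size_t l = strlen(rep);
        if (o + l >= dstsz)
            return -1;
        memcpy(dst + o, rep, l);
        o += l;
    }
    if (o >= dstsz)
        return -1;
    dst[o] = '\0';
    return (int)o;
}

/* Vulnerable rendering, the pattern the bulletin describes in chg_passwd():
 * the user name from the request is printed into the page unchanged, so a
 * name that contains markup becomes part of the page. The message text is
 * hypothetical, not SWAT's. Returns 0 on success. */
int render_chg_passwd_vulnerable(char *page, size_t pagesz, const char *username)
{
    int n = snprintf(page, pagesz,
                     "<p>Password changed for user %s</p>\n", username);
    return (n < 0 || (size_t)n >= pagesz) ? -1 : 0;
}

/* Hardened rendering: escape the untrusted value before it goes into the
 * HTML, so the browser shows it as text instead of parsing it as markup. */
int render_chg_passwd_hardened(char *page, size_t pagesz, const char *username)
{
    char safe[512];
    if (html_escape(safe, sizeof safe, username) < 0)
        return -1;
    int n = snprintf(page, pagesz,
                     "<p>Password changed for user %s</p>\n", safe);
    return (n < 0 || (size_t)n >= pagesz) ? -1 : 0;
}

/* True if a raw script tag survived into the rendered page. */
int page_contains_script_tag(const char *page)
{
    return strstr(page, "<script") != NULL;
}

/* Render a constructed attacker-supplied user name with either routine and
 * report whether the script tag was reflected: 1 yes, 0 no, -1 on error. */
int script_tag_reflected(int hardened)
{
    static const char evil[] = "bob<script>alert(document.domain)</script>";
    char page[1024];
    int rc = hardened ? render_chg_passwd_hardened(page, sizeof page, evil)
                      : render_chg_passwd_vulnerable(page, sizeof page, evil);
    return rc != 0 ? -1 : page_contains_script_tag(page);
}

int main(void)
{
    char page[1024];
    const char *evil = "bob<script>alert(document.domain)</script>";
    render_chg_passwd_vulnerable(page, sizeof page, evil);
    printf("vulnerable: %s", page);
    render_chg_passwd_hardened(page, sizeof page, evil);
    printf("hardened:   %s", page);
    return 0;
}
```

Escaping must happen at the point where the value is written into HTML, not when it is read from the request: the same username is also used as a Samba account name, where HTML entities would be wrong.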

An attacker can therefore exploit these two vulnerabilities in the Samba Web Administration Tool to mount a Cross-Site Request Forgery attack and a Cross-Site Scripting attack.

This alert impacts software or systems such as Debian, Fedora, HP-UX, Mandriva Linux, NLD, OES, openSUSE, Solaris, RHEL, Samba, Slackware, SUSE Linux Enterprise Desktop, SLES, ESX.

The Vigil@nce team rates the severity of this bulletin as medium (2/4).

Trust level: confirmed by the vendor, based on a published document.

This bulletin covers 2 vulnerabilities.

A proof of concept or an attack tool is available, so this alert must be processed. An attacker with beginner-level skills can exploit these vulnerabilities.

Solutions for this threat

Samba: version 3.5.10.
Version 3.5.10 is fixed:
  http://download.samba.org/samba/ftp/stable
To install it on HP-UX, AIX and OSF, the following patch is also required (because atoll() does not exist on these platforms):
  https://bugzilla.samba.org/attachment.cgi?id=6761

Samba: version 3.4.14.
Version 3.4.14 is fixed:
  http://download.samba.org/samba/ftp/stable
To install it on HP-UX, AIX and OSF, the following patch is also required (because atoll() does not exist on these platforms):
  https://bugzilla.samba.org/attachment.cgi?id=6762
Version 3.4.15 is now available and is also fixed:
  http://download.samba.org/samba/ftp/stable

Samba: version 3.3.16.
Version 3.3.16 is fixed:
  http://download.samba.org/samba/ftp/stable
To install it on HP-UX, AIX and OSF, the following patch is also required (because atoll() does not exist on these platforms):
  https://attachments.samba.org/attachment.cgi?id=6765

Debian: new samba packages.
New packages are available:
  samba 2:3.2.5-4lenny15
  samba 2:3.5.6~dfsg-3squeeze5

Fedora: new samba packages.
New packages are available:
  samba-3.5.11-79.fc14
  samba-3.5.11-71.fc15.1

HP-UX: CIFS Server version A.02.04.05 and A.03.01.04.
The following versions are corrected:
  HP-UX B.11.11 : A.02.04.05
  HP-UX B.11.23 : A.02.04.05 or A.03.01.04
  HP-UX B.11.31 : A.02.04.05 or A.03.01.04
http://software.hp.com/

Mandriva: new samba packages.
New packages are available:
  samba-3.3.12-0.6mdv2009.0
  samba-3.5.3-3.3mdv2010.2
  samba-3.0.37-0.7.20060mlcs4
  samba-3.3.12-0.6mdvmes5.2

RHEL 4, 5: new samba packages.
New packages are available:
  samba-3.0.33-0.34.el4
  samba-3.0.33-3.29.el5_7.4

RHEL 5: new samba3x packages.
New packages are available:
  samba3x-3.5.4-0.83.el5_7.2

RHEL 6.1: new samba and cifs-utils packages.
New packages are available:
  samba-*-3.5.6-86.el6_1.4
  cifs-utils-4.8.1-2.el6_1.2

Slackware: new samba packages.
New packages are available:
ftp://ftp.slackware.com/pub/slackware/slackware-13.1/patches/packages/samba-3.5.10-i486-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.1/patches/packages/samba-3.5.10-x86_64-1_slack13.1.txz
ftp://ftp.slackware.com/pub/slackware/slackware-13.37/patches/packages/samba-3.5.10-i486-1_slack13.37.txz
ftp://ftp.slackware.com/pub/slackware/slackware64-13.37/patches/packages/samba-3.5.10-x86_64-1_slack13.37.txz

Solaris: patch for Samba.
A patch is available:
  Solaris 9:
    SPARC: 114684-18
    x86: 114685-18
  Solaris 10:
    SPARC: 119757-21
    x86: 119758-21

SUSE: new Samba packages.
New packages are available, as indicated in information sources.

VMware ESX 4.1: patch ESX410-201201001.
A patch is available:
  ESX410-201201001
  http://downloads.vmware.com/go/selfsupport-download
  http://kb.vmware.com/kb/2009142
