ID CVE-2011-2522
Summary Multiple cross-site request forgery (CSRF) vulnerabilities in the Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.10 allow remote attackers to hijack the authentication of administrators for requests that (1) shut down daemons, (2) start daemons, (3) add shares, (4) remove shares, (5) add printers, (6) remove printers, (7) add user accounts, or (8) remove user accounts, as demonstrated by certain start, stop, and restart parameters to the status program.
References
Vulnerable Configurations
  • Samba 3.0.0
    cpe:2.3:a:samba:samba:3.0.0
  • Samba 3.0.1
    cpe:2.3:a:samba:samba:3.0.1
  • Samba 3.0.2
    cpe:2.3:a:samba:samba:3.0.2
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2:a
  • Samba 3.0.2a
    cpe:2.3:a:samba:samba:3.0.2a
  • Samba 3.0.3
    cpe:2.3:a:samba:samba:3.0.3
  • Samba 3.0.4
    cpe:2.3:a:samba:samba:3.0.4
  • Samba 3.0.4 release candidate 1
    cpe:2.3:a:samba:samba:3.0.4:rc1
  • Samba 3.0.5
    cpe:2.3:a:samba:samba:3.0.5
  • Samba 3.0.6
    cpe:2.3:a:samba:samba:3.0.6
  • Samba 3.0.7
    cpe:2.3:a:samba:samba:3.0.7
  • Samba 3.0.8
    cpe:2.3:a:samba:samba:3.0.8
  • Samba 3.0.9
    cpe:2.3:a:samba:samba:3.0.9
  • Samba 3.0.10
    cpe:2.3:a:samba:samba:3.0.10
  • Samba 3.0.11
    cpe:2.3:a:samba:samba:3.0.11
  • Samba 3.0.12
    cpe:2.3:a:samba:samba:3.0.12
  • Samba 3.0.13
    cpe:2.3:a:samba:samba:3.0.13
  • Samba 3.0.14
    cpe:2.3:a:samba:samba:3.0.14
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14:a
  • Samba 3.0.14a
    cpe:2.3:a:samba:samba:3.0.14a
  • Samba 3.0.15
    cpe:2.3:a:samba:samba:3.0.15
  • Samba 3.0.16
    cpe:2.3:a:samba:samba:3.0.16
  • Samba 3.0.17
    cpe:2.3:a:samba:samba:3.0.17
  • Samba 3.0.18
    cpe:2.3:a:samba:samba:3.0.18
  • Samba 3.0.19
    cpe:2.3:a:samba:samba:3.0.19
  • Samba 3.0.20
    cpe:2.3:a:samba:samba:3.0.20
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20:a
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20:b
  • Samba 3.0.20a
    cpe:2.3:a:samba:samba:3.0.20a
  • Samba 3.0.20b
    cpe:2.3:a:samba:samba:3.0.20b
  • Samba 3.0.21
    cpe:2.3:a:samba:samba:3.0.21
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21:a
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21:b
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21:c
  • Samba 3.0.21a
    cpe:2.3:a:samba:samba:3.0.21a
  • Samba 3.0.21b
    cpe:2.3:a:samba:samba:3.0.21b
  • Samba 3.0.21c
    cpe:2.3:a:samba:samba:3.0.21c
  • Samba 3.0.22
    cpe:2.3:a:samba:samba:3.0.22
  • Samba 3.0.23
    cpe:2.3:a:samba:samba:3.0.23
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23:a
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23:b
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23:c
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23:d
  • Samba 3.0.23a
    cpe:2.3:a:samba:samba:3.0.23a
  • Samba 3.0.23b
    cpe:2.3:a:samba:samba:3.0.23b
  • Samba 3.0.23c
    cpe:2.3:a:samba:samba:3.0.23c
  • Samba 3.0.23d
    cpe:2.3:a:samba:samba:3.0.23d
  • Samba 3.0.24
    cpe:2.3:a:samba:samba:3.0.24
  • Samba 3.0.25
    cpe:2.3:a:samba:samba:3.0.25
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25:a
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25:b
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25:c
  • Samba 3.0.25 pre1
    cpe:2.3:a:samba:samba:3.0.25:pre1
  • Samba 3.0.25 pre2
    cpe:2.3:a:samba:samba:3.0.25:pre2
  • Samba 3.0.25 release candidate 1
    cpe:2.3:a:samba:samba:3.0.25:rc1
  • Samba 3.0.25 release candiate 2
    cpe:2.3:a:samba:samba:3.0.25:rc2
  • Samba 3.0.25 release candidate 3
    cpe:2.3:a:samba:samba:3.0.25:rc3
  • Samba 3.0.25a
    cpe:2.3:a:samba:samba:3.0.25a
  • Samba 3.0.25b
    cpe:2.3:a:samba:samba:3.0.25b
  • Samba 3.0.25c
    cpe:2.3:a:samba:samba:3.0.25c
  • Samba 3.0.26
    cpe:2.3:a:samba:samba:3.0.26
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26:a
  • Samba 3.0.26a
    cpe:2.3:a:samba:samba:3.0.26a
  • Samba 3.0.27
    cpe:2.3:a:samba:samba:3.0.27
  • Samba 3.0.27a
    cpe:2.3:a:samba:samba:3.0.27:a
  • Samba 3.0.28
    cpe:2.3:a:samba:samba:3.0.28
  • Samba 3.0.28a
    cpe:2.3:a:samba:samba:3.0.28:a
  • Samba 3.0.29
    cpe:2.3:a:samba:samba:3.0.29
  • Samba 3.0.30
    cpe:2.3:a:samba:samba:3.0.30
  • Samba 3.0.31
    cpe:2.3:a:samba:samba:3.0.31
  • Samba 3.0.32
    cpe:2.3:a:samba:samba:3.0.32
  • Samba 3.0.33
    cpe:2.3:a:samba:samba:3.0.33
  • Samba 3.0.34
    cpe:2.3:a:samba:samba:3.0.34
  • Samba 3.0.35
    cpe:2.3:a:samba:samba:3.0.35
  • Samba 3.0.36
    cpe:2.3:a:samba:samba:3.0.36
  • Samba 3.0.37
    cpe:2.3:a:samba:samba:3.0.37
  • Samba 3.1.0
    cpe:2.3:a:samba:samba:3.1.0
  • Samba 3.2.0
    cpe:2.3:a:samba:samba:3.2.0
  • Samba 3.2.1
    cpe:2.3:a:samba:samba:3.2.1
  • Samba 3.2.2
    cpe:2.3:a:samba:samba:3.2.2
  • Samba 3.2.3
    cpe:2.3:a:samba:samba:3.2.3
  • Samba 3.2.4
    cpe:2.3:a:samba:samba:3.2.4
  • Samba 3.2.5
    cpe:2.3:a:samba:samba:3.2.5
  • Samba 3.2.6
    cpe:2.3:a:samba:samba:3.2.6
  • Samba 3.2.7
    cpe:2.3:a:samba:samba:3.2.7
  • Samba 3.2.8
    cpe:2.3:a:samba:samba:3.2.8
  • Samba 3.2.9
    cpe:2.3:a:samba:samba:3.2.9
  • Samba 3.2.10
    cpe:2.3:a:samba:samba:3.2.10
  • Samba 3.2.11
    cpe:2.3:a:samba:samba:3.2.11
  • Samba 3.2.12
    cpe:2.3:a:samba:samba:3.2.12
  • Samba 3.2.13
    cpe:2.3:a:samba:samba:3.2.13
  • Samba 3.2.14
    cpe:2.3:a:samba:samba:3.2.14
  • Samba 3.2.15
    cpe:2.3:a:samba:samba:3.2.15
  • Samba 3.3.0
    cpe:2.3:a:samba:samba:3.3.0
  • Samba 3.3.1
    cpe:2.3:a:samba:samba:3.3.1
  • Samba 3.3.2
    cpe:2.3:a:samba:samba:3.3.2
  • Samba 3.3.3
    cpe:2.3:a:samba:samba:3.3.3
  • Samba 3.3.4
    cpe:2.3:a:samba:samba:3.3.4
  • Samba 3.3.5
    cpe:2.3:a:samba:samba:3.3.5
  • Samba 3.3.6
    cpe:2.3:a:samba:samba:3.3.6
  • Samba 3.3.7
    cpe:2.3:a:samba:samba:3.3.7
  • Samba 3.3.8
    cpe:2.3:a:samba:samba:3.3.8
  • Samba 3.3.9
    cpe:2.3:a:samba:samba:3.3.9
  • Samba 3.3.10
    cpe:2.3:a:samba:samba:3.3.10
  • Samba 3.3.11
    cpe:2.3:a:samba:samba:3.3.11
  • Samba 3.3.12
    cpe:2.3:a:samba:samba:3.3.12
  • Samba 3.4.0
    cpe:2.3:a:samba:samba:3.4.0
  • Samba 3.4.1
    cpe:2.3:a:samba:samba:3.4.1
  • Samba 3.4.2
    cpe:2.3:a:samba:samba:3.4.2
  • Samba 3.4.3
    cpe:2.3:a:samba:samba:3.4.3
  • Samba 3.4.4
    cpe:2.3:a:samba:samba:3.4.4
  • Samba 3.4.5
    cpe:2.3:a:samba:samba:3.4.5
  • Samba 3.4.6
    cpe:2.3:a:samba:samba:3.4.6
  • Samba 3.4.7
    cpe:2.3:a:samba:samba:3.4.7
  • Samba 3.5.0
    cpe:2.3:a:samba:samba:3.5.0
  • Samba 3.5.1
    cpe:2.3:a:samba:samba:3.5.1
  • Samba 3.5.2
    cpe:2.3:a:samba:samba:3.5.2
  • Samba 3.5.3
    cpe:2.3:a:samba:samba:3.5.3
  • Samba 3.5.4
    cpe:2.3:a:samba:samba:3.5.4
  • Samba 3.5.5
    cpe:2.3:a:samba:samba:3.5.5
  • Samba 3.5.6
    cpe:2.3:a:samba:samba:3.5.6
  • Samba 3.5.7
    cpe:2.3:a:samba:samba:3.5.7
  • Samba 3.5.8
    cpe:2.3:a:samba:samba:3.5.8
  • Samba 3.5.9
    cpe:2.3:a:samba:samba:3.5.9
CVSS
Base: 6.8 (as of 01-08-2011 - 10:10)
Impact:
Exploitability:
CWE CWE-352
CAPEC
  • JSON Hijacking (aka JavaScript Hijacking)
    An attacker targets a system that uses JavaScript Object Notation (JSON) as a transport mechanism between the client and the server (common in Web 2.0 systems using AJAX) to steal possibly confidential information transmitted from the server back to the client inside the JSON object by taking advantage of the loophole in the browser's Same Origin Policy that does not prohibit JavaScript from one website to be included and executed in the context of another website. An attacker gets the victim to visit his or her malicious page that contains a script tag whose source points to the vulnerable system with a URL that requests a response from the server containing a JSON object with possibly confidential information. The malicious page also contains malicious code to capture the JSON object returned by the server before any other processing on it can take place, typically by overriding the JavaScript function used to create new objects. This hook allows the malicious code to get access to the creation of each object and transmit the possibly sensitive contents of the captured JSON object to the attackers' server. There is nothing in the browser's security model to prevent the attackers' malicious JavaScript code (originating from attacker's domain) to set up an environment (as described above) to intercept a JSON object response (coming from the vulnerable target system's domain), read its contents and transmit to the attackers' controlled site. The same origin policy protects the domain object model (DOM), but not the JSON.
  • Cross-Domain Search Timing
    An attacker initiates cross domain HTTP / GET requests and times the server responses. The timing of these responses may leak important information on what is happening on the server. Browser's same origin policy prevents the attacker from directly reading the server responses (in the absence of any other weaknesses), but does not prevent the attacker from timing the responses to requests that the attacker issued cross domain. For GET requests an attacker could for instance leverage the "img" tag in conjunction with "onload() / onerror()" javascript events. For the POST requests, an attacker could leverage the "iframe" element and leverage the "onload()" event. There is nothing in the current browser security model that prevents an attacker to use these methods to time responses to the attackers' cross domain requests. The timing for these responses leaks information. For instance, if a victim has an active session with their online e-mail account, an attacker could issue search requests in the victim's mailbox. While the attacker is not able to view the responses, based on the timings of the responses, the attacker could ask yes / no questions as to the content of victim's e-mails, who the victim e-mailed, when, etc. This is but one example; There are other scenarios where an attacker could infer potentially sensitive information from cross domain requests by timing the responses while asking the right questions that leak information.
  • Cross Site Identification
    An attacker harvests identifying information about a victim via an active session that the victim's browser has with a social networking site. A victim may have the social networking site open in one tab or perhaps is simply using the "remember me" feature to keep his or her session with the social networking site active. An attacker induces a payload to execute in the victim's browser that transparently to the victim initiates a request to the social networking site (e.g., via available social network site APIs) to retrieve identifying information about a victim. While some of this information may be public, the attacker is able to harvest this information in context and may use it for further attacks on the user (e.g., spear phishing). In one example of an attack, an attacker may post a malicious posting that contains an image with an embedded link. The link actually requests identifying information from the social networking site. A victim who views the malicious posting in his or her browser will have sent identifying information to the attacker, as long as the victim had an active session with the social networking site. There are many other ways in which the attacker may get the payload to execute in the victim's browser mainly by finding a way to hide it in some reputable site that the victim visits. The attacker could also send the link to the victim in an e-mail and trick the victim into clicking on the link. This attack is basically a cross site request forgery attack with two main differences. First, there is no action that is performed on behalf of the user aside from harvesting information. So standard CSRF protection may not work in this situation. Second, what is important in this attack pattern is the nature of the data being harvested, which is identifying information that can be obtained and used in context. This real time harvesting of identifying information can be used as a prelude for launching real time targeted social engineering attacks on the victim.
  • Cross Site Request Forgery (aka Session Riding)
    An attacker crafts malicious web links and distributes them (via web pages, email, etc.), typically in a targeted manner, hoping to induce users to click on the link and execute the malicious action against some third-party application. If successful, the action embedded in the malicious link will be processed and accepted by the targeted application with the users' privilege level. This type of attack leverages the persistence and implicit trust placed in user session cookies by many web applications today. In such an architecture, once the user authenticates to an application and a session cookie is created on the user's system, all following transactions for that session are authenticated using that cookie including potential actions initiated by an attacker and simply "riding" the existing session cookie.
Access
VectorComplexityAuthentication
NETWORK MEDIUM NONE
Impact
ConfidentialityIntegrityAvailability
PARTIAL PARTIAL PARTIAL
exploit-db via4
description SWAT Samba Web Administration Tool Cross-Site Request Forgery PoC. CVE-2011-2522. Webapps exploit for cgi platform
file exploits/cgi/webapps/17577.txt
id EDB-ID:17577
last seen 2016-02-02
modified 2011-07-27
platform cgi
port
published 2011-07-27
reporter Narendra Shinde
source https://www.exploit-db.com/download/17577/
title SWAT Samba Web Administration Tool Cross-Site Request Forgery PoC
type webapps
nessus via4
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1220.NASL
    description Updated samba3x packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided by the Samba rebase in RHBA-2011:0054, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba3x packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 56000
    published 2011-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56000
    title RHEL 5 : samba3x (RHSA-2011:1220)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-1220.NASL
    description Updated samba3x packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided by the Samba rebase in RHBA-2011:0054, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba3x packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 56272
    published 2011-09-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56272
    title CentOS 5 : samba3x (CESA-2011:1220)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110829_SAMBA3X_ON_SL5_X.NASL
    description Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547 was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba3x packages distributed by Scientific Linux does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61121
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61121
    title Scientific Linux Security Update : samba3x on SL5.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1220.NASL
    description From Red Hat Security Advisory 2011:1220 : Updated samba3x packages that fix multiple security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided by the Samba rebase in RHBA-2011:0054, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially crafted CIFS (Common Internet File System) share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba3x packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 68336
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68336
    title Oracle Linux 5 : samba3x (ELSA-2011-1220)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110829_SAMBA_AND_CIFS_UTILS_ON_SL6_X.NASL
    description Samba is a suite of programs used by machines to share files, printers, and other information. The cifs-utils package contains utilities for mounting and managing CIFS (Common Internet File System) shares. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided in the cifs-utils package included in the GA release of Scientific Linux 6, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially crafted CIFS share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the cifs-utils package distributed by Scientific Linux does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. This update also fixes the following bug : - If plain text passwords were used ('encrypt passwords = no' in '/etc/samba/smb.conf'), Samba clients running the Windows XP or Windows Server 2003 operating system may not have been able to access Samba shares after installing the Microsoft Security Bulletin MS11-043. This update corrects this issue, allowing such clients to use plain text passwords to access Samba shares. Users of samba and cifs-utils are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61122
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61122
    title Scientific Linux Security Update : samba and cifs-utils on SL6.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1219.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) A race condition flaw was found in the way the mount.cifs tool mounted CIFS (Common Internet File System) shares. If mount.cifs had the setuid bit set, a local attacker could conduct a symbolic link attack to trick mount.cifs into mounting a share over an arbitrary directory they were otherwise not allowed to mount to, possibly allowing them to escalate their privileges. (CVE-2010-0787) It was found that the mount.cifs tool did not properly handle share or directory names containing a newline character. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab (mounted file systems table) file via a specially crafted CIFS share mount request. (CVE-2010-0547) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522; the Debian Security Team for reporting CVE-2010-0787; and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694; Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522; and the Debian Security Team acknowledges Ronald Volgers as the original reporter of CVE-2010-0787. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 55999
    published 2011-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55999
    title RHEL 4 / 5 : samba (RHSA-2011:1219)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2012-0001.NASL
    description a. ESX third-party update for Service Console kernel The ESX Service Console Operating System (COS) kernel is updated to kernel-2.6.18-274.3.1.el5 to fix multiple security issues in the COS kernel. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2011-0726, CVE-2011-1078, CVE-2011-1079, CVE-2011-1080, CVE-2011-1093, CVE-2011-1163, CVE-2011-1166, CVE-2011-1170, CVE-2011-1171, CVE-2011-1172, CVE-2011-1494, CVE-2011-1495, CVE-2011-1577, CVE-2011-1763, CVE-2010-4649, CVE-2011-0695, CVE-2011-0711, CVE-2011-1044, CVE-2011-1182, CVE-2011-1573, CVE-2011-1576, CVE-2011-1593, CVE-2011-1745, CVE-2011-1746, CVE-2011-1776, CVE-2011-1936, CVE-2011-2022, CVE-2011-2213, CVE-2011-2492, CVE-2011-1780, CVE-2011-2525, CVE-2011-2689, CVE-2011-2482, CVE-2011-2491, CVE-2011-2495, CVE-2011-2517, CVE-2011-2519, CVE-2011-2901 to these issues. b. ESX third-party update for Service Console cURL RPM The ESX Service Console (COS) curl RPM is updated to cURL-7.15.5.9 resolving a security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2011-2192 to this issue. c. ESX third-party update for Service Console nspr and nss RPMs The ESX Service Console (COS) nspr and nss RPMs are updated to nspr-4.8.8-1.el5_7 and nss-3.12.10-4.el5_7 respectively resolving a security issues. A Certificate Authority (CA) issued fraudulent SSL certificates and Netscape Portable Runtime (NSPR) and Network Security Services (NSS) contain the built-in tokens of this fraudulent Certificate Authority. This update renders all SSL certificates signed by the fraudulent CA as untrusted for all uses. d. ESX third-party update for Service Console rpm RPMs The ESX Service Console Operating System (COS) rpm packages are updated to popt-1.10.2.3-22.el5_7.2, rpm-4.4.2.3-22.el5_7.2, rpm-libs-4.4.2.3-22.el5_7.2 and rpm-python-4.4.2.3-22.el5_7.2 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-2059 and CVE-2011-3378 to these issues. e. ESX third-party update for Service Console samba RPMs The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4, samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security issues in the Samba client. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0547, CVE-2010-0787, CVE-2011-1678, CVE-2011-2522 and CVE-2011-2694 to these issues. Note that ESX does not include the Samba Web Administration Tool (SWAT) and therefore ESX COS is not affected by CVE-2011-2522 and CVE-2011-2694. f. ESX third-party update for Service Console python package The ESX Service Console (COS) python package is updated to 2.4.3-44 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3720, CVE-2010-3493, CVE-2011-1015 and CVE-2011-1521 to these issues. g. ESXi update to third-party component python The python third-party library is updated to python 2.5.6 which fixes multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-3560, CVE-2009-3720, CVE-2010-1634, CVE-2010-2089, and CVE-2011-1521 to these issues.
    last seen 2019-02-21
    modified 2018-09-06
    plugin id 57749
    published 2012-01-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57749
    title VMSA-2012-0001 : VMware ESXi and ESX updates to third-party library and ESX Service Console
  • NASL family Misc.
    NASL id SAMBA_3_5_10.NASL
    description According to its banner, the version of Samba 3.x running on the remote host is earlier than 3.3.16 / 3.4.14 / 3.5.10. As such, it is potentially affected by several vulnerabilities in the Samba Web Administration Tool (SWAT) : - A cross-site scripting vulnerability exists because of a failure to sanitize input to the username parameter of the 'passwd' program. (Issue #8289) - A cross-site request forgery (CSRF) vulnerability can allow SWAT to be manipulated when a user who is logged in as root is tricked into clicking specially crafted URLs sent by an attacker. (Issue #8290) Note that these issues are only exploitable when SWAT it enabled, and it is not enabled by default. Also note that Nessus has relied only on the self-reported version number and has not actually determined whether SWAT is enabled, tried to exploit these issues, or determine if the associated patches have been applied.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 55733
    published 2011-07-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55733
    title Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1182-1.NASL
    description Yoshihiro Ishikawa discovered that the Samba Web Administration Tool (SWAT) was vulnerable to cross-site request forgeries (CSRF). If a Samba administrator were tricked into clicking a link on a specially crafted web page, an attacker could trigger commands that could modify the Samba configuration. (CVE-2011-2522) Nobuhiro Tsuji discovered that the Samba Web Administration Tool (SWAT) did not properly sanitize its input when processing password change requests, resulting in cross-site scripting (XSS) vulnerabilities. With cross-site scripting vulnerabilities, if a user were tricked into viewing server output during a crafted server request, a remote attacker could exploit this to modify the contents, or steal confidential data, within the same domain. (CVE-2011-2694). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 55758
    published 2011-08-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55758
    title Ubuntu 8.04 LTS / 10.04 LTS / 10.10 / 11.04 : samba vulnerabilities (USN-1182-1)
  • NASL family Slackware Local Security Checks
    NASL id SLACKWARE_SSA_2011-210-03.NASL
    description New samba packages are available for Slackware 13.1, 13.37, and -current to fix security issues.
    last seen 2019-01-03
    modified 2019-01-02
    plugin id 55737
    published 2011-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55737
    title Slackware 13.1 / 13.37 / current : samba (SSA:2011-210-03)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-121.NASL
    description Multiple vulnerabilities has been discovered and corrected in samba : All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool (SWAT). By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT (CVE-2011-2522). All current released versions of Samba are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool (SWAT). On the Change Password field, it is possible to insert arbitrary content into the user field (CVE-2011-2694). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149 products_id=490 The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 55709
    published 2011-07-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55709
    title Mandriva Linux Security Advisory : samba (MDVSA-2011:121)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_4_LDAPSMB-110728.NASL
    description A Cross-Site Request Forgery (CSRF) and a Cross Site Scripting vulnerability have been fixed in samba's SWAT. CVE-2011-2522 and CVE-2011-2694 have been assigned.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75890
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75890
    title openSUSE Security Update : ldapsmb (openSUSE-SU-2011:0998-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE9_12812.NASL
    description A cross-site request forgery (CSRF) and a cross-site scripting vulnerability have been fixed in samba's SWAT. - CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N). (CVE-2011-2522) - CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N). (CVE-2011-2694)
    last seen 2019-02-21
    modified 2012-04-23
    plugin id 56033
    published 2011-09-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56033
    title SuSE9 Security Update : Samba (YOU Patch Number 12812)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-7671.NASL
    description A cross-site request forgery (CSRF) and a cross-site scripting vulnerability have been fixed in samba's SWAT. - (AV:N/AC:M/Au:S/C:N/I:P/A:N) CVE-2011-2694: CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N). (CVE-2011-2522: CVSS v2 Base Score: 3.5)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 57166
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57166
    title SuSE 10 Security Update : Samba (ZYPP Patch Number 7671)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2012-0001_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party libraries : - COS kernel - cURL - python - rpm
    last seen 2019-02-21
    modified 2018-08-16
    plugin id 89105
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89105
    title VMware ESX / ESXi Service Console and Third-Party Libraries Multiple Vulnerabilities (VMSA-2012-0001) (remote check)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-1221.NASL
    description Updated samba and cifs-utils packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. The cifs-utils package contains utilities for mounting and managing CIFS (Common Internet File System) shares. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided in the cifs-utils package included in the GA release of Red Hat Enterprise Linux 6, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially crafted CIFS share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the cifs-utils package distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522. This update also fixes the following bug : * If plain text passwords were used ('encrypt passwords = no' in '/etc/samba/smb.conf'), Samba clients running the Windows XP or Windows Server 2003 operating system may not have been able to access Samba shares after installing the Microsoft Security Bulletin MS11-043. This update corrects this issue, allowing such clients to use plain text passwords to access Samba shares. (BZ#728517) Users of samba and cifs-utils are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 56001
    published 2011-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56001
    title RHEL 6 : samba and cifs-utils (RHSA-2011:1221)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-1219.NASL
    description Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) A race condition flaw was found in the way the mount.cifs tool mounted CIFS (Common Internet File System) shares. If mount.cifs had the setuid bit set, a local attacker could conduct a symbolic link attack to trick mount.cifs into mounting a share over an arbitrary directory they were otherwise not allowed to mount to, possibly allowing them to escalate their privileges. (CVE-2010-0787) It was found that the mount.cifs tool did not properly handle share or directory names containing a newline character. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab (mounted file systems table) file via a specially crafted CIFS share mount request. (CVE-2010-0547) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522; the Debian Security Team for reporting CVE-2010-0787; and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694; Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522; and the Debian Security Team acknowledges Ronald Volgers as the original reporter of CVE-2010-0787. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 55997
    published 2011-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55997
    title CentOS 4 / 5 : samba (CESA-2011:1219)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1221.NASL
    description From Red Hat Security Advisory 2011:1221 : Updated samba and cifs-utils packages that fix multiple security issues and one bug are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. The cifs-utils package contains utilities for mounting and managing CIFS (Common Internet File System) shares. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) It was found that the fix for CVE-2010-0547, provided in the cifs-utils package included in the GA release of Red Hat Enterprise Linux 6, was incomplete. The mount.cifs tool did not properly handle share or directory names containing a newline character, allowing a local attacker to corrupt the mtab (mounted file systems table) file via a specially crafted CIFS share mount request, if mount.cifs had the setuid bit set. (CVE-2011-2724) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the cifs-utils package distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522, and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694, and Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522. This update also fixes the following bug : * If plain text passwords were used ('encrypt passwords = no' in '/etc/samba/smb.conf'), Samba clients running the Windows XP or Windows Server 2003 operating system may not have been able to access Samba shares after installing the Microsoft Security Bulletin MS11-043. This update corrects this issue, allowing such clients to use plain text passwords to access Samba shares. (BZ#728517) Users of samba and cifs-utils are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-08-13
    plugin id 68337
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68337
    title Oracle Linux 6 : cifs-utils / samba (ELSA-2011-1221)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-1219.NASL
    description From Red Hat Security Advisory 2011:1219 : Updated samba packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4 and 5. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) A race condition flaw was found in the way the mount.cifs tool mounted CIFS (Common Internet File System) shares. If mount.cifs had the setuid bit set, a local attacker could conduct a symbolic link attack to trick mount.cifs into mounting a share over an arbitrary directory they were otherwise not allowed to mount to, possibly allowing them to escalate their privileges. (CVE-2010-0787) It was found that the mount.cifs tool did not properly handle share or directory names containing a newline character. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab (mounted file systems table) file via a specially crafted CIFS share mount request. (CVE-2010-0547) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522; the Debian Security Team for reporting CVE-2010-0787; and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694; Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522; and the Debian Security Team acknowledges Ronald Volgers as the original reporter of CVE-2010-0787. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 68335
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68335
    title Oracle Linux 4 / 5 : samba (ELSA-2011-1219)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-10367.NASL
    description Windows security patch KB2536276 prevents access to samba shares Security update to 3.5.10, fixes CVE-2011-2522 and CVE-2011-2694 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 55868
    published 2011-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55868
    title Fedora 14 : samba-3.5.11-79.fc14 (2011-10367)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-2290.NASL
    description The Samba Web Administration Tool (SWAT) contains several cross-site request forgery (CSRF) vulnerabilities (CVE-2011-2522 ) and a cross-site scripting vulnerability (CVE-2011-2694 ).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 55770
    published 2011-08-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55770
    title Debian DSA-2290-1 : samba - XSS
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110829_SAMBA_ON_SL4_X.NASL
    description Samba is a suite of programs used by machines to share files, printers, and other information. A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694) It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522) A race condition flaw was found in the way the mount.cifs tool mounted CIFS (Common Internet File System) shares. If mount.cifs had the setuid bit set, a local attacker could conduct a symbolic link attack to trick mount.cifs into mounting a share over an arbitrary directory they were otherwise not allowed to mount to, possibly allowing them to escalate their privileges. (CVE-2010-0787) It was found that the mount.cifs tool did not properly handle share or directory names containing a newline character. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab (mounted file systems table) file via a specially crafted CIFS share mount request. (CVE-2010-0547) It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678) Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs. Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 61123
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=61123
    title Scientific Linux Security Update : samba on SL4.x, SL5.x i386/x86_64
  • NASL family SuSE Local Security Checks
    NASL id SUSE_CIFS-MOUNT-7656.NASL
    description A cross-site request forgery (CSRF) and a cross-site scripting vulnerability have been fixed in samba's SWAT. - (AV:N/AC:M/Au:S/C:N/I:P/A:N) CVE-2011-2694: CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N). (CVE-2011-2522: CVSS v2 Base Score: 3.5)
    last seen 2019-02-21
    modified 2012-05-17
    plugin id 56601
    published 2011-10-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=56601
    title SuSE 10 Security Update : Samba (ZYPP Patch Number 7656)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_LDAPSMB-110727.NASL
    description A Cross-Site Request Forgery (CSRF) and a Cross Site Scripting vulnerability have been fixed in samba's SWAT. CVE-2011-2522 and CVE-2011-2694 have been assigned.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75569
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75569
    title openSUSE Security Update : ldapsmb (openSUSE-SU-2011:0998-1)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_56F4B3A6C82C11E0A49800215C6A37BB.NASL
    description Samba security advisory reports : All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool (SWAT). By tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT. All current released versions of Samba are vulnerable to a cross-site scripting issue in the Samba Web Administration Tool (SWAT). On the 'Change Password' field, it is possible to insert arbitrary content into the 'user' field.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 55877
    published 2011-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55877
    title FreeBSD : Samba -- XSS and request forgery vulnerabilities (56f4b3a6-c82c-11e0-a498-00215c6a37bb)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-10341.NASL
    description Windows security patch KB2536276 prevents access to samba shares Security update to 3.5.10, fixes CVE-2011-2522 and CVE-2011-2694 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 55867
    published 2011-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=55867
    title Fedora 15 : samba-3.5.11-71.fc15.1 (2011-10341)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_CIFS-MOUNT-110815.NASL
    description A Cross-Site Request Forgery (CSRF) and a Cross Site Scripting vulnerability have been fixed in Samba's SWAT. CVE-2011-2522: CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N) CVE-2011-2694: CVSS v2 Base Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 57092
    published 2011-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57092
    title SuSE 11.1 Security Update : Samba (SAT Patch Number 5000)
packetstorm via4
data source https://packetstormsecurity.com/files/download/103472/swat-xsrf.txt
id PACKETSTORM:103472
last seen 2016-12-05
published 2011-07-27
reporter Narendra Shinde
source https://packetstormsecurity.com/files/103472/Samba-Web-Administration-Tool-Cross-Site-Request-Forgery.html
title Samba Web Administration Tool Cross Site Request Forgery
redhat via4
rpms
  • samba-0:3.0.33-0.34.el4
  • samba-client-0:3.0.33-0.34.el4
  • samba-common-0:3.0.33-0.34.el4
  • samba-swat-0:3.0.33-0.34.el4
  • libsmbclient-0:3.0.33-3.29.el5_7.4
  • libsmbclient-devel-0:3.0.33-3.29.el5_7.4
  • samba-0:3.0.33-3.29.el5_7.4
  • samba-client-0:3.0.33-3.29.el5_7.4
  • samba-common-0:3.0.33-3.29.el5_7.4
  • samba-swat-0:3.0.33-3.29.el5_7.4
  • samba3x-0:3.5.4-0.83.el5_7.2
  • samba3x-client-0:3.5.4-0.83.el5_7.2
  • samba3x-common-0:3.5.4-0.83.el5_7.2
  • samba3x-doc-0:3.5.4-0.83.el5_7.2
  • samba3x-domainjoin-gui-0:3.5.4-0.83.el5_7.2
  • samba3x-swat-0:3.5.4-0.83.el5_7.2
  • samba3x-winbind-0:3.5.4-0.83.el5_7.2
  • samba3x-winbind-devel-0:3.5.4-0.83.el5_7.2
  • cifs-utils-0:4.8.1-2.el6_1.2
  • libsmbclient-0:3.5.6-86.el6_1.4
  • libsmbclient-devel-0:3.5.6-86.el6_1.4
  • samba-0:3.5.6-86.el6_1.4
  • samba-client-0:3.5.6-86.el6_1.4
  • samba-common-0:3.5.6-86.el6_1.4
  • samba-doc-0:3.5.6-86.el6_1.4
  • samba-domainjoin-gui-0:3.5.6-86.el6_1.4
  • samba-swat-0:3.5.6-86.el6_1.4
  • samba-winbind-0:3.5.6-86.el6_1.4
  • samba-winbind-clients-0:3.5.6-86.el6_1.4
  • samba-winbind-devel-0:3.5.6-86.el6_1.4
  • samba-winbind-krb5-locator-0:3.5.6-86.el6_1.4
refmap via4
bid 48899
confirm
debian DSA-2290
hp
  • HPSBNS02701
  • HPSBUX02768
  • SSRT100598
  • SSRT100664
jvn JVN#29529126
mandriva MDVSA-2011:121
osvdb 74071
sectrack 1025852
secunia
  • 45393
  • 45488
  • 45496
sreason 8317
ubuntu USN-1182-1
xf samba-swat-csrf(68843)
vmware via4
description The ESX Service Console Operating System (COS) samba packages are updated to samba-client-3.0.33-3.29.el5_7.4samba-common-3.0.33-3.29.el5_7.4 and libsmbclient-3.0.33-3.29.el5_7.4 which fixes multiple security issues in the Samba client.
id VMSA-2012-0001
last_updated 2012-03-29T00:00:00
published 2012-01-30T00:00:00
title ESX third party update for Service Console samba RPMs
Last major update 03-10-2011 - 22:51
Published 29-07-2011 - 16:55
Last modified 30-10-2018 - 12:25
Back to Top