
samba: multiple vulnerabilities in SWAT

Package(s): samba
CVE #(s): CVE-2013-0213, CVE-2013-0214
Created: February 4, 2013
Updated: March 25, 2013
Description: From the Samba 4.0.2 announcement:

CVE-2013-0213: All current released versions of Samba are vulnerable to clickjacking in the Samba Web Administration Tool (SWAT). When the SWAT pages are integrated into a malicious web page via a frame or iframe and then overlaid by other content, an attacker could trick an administrator into potentially changing Samba settings.

In order to be vulnerable, SWAT must have been installed and enabled either as a standalone server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has not been installed or enabled (which is the default install state for Samba) this advisory can be ignored.

CVE-2013-0214: All current released versions of Samba are vulnerable to a cross-site request forgery in the Samba Web Administration Tool (SWAT). By guessing a user's password and then tricking a user who is authenticated with SWAT into clicking a manipulated URL on a different web page, it is possible to manipulate SWAT.

In order to be vulnerable, the attacker needs to know the victim's password. Additionally SWAT must have been installed and enabled either as a standalone server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has not been installed or enabled (which is the default install state for Samba) this advisory can be ignored.
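Both issues above are classic web-application defects with well-known server-side fixes: a frame-embedding restriction (X-Frame-Options / CSP frame-ancestors) stops the overlay trick behind CVE-2013-0213, and a per-session anti-CSRF token that a cross-site page cannot read stops the forged-request trick behind CVE-2013-0214. The following is an added example, not Samba or SWAT code; it models a minimal admin CGI handler in Python, with the pre-fix shape beside the hardened one. The paths, form fields, `Session` class and handler names are invented for illustration, and the forged form data is constructed.

```python
"""Added example (not Samba/SWAT code): the two defences for the bug classes
described in the advisory, applied to a minimal stand-in for an admin CGI
handler. Paths, form fields and names below are hypothetical."""
import hmac
import secrets
from dataclasses import dataclass, field

# Tell the browser the page may not be embedded in a frame on another
# origin. Either header alone defeats the overlay trick; sending both covers
# browsers that honour only one of them.
ANTI_FRAMING_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


@dataclass
class Session:
    """Server-side state for one authenticated admin session (constructed)."""
    user: str
    # Random, per-session, never sent in a cookie: a cross-site page cannot
    # read it, so it cannot be replayed in a forged request.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))
    settings: dict = field(default_factory=dict)


def render_form(session: Session) -> str:
    """Settings form with the session's token embedded as a hidden field."""
    return (
        '<form method="POST" action="/admin/settings">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="workgroup"><input type="submit" value="Commit">'
        '</form>'
    )


def vulnerable_handler(method, path, form, session):
    """Pre-fix shape: any request that arrives with the user's (browser-
    supplied) credentials changes settings, and the response carries no
    anti-framing header, so the page can be framed and overlaid."""
    if method == "POST" and path == "/admin/settings":
        session.settings.update(dict(form))
        return 200, {}, "saved"
    return 200, {}, render_form(session)


def hardened_handler(method, path, form, session):
    """Fixed shape: anti-framing headers on every response, and a
    state-changing POST is accepted only with the session's token."""
    headers = dict(ANTI_FRAMING_HEADERS)
    if method == "POST" and path == "/admin/settings":
        submitted = form.get("csrf_token", "")
        # Constant-time comparison; reject before touching any state.
        if not hmac.compare_digest(submitted, session.csrf_token):
            return 403, headers, "invalid or missing CSRF token"
        session.settings.update(
            {k: v for k, v in form.items() if k != "csrf_token"})
        return 200, headers, "saved"
    return 200, headers, render_form(session)


# What an attacker's page would auto-submit: the victim's browser attaches the
# credentials, but the page has no way to learn the token (constructed input).
FORGED_FORM = {"workgroup": "EVIL"}


def forged_post(handler):
    """Replay the cross-site forgery against a handler.
    Returns (status, stored workgroup or None, anti-framing header present)."""
    s = Session(user="root")
    status, headers, _ = handler("POST", "/admin/settings", FORGED_FORM, s)
    return status, s.settings.get("workgroup"), "X-Frame-Options" in headers


def legitimate_post(handler):
    """A genuine submission from the rendered form, token included."""
    s = Session(user="root")
    form = {"csrf_token": s.csrf_token, "workgroup": "WORKGROUP"}
    status, _, _ = handler("POST", "/admin/settings", form, s)
    return status, s.settings.get("workgroup")


if __name__ == "__main__":
    print("forged vs vulnerable :", forged_post(vulnerable_handler))
    print("forged vs hardened   :", forged_post(hardened_handler))
    print("genuine vs hardened  :", legitimate_post(hardened_handler))
```

Running the block shows the forged request rewriting the setting against `vulnerable_handler` and being refused with 403 by `hardened_handler`, while the genuine form submission still succeeds. Note that the token must live server-side (or be bound to the session with a keyed MAC), not in a cookie: a browser sends cookies and HTTP Basic credentials to the target site automatically, which is exactly what a CSRF attack relies on.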

Alerts:
Debian DSA-2617-1 2013-02-02
Mageia MGASA-2013-0035 2013-02-06
Fedora FEDORA-2013-1654 2013-02-12
Fedora FEDORA-2013-1718 2013-02-12
Fedora FEDORA-2013-1716 2013-02-12
Fedora FEDORA-2013-1667 2013-02-12
openSUSE openSUSE-SU-2013:0277-1 2013-02-12
openSUSE openSUSE-SU-2013:0281-1 2013-02-12
Mandriva MDVSA-2013:011 2013-02-13
SUSE SUSE-SU-2013:0325-1 2013-02-22
SUSE SUSE-SU-2013:0326-1 2013-02-22
SUSE SUSE-SU-2013:0519-1 2013-03-22


samba: multiple vulnerabilities

Posted Feb 8, 2013 11:45 UTC (Fri) by kblin (subscriber, #88617)

It's worthwhile to note that the DSA misrepresents the impact of CVE-2013-0214 quite a bit. The attacker can use an XSRF to get people logged into SWAT as root to change Samba settings ONLY if they know the machine's root password. For other logged in users, the worst thing that could happen would be changing the user's already known password. The CVE announcement Samba posted mentions this more clearly.

samba: multiple vulnerabilities

Posted Feb 8, 2013 14:19 UTC (Fri) by corbet (editor, #1)

I've replaced the DSA text with information from the original advisory; apologies for any confusion.

samba: multiple vulnerabilities

Posted Feb 8, 2013 14:34 UTC (Fri) by kblin (subscriber, #88617)

Thanks for the quick response, Jonathan. Much appreciated.

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.