First published: Mon Aug 29 2011

Samba is a suite of programs used by machines to share files, printers, and other information.

A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694)

It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged-in user. (CVE-2011-2522)

A race condition flaw was found in the way the mount.cifs tool mounted CIFS (Common Internet File System) shares. If mount.cifs had the setuid bit set, a local attacker could conduct a symbolic link attack to trick mount.cifs into mounting a share over an arbitrary directory they were otherwise not allowed to mount to, possibly allowing them to escalate their privileges. (CVE-2010-0787)

It was found that the mount.cifs tool did not properly handle share or directory names containing a newline character. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS share mount request. (CVE-2010-0547)

It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678)

Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs.

Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522; the Debian Security Team for reporting CVE-2010-0787; and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694; Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522; and the Debian Security Team acknowledges Ronald Volgers as the original reporter of CVE-2010-0787.

Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.

Affected Software | Affected Version | How to fix |
---|---|---|
redhat/samba | <3.0.33-3.29.el5_7.4 | 3.0.33-3.29.el5_7.4 |
redhat/samba-client | <3.0.33-3.29.el5_7.4 | 3.0.33-3.29.el5_7.4 |
redhat/samba-common | <3.0.33-3.29.el5_7.4 | 3.0.33-3.29.el5_7.4 |
redhat/samba-swat | <3.0.33-3.29.el5_7.4 | 3.0.33-3.29.el5_7.4 |
redhat/libsmbclient | <3.0.33-3.29.el5_7.4 | 3.0.33-3.29.el5_7.4 |
redhat/libsmbclient-devel | <3.0.33-3.29.el5_7.4 | 3.0.33-3.29.el5_7.4 |
redhat/samba | <3.0.33-0.34.el4 | 3.0.33-0.34.el4 |
redhat/samba-client | <3.0.33-0.34.el4 | 3.0.33-0.34.el4 |
redhat/samba-common | <3.0.33-0.34.el4 | 3.0.33-0.34.el4 |
redhat/samba-swat | <3.0.33-0.34.el4 | 3.0.33-0.34.el4 |
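
A host check for this advisory, added here as an example (it is not Red Hat's or the Samba project's code): it compares installed package builds with the fixed builds in the table above and reports any mount.cifs helper that has the setuid bit set. The helper paths, the function names, and the use of GNU `sort -V` as a stand-in for rpm's own version comparison are assumptions.

```shell
#!/bin/sh
# Added example, not vendor code. Fixed builds come from the advisory table.
FIXED_EL5="3.0.33-3.29.el5_7.4"
FIXED_EL4="3.0.33-0.34.el4"
PKGS="samba samba-client samba-common samba-swat libsmbclient libsmbclient-devel"
# Assumed install locations for the mount helper; adjust for your system.
HELPERS="/sbin/mount.cifs /usr/sbin/mount.cifs"

# is_setuid FILE: true if FILE exists with the setuid bit set.
is_setuid() { [ -u "$1" ]; }

# older_than A B: true if build A sorts strictly before build B.
# Assumption: GNU `sort -V` approximates rpm's comparison (epoch is ignored).
older_than() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fixed_for BUILD: print the fixed build matching BUILD's dist tag.
fixed_for() {
    case "$1" in
        *.el5*) echo "$FIXED_EL5" ;;
        *.el4*) echo "$FIXED_EL4" ;;
        *) return 1 ;;
    esac
}

# check_pkg NAME BUILD: print a one-line verdict for an installed package.
check_pkg() {
    fixed=$(fixed_for "$2") || { echo "UNKNOWN $1 $2"; return 0; }
    if older_than "$2" "$fixed"; then
        echo "VULNERABLE $1 $2 (fixed in $fixed)"
    else
        echo "OK $1 $2"
    fi
}

# audit_host: check every installed package and every mount.cifs helper.
audit_host() {
    for p in $PKGS; do
        vr=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$p" 2>/dev/null) || continue
        check_pkg "$p" "$(printf '%s\n' "$vr" | head -n 1)"
    done
    for f in $HELPERS; do
        if is_setuid "$f"; then echo "SETUID $f (clear with: chmod u-s $f)"; fi
    done
}

if [ "${1:-}" = "--audit" ]; then audit_host; fi
```

Run it with `--audit` on the host; a `SETUID` line means the mount.cifs flaws described above are reachable on that machine.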