Bug 454798 (CVE-2013-0213) - <net-fs/samba-3.5.21: SWAT Clickjacking Vulnerability (CVE-2013-{0213,0214})
Summary: <net-fs/samba-3.5.21: SWAT Clickjacking Vulnerability (CVE-2013-{0213,0214})
Status: RESOLVED FIXED
Alias: CVE-2013-0213
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: https://secunia.com/advisories/51994/
Whiteboard: B4 [noglsa]
Keywords:
Depends on: 459278
Blocks:
Reported: 2013-01-31 10:24 UTC by Agostino Sarubbo
Modified: 2013-04-10 21:03 UTC (History)
See Also:
Package list:
Runtime testing required: ---
Description Agostino Sarubbo gentoo-dev 2013-01-31 10:24:36 UTC
From $URL :

Description
A vulnerability has been reported in Samba, which can be exploited by malicious people to conduct clickjacking attacks.

The Samba Web Administration Tool (SWAT) allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. change certain settings by tricking a user into clicking a specially crafted link via clickjacking.

Successful exploitation requires that SWAT is enabled (disabled by default).

The vulnerability is reported in versions 3.0.x through 4.0.1.


Solution
Update to versions 4.0.2, 3.6.12, or 3.5.21.

Provided and/or discovered by
The vendor credits Jann Horn.

Original Advisory
http://www.samba.org/samba/history/security.html
http://www.samba.org/samba/security/CVE-2013-0213
http://www.samba.org/samba/security/CVE-2013-0214
Comment 1 Víctor Ostorga (RETIRED) gentoo-dev 2013-02-04 22:40:14 UTC
@security: I've updated samba to versions 4.0.2, 3.6.12, or 3.5.21 and cleaned up old versions, excluding stable ones.

The stabilization schedule should be:

samba-3.6.12: amd64 hppa x86
samba-3.5.21: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86
Comment 2 Víctor Ostorga (RETIRED) gentoo-dev 2013-02-12 15:44:45 UTC
(In reply to comment #1)
> @security: I've updated samba to versions 4.0.2, 3.6.12, or 3.5.21 and
> cleaned up old versions, excluding stable ones.
> 
> The stabilization schedule should be:
> 
> samba-3.6.12: amd64 hppa x86
> samba-3.5.21: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

@security are you alive?
May I stabilize the arches I use? I don't want users to use vulnerable versions.
Comment 3 GLSAMaker/CVETool Bot gentoo-dev 2013-02-15 19:55:25 UTC
CVE-2013-0214 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0214):
  Cross-site request forgery (CSRF) vulnerability in the Samba Web
  Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x before 3.6.12,
  and 4.x before 4.0.2 allows remote attackers to hijack the authentication of
  arbitrary users by leveraging knowledge of a password and composing requests
  that perform SWAT actions.

CVE-2013-0213 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2013-0213):
  The Samba Web Administration Tool (SWAT) in Samba 3.x before 3.5.21, 3.6.x
  before 3.6.12, and 4.x before 4.0.2 allows remote attackers to conduct
  clickjacking attacks via a (1) FRAME or (2) IFRAME element.
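The two SWAT weaknesses described in the report and in the CVE text above (a page that can be loaded in a FRAME/IFRAME on another origin, and state-changing actions accepted from any request the browser will authenticate) and the server-side checks that close them, as an added example. This is not Samba or SWAT code; `SwatLikeApp`, the `/globals` form and the `csrf_token` field name are invented for illustration, and the "attack" is simulated in-process with constructed requests.

```python
"""Added example (not Samba/SWAT code): a SWAT-like admin form in its
vulnerable and hardened form, plus two checks a reviewer can run.

Clickjacking precondition: the response can be embedded cross-origin.
   Mitigation: X-Frame-Options: DENY and/or CSP frame-ancestors 'none'.
CSRF precondition: an authenticated request is honoured regardless of
   which origin caused the browser to send it.
   Mitigation: a per-session secret token required on every mutation.
"""
import hmac
import secrets
from dataclasses import dataclass, field

# Headers that stop browsers from rendering the page inside a FRAME/IFRAME
# on another origin. Both are sent: CSP for current browsers, XFO for old ones.
FRAME_DENY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "frame-ancestors 'none'",
}


@dataclass
class Response:
    status: int
    headers: dict
    body: str


@dataclass
class Session:
    user: str
    # 256-bit random token bound to the session; not derived from the password,
    # so knowing (or replaying) the credentials does not reveal it.
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(32))


class SwatLikeApp:
    """Hypothetical stand-in for a browser-administered service."""

    def __init__(self, hardened: bool):
        self.hardened = hardened
        self.settings = {"workgroup": "WORKGROUP"}

    def render_form(self, session: Session) -> Response:
        headers = {"Content-Type": "text/html"}
        body = '<form method="POST" action="/globals">'
        if self.hardened:
            headers.update(FRAME_DENY_HEADERS)
            body += f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        body += '<input name="workgroup"><input type="submit"></form>'
        return Response(200, headers, body)

    def post_globals(self, session: Session, form: dict) -> Response:
        # Vulnerable behaviour: the request arrives with the victim's
        # credentials (the browser replays HTTP auth), so whichever origin
        # made the browser submit it gets to change the setting.
        if self.hardened:
            supplied = form.get("csrf_token", "")
            if not hmac.compare_digest(supplied, session.csrf_token):
                return Response(403, {}, "missing or invalid CSRF token")
        self.settings["workgroup"] = form["workgroup"]
        return Response(200, {}, "ok")


def is_frameable(resp: Response) -> bool:
    """True if a browser would embed this response in a FRAME/IFRAME on a
    different origin, i.e. the page is exposed to clickjacking."""
    xfo = resp.headers.get("X-Frame-Options", "").strip().upper()
    if xfo in ("DENY", "SAMEORIGIN"):
        return False
    csp = resp.headers.get("Content-Security-Policy", "")
    for directive in csp.split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors" and "'none'" in value:
            return False
    return True


def csrf_attack(app: SwatLikeApp, session: Session) -> bool:
    """Simulate a cross-site page auto-submitting the form with the victim's
    credentials but without the victim's token. Returns True if it worked."""
    before = app.settings["workgroup"]
    app.post_globals(session, {"workgroup": "EVIL"})  # constructed request
    return app.settings["workgroup"] != before


def demo() -> dict:
    """Run both checks against the vulnerable and the hardened variant."""
    session = Session(user="admin")
    results = {}
    for name, app in (("vulnerable", SwatLikeApp(hardened=False)),
                      ("hardened", SwatLikeApp(hardened=True))):
        resp = app.render_form(session)
        results[name] = {
            "frameable": is_frameable(resp),
            "csrf_succeeded": csrf_attack(app, session),
        }
    return results


if __name__ == "__main__":
    for variant, outcome in demo().items():
        print(variant, outcome)
```

The token comparison uses `hmac.compare_digest` so a wrong token is rejected in constant time, and the token lives in the session rather than being derived from credentials. Note that the CSRF check alone does not stop clickjacking: a framed page carries its own valid token, so the frame-denying headers are still needed, and the reverse holds too.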
Comment 4 Sean Amoss (RETIRED) gentoo-dev Security 2013-02-15 19:59:43 UTC
(In reply to comment #1)
> @security: I've updated samba to versions 4.0.2, 3.6.12, or 3.5.21 and
> cleaned up old versions, excluding stable ones.
> 
> The stabilization schedule should be:
> 
> samba-3.6.12: amd64 hppa x86
> samba-3.5.21: alpha amd64 arm hppa ia64 ppc ppc64 s390 sh sparc x86

Arches, please test and mark stable.
Comment 5 Agostino Sarubbo gentoo-dev 2013-02-16 07:37:24 UTC
x86 stable
Comment 6 Agostino Sarubbo gentoo-dev 2013-02-16 07:37:45 UTC
amd64 stable
Comment 7 Agostino Sarubbo gentoo-dev 2013-02-16 07:57:23 UTC
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2013-02-16 08:03:15 UTC
ppc64 stable
Comment 9 Jeroen Roovers (RETIRED) gentoo-dev 2013-02-18 23:25:58 UTC
Stable for HPPA.
Comment 10 Agostino Sarubbo gentoo-dev 2013-02-21 13:19:24 UTC
ia64 stable
Comment 11 Agostino Sarubbo gentoo-dev 2013-02-21 16:08:01 UTC
sparc stable
Comment 12 Agostino Sarubbo gentoo-dev 2013-02-22 18:40:41 UTC
arm stable
Comment 13 Agostino Sarubbo gentoo-dev 2013-03-01 11:18:08 UTC
alpha stable
Comment 14 Agostino Sarubbo gentoo-dev 2013-03-01 11:54:57 UTC
s390 stable
Comment 15 Agostino Sarubbo gentoo-dev 2013-03-05 09:14:47 UTC
sh stable
Comment 16 Tobias Heinlein (RETIRED) gentoo-dev 2013-03-24 19:42:22 UTC
Ready for vote, I vote NO.
Comment 17 Sean Amoss (RETIRED) gentoo-dev Security 2013-04-10 21:03:00 UTC
GLSA vote: no, too.

Closing noglsa.