
Samba 3.x < 3.3.16 / 3.4.14 / 3.5.10 Multiple Vulnerabilities

Medium

Synopsis

The remote Samba server is affected by multiple issues.

Description

According to its banner, the version of Samba is 3.5.x earlier than 3.5.10, 3.4.x earlier than 3.4.14, or 3.3.x earlier than 3.3.16, and is therefore affected by multiple vulnerabilities:

- A cross-site scripting vulnerability exists because of a failure to sanitize input to the username parameter of the 'passwd' program. (CVE-2011-2522)

- A cross-site request forgery (CSRF) vulnerability exists which can allow SWAT to be manipulated when a user who is logged in as root is tricked into clicking specially crafted URLs sent by an attacker.

Note that these issues are only exploitable when SWAT is enabled (SWAT is disabled by default) (CVE-2011-2694).
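The banner-based version check described above, as an added example that is not part of this plugin or of Samba: it parses constructed banner strings, compares them against the three fixed releases the advisory names, and uses SWAT status as the exploitability gate the note describes. The banner strings and the `swat_enabled` flag are constructed inputs.

```python
import re
from typing import Optional, Tuple

# First non-vulnerable release per affected 3.x branch, as stated in the advisory.
FIXED = {
    (3, 3): (3, 3, 16),
    (3, 4): (3, 4, 14),
    (3, 5): (3, 5, 10),
}

# Matches "Samba 3.5.6" inside a banner; distribution suffixes such as "-Ubuntu" are ignored.
BANNER_RE = re.compile(r"\bSamba\s+(\d+)\.(\d+)\.(\d+)")


def parse_banner(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from a Samba banner, or None if absent."""
    m = BANNER_RE.search(banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version is in an affected branch and older than its fixed release."""
    fixed = FIXED.get(version[:2])
    if fixed is None:
        # 3.6.x, 4.x, and branches older than 3.3 are outside the ranges this
        # advisory covers, so this check makes no claim about them.
        return False
    return version < fixed


def assess(banner: str, swat_enabled: bool) -> str:
    """Classify a host from its banner and whether SWAT is enabled (constructed flag)."""
    version = parse_banner(banner)
    if version is None:
        return "unknown"           # not a Samba banner, or no version string
    if not is_affected(version):
        return "not-affected"
    if swat_enabled:
        return "exploitable"       # affected version with SWAT enabled: upgrade
    return "affected-swat-disabled"  # still upgrade; SWAT off only blocks exploitation


if __name__ == "__main__":
    # Constructed sample banners, not captured from a real host.
    for b in ["Samba 3.5.6-Ubuntu", "Samba 3.4.14", "Samba 3.3.15", "Samba 3.6.0"]:
        print(b, "->", assess(b, swat_enabled=False))
```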

Solution

Upgrade Samba to version 3.5.10 or later. If version 3.5.x cannot be obtained, versions 3.4.14 and 3.3.16 have been patched for these issues.