4.96. samba3x
Updated samba3x packages that fix several security issues and several bugs are now available for Red Hat Enterprise Linux 5.
The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link associated with the description below. .
Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.
Security Fixes
- CVE-2013-0213
- It was discovered that the Samba Web Administration Tool (SWAT) did not protect against being opened in a web page frame. A remote attacker could possibly use this flaw to conduct a clickjacking attack against SWAT users or users with an active SWAT session.
- CVE-2013-0214
- A flaw was found in the Cross-Site Request Forgery (CSRF) protection mechanism implemented in SWAT. An attacker with the knowledge of a victim's password could use this flaw to bypass CSRF protections and conduct a CSRF attack against the victim SWAT user.
- CVE-2013-4124
- An integer overflow flaw was found in the way Samba handled an Extended Attribute (EA) list provided by a client. A malicious client could send a specially crafted EA list that triggered an overflow, causing the server to loop and reprocess the list using an excessive amount of memory.
Note
This issue does not affect the default configuration of samba server.
Red Hat would like to thank the Samba project for reporting CVE-2013-0213 and CVE-2013-0214. Upstream acknowledges Jann Horn as the original reporter of CVE-2013-0213 and CVE-2013-0214.
Bug Fixes
- BZ#862872
- When a domain controller (DC) was rebuilding the System Volume (Sysvol) directory, it disabled the Net Logon service. Even if another working DC was available, users were not able to log in until the rebuilding was finished and, as a consequence, error messages were returned. With this update, when an attempt to open the Net Logon connection fails two times, users are able to log in using another DC without any errors.
- BZ#869295
- Previously, when the
Windbind
daemon (windbindd
) authenticated Active Directory (AD) users, it used 100% of the CPU and stopped the user authentication. This update provides a patch to fix this bug andwindbindd
now works as expected. - BZ#883861
- When the
Windbind
daemon (windbindd
) was not able to establish a Server Message Block (SMB) connection to a domain controller (DC), it retried three times in a row, waited for some time and tried to connect again. Because the socket thatwindbindd
had opened to connect to DC was not closed,windbindd
leaked three sockets each time it tried to establish the connection, which led to depletion of the available sockets. With this update, a patch has been provided to fix this bug and the sockets are now closed correctly so thatwindbindd
no longer leaks sockets in the described scenario. - BZ#905071
- Previously, guest users did not have the correct token allowing write operations on a writable guest share. Consequently, such users were not able to create or write to any files within the share. With this update, a patch has been provided to fix this bug and the guest users are able to write to or create any files within the writable share as expected.
Note
Theshare
parameter is obsolete and the security mode should be set touser
. - BZ#917564
- The Samba service contains the user name mapping optimization that stores an unsuccessful mapping so that it is not necessary to traverse the whole mapping file every time. Due to a bug in the optimization, the user name mapping worked only once and then it was overwritten with the unsuccessful one. This update provides a patch to fix this bug and the successful user name mapping is no longer overwritten in the described scenario.
- BZ#947999
- Due to a bug in the authentication code that forwarded the NTLMv2 authentication challenge to the primary domain controller (PDC), an incorrect domain name was sent from a client. Consequently, the user was not able to log in, because when the domain name was hashed in the second NTLMv2 authentication challenge, the server could not verify the validity of the hash and the access was rejected. With this update, the correct domain name is set by the client to the PDC and the user is able to log in as expected.
- BZ#982484
- An attempt to execute the wkssvc_NetWkstaEnumUsers RPC command without a pointer to the resume handle caused the
smbd
daemon to terminate with a segmentation fault. Consequently, the client was disconnected. With this update, the underlying source code has been adapted to verify that the pointer is valid before attempting to dereference it. As a result,smbd
no longer crashes in this situation.
All samba3x users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing this update, the smb service will be restarted automatically.