Rapid7 Vulnerability & Exploit Database

RHSA-2011:1219: samba security update




Samba is a suite of programs used by machines to share files, printers, and other information.

A cross-site scripting (XSS) flaw was found in the password change page of the Samba Web Administration Tool (SWAT). If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, it would lead to arbitrary web script execution in the context of the user's SWAT session. (CVE-2011-2694)

It was found that SWAT web pages did not protect against Cross-Site Request Forgery (CSRF) attacks. If a remote attacker could trick a user, who was logged into the SWAT interface, into visiting a specially-crafted URL, the attacker could perform Samba configuration changes with the privileges of the logged in user. (CVE-2011-2522)

A race condition flaw was found in the way the mount.cifs tool mounted CIFS (Common Internet File System) shares. If mount.cifs had the setuid bit set, a local attacker could conduct a symbolic link attack to trick mount.cifs into mounting a share over an arbitrary directory they were otherwise not allowed to mount to, possibly allowing them to escalate their privileges. (CVE-2010-0787)

It was found that the mount.cifs tool did not properly handle share or directory names containing a newline character. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab (mounted file systems table) file via a specially-crafted CIFS share mount request. (CVE-2010-0547)

It was found that the mount.cifs tool did not handle certain errors correctly when updating the mtab file. If mount.cifs had the setuid bit set, a local attacker could corrupt the mtab file by setting a small file size limit before running mount.cifs. (CVE-2011-1678)

Note: mount.cifs from the samba packages distributed by Red Hat does not have the setuid bit set. We recommend that administrators do not manually set the setuid bit for mount.cifs.

Red Hat would like to thank the Samba project for reporting CVE-2011-2694 and CVE-2011-2522; the Debian Security Team for reporting CVE-2010-0787; and Dan Rosenberg for reporting CVE-2011-1678. Upstream acknowledges Nobuhiro Tsuji of NTT DATA Security Corporation as the original reporter of CVE-2011-2694; Yoshihiro Ishikawa of LAC Co., Ltd. as the original reporter of CVE-2011-2522; and the Debian Security Team acknowledges Ronald Volgers as the original reporter of CVE-2010-0787.

Users of Samba are advised to upgrade to these updated packages, which contain backported patches to resolve these issues. After installing this update, the smb service will be restarted automatically.


  • redhat-upgrade-libsmbclient
  • redhat-upgrade-libsmbclient-devel
  • redhat-upgrade-samba
  • redhat-upgrade-samba-client
  • redhat-upgrade-samba-common
  • redhat-upgrade-samba-swat
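
The three mount.cifs issues above only apply when the binary carries the setuid bit, so a host audit can confirm the advisory's recommendation is being followed. The script below is an added example, not part of the Red Hat advisory or this database entry; the function name `audit_mount_cifs` is hypothetical and the default install paths are assumptions that can be overridden by passing paths explicitly.

```shell
#!/bin/sh
# Added example: report any mount.cifs binary that has the setuid bit set.
# The default candidate paths are assumptions about where the binary is
# installed; pass one or more paths as arguments to check other locations.

# audit_mount_cifs [PATH...]
#   Prints "SETUID: <path>" for every existing regular file with the setuid
#   bit set. Returns 0 when none are setuid, 1 when at least one is.
#   Both -f and -u follow symlinks, so a link to a setuid binary is reported.
audit_mount_cifs() {
    if [ "$#" -eq 0 ]; then
        set -- /sbin/mount.cifs /usr/sbin/mount.cifs /usr/bin/mount.cifs
    fi
    rc=0
    for f in "$@"; do
        # Skip paths that do not exist on this host.
        [ -f "$f" ] || continue
        if [ -u "$f" ]; then
            echo "SETUID: $f"
            rc=1
        fi
    done
    return "$rc"
}

# Run the audit; on a finding, print the command that clears the bit.
audit_mount_cifs "$@" || echo "Clear the bit with: chmod u-s <path>"
```

A non-zero return from `audit_mount_cifs` makes the check usable as a compliance gate in configuration management.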
