SAMBA:CVE-2013-0214
Jan 30, 2013 - 12:00 a.m.

Cross-Site Request Forgery in SWAT

Samba Security (www.samba.org), 2013-01-30

CVSS2: 5.1 Medium (AV:N/AC:H/Au:N/C:P/I:P/A:P)
Access Vector: NETWORK
Access Complexity: HIGH
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: PARTIAL
Availability Impact: PARTIAL

EPSS: 0.012 Low
Percentile: 84.8%

Description

All current released versions of Samba are vulnerable to a cross-site
request forgery in the Samba Web Administration Tool (SWAT). By guessing a
user’s password and then tricking a user who is authenticated with SWAT into
clicking a manipulated URL on a different web page, it is possible to manipulate
SWAT.

For the attack to work, the attacker needs to know the victim’s password.
Additionally SWAT must have been installed and enabled either as a standalone
server launched from inetd or xinetd, or as a CGI plugin to Apache. If SWAT has
not been installed or enabled (which is the default install state for Samba)
this advisory can be ignored.

If the user authenticated to SWAT as root AND the attacker knows the user’s root
password, it is possible to shut down or start the samba daemons, add or remove
shares, printers and user accounts and to change other aspects of the Samba
configuration.

The Samba Team considers that if the attacker knows the root password,
security has already been breached, but is patching this issue in 4.0.2 out of
an abundance of caution, as we are already patching another SWAT issue with this
release.

Workaround

Ensure SWAT is turned off and configure Samba using an alternative method
to edit the smb.conf file.

Patch Availability

Patches addressing this defect have been posted to

http://www.samba.org/samba/security/

Additionally, Samba 4.0.2, 3.6.12 and 3.5.21 have been issued as security
releases to correct the defect. Samba administrators running affected versions
are advised to upgrade to 4.0.2, 3.6.12 or 3.5.21 or apply the patch as soon as
possible.
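
The exposure conditions in the Description (SWAT enabled through inetd or xinetd) and the fixed releases named above can be checked on a host with a short script. This is an added example, not part of the advisory or of Samba; the function names are hypothetical, the config files passed in (for instance /etc/inetd.conf and /etc/xinetd.d/swat) are assumed distribution defaults, and the Apache CGI case is not checked.

```shell
#!/bin/sh
# Added example (not Samba Team code). Paths passed in are assumptions.

# Succeeds if FILE has an uncommented inetd "swat" service line.
swat_in_inetd() {
    [ -r "$1" ] && grep -Eq '^[[:space:]]*swat[[:space:]]' "$1"
}

# Succeeds if FILE defines "service swat" without "disable = yes"
# (xinetd treats a missing "disable" attribute as enabled).
swat_in_xinetd() {
    [ -r "$1" ] || return 1
    grep -Eq '^[[:space:]]*service[[:space:]]+swat([[:space:]{]|$)' "$1" || return 1
    ! grep -Eiq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' "$1"
}

# Returns 0 if VERSION is at or above the security release named for its
# branch (4.0.2, 3.6.12, 3.5.21), 1 if below, 2 if the branch is not named.
samba_has_fix() {
    ver=${1%%[!0-9.]*}              # drop suffixes such as "-Debian"
    IFS=. read -r maj min pat <<EOF
$ver
EOF
    pat=${pat%%.*}
    case "$maj.$min" in
        4.0) need=2 ;;
        3.6) need=12 ;;
        3.5) need=21 ;;
        *)   return 2 ;;
    esac
    [ "${pat:-0}" -ge "$need" ]
}

# Prints a verdict; returns 0 unless SWAT is enabled on an unfixed version.
audit_swat() {
    if swat_in_inetd "$1" || swat_in_xinetd "$2"; then
        samba_has_fix "$3" && { echo "SWAT enabled; Samba $3 has the fix"; return 0; }
        echo "EXPOSED: SWAT enabled on Samba $3; turn SWAT off or upgrade"
        return 1
    fi
    echo "SWAT not enabled via inetd/xinetd (Apache CGI not checked)"
}

# Constructed sample: xinetd stanza with SWAT on, Samba 3.6.11.
demo=$(mktemp)
printf 'service swat\n{\n\tdisable = no\n}\n' > "$demo"
audit_swat /dev/null "$demo" "3.6.11" || true
rm -f "$demo"
```

On a real host the third argument is the bare version number, for example the second field of the `smbd -V` output.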

Credits

The vulnerability was discovered and reported to the Samba Team by Jann Horn.
The patches for all Samba versions were written and tested by Kai Blin.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
