Executive Summary

Informations
Name MDVSA-2013:278 First vendor Publication 2013-11-21
Vendor Mandriva Last vendor Modification 2013-11-21
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:H/Au:N/C:P/I:P/A:N)
Cvss Base Score 4 Attack Range Network
Cvss Impact Score 4.9 Attack Complexity High
Cvss Expoit Score 4.9 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A vulnerability has been found and corrected in samba:

Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS) (CVE-2013-4475).

The updated packages has been upgraded to the 3.6.20 version which resolves various upstream bugs and is not vulnerable to this issue.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2013:278

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-264 Permissions, Privileges, and Access Controls

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:20652
 
Oval ID: oval:org.mitre.oval:def:20652
Title: USN-2054-1 -- samba vulnerabilities
Description: Several security issues were fixed in Samba.
Family: unix Class: patch
Reference(s): USN-2054-1
CVE-2012-6150
CVE-2013-4408
CVE-2013-4475
 Version: 5
Platform(s): Ubuntu 13.10
Ubuntu 13.04
Ubuntu 12.10
Ubuntu 12.04
Ubuntu 10.04
 Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20821
 
Oval ID: oval:org.mitre.oval:def:20821
Title: DSA-2812-1 samba - several
Description: Two security issues were found in Samba, a SMB/CIFS file, print, and login server.
Family: unix Class: patch
Reference(s): DSA-2812-1
CVE-2013-4408
CVE-2013-4475
 Version: 5
Platform(s): Debian GNU/Linux 6.0
Debian GNU/Linux 7
Debian GNU/kFreeBSD 6.0
Debian GNU/kFreeBSD 7
 Product(s): samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:21206
 
Oval ID: oval:org.mitre.oval:def:21206
Title: RHSA-2013:1806: samba and samba3x security update (Important)
Description: Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).
Family: unix Class: patch
Reference(s): RHSA-2013:1806-00
CESA-2013:1806
CVE-2013-4408
CVE-2013-4475
 Version: 31
Platform(s): Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
CentOS Linux 5
CentOS Linux 6
 Product(s): samba3x
samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23482
 
Oval ID: oval:org.mitre.oval:def:23482
Title: DEPRECATED: ELSA-2013:1806: samba and samba3x security update (Important)
Description: Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).
Family: unix Class: patch
Reference(s): ELSA-2013:1806-00
CVE-2013-4408
CVE-2013-4475
 Version: 14
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): samba3x
samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:23855
 
Oval ID: oval:org.mitre.oval:def:23855
Title: ELSA-2013:1806: samba and samba3x security update (Important)
Description: Samba 3.x before 3.6.20, 4.0.x before 4.0.11, and 4.1.x before 4.1.1, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).
Family: unix Class: patch
Reference(s): ELSA-2013:1806-00
CVE-2013-4408
CVE-2013-4475
 Version: 13
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): samba3x
samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:25148
 
Oval ID: oval:org.mitre.oval:def:25148
Title: SUSE-SU-2014:0024-1 -- Security update for Samba
Description: This update fixes the following security issues with Samba: * bnc#844720: DCERPC frag_len not checked (CVE-2013-4408) * bnc#853347: winbind pam security problem (CVE-2012-6150) * bnc#848101: No access check verification on stream files (CVE-2013-4475) And fixes the following non-security issues: * bnc#853021: libsmbclient0 package description contains comments * bnc#817880: rpcclient adddriver and setdrive do not set all needed registry entries * bnc#838472: Client trying to delete print job fails: Samba returns: WERR_INVALID_PRINTER_NAME * bnc#854520 and bnc#849226: various upstream fixes
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0024-1
CVE-2013-4408
CVE-2012-6150
CVE-2013-4475
 Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
 Product(s): Samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26318
 
Oval ID: oval:org.mitre.oval:def:26318
Title: SUSE-SU-2014:0839-1 -- Security update for Samba
Description: Samba, when vfs_streams_depot or vfs_streams_xattr is enabled, allows remote attackers to bypass intended file restrictions by leveraging ACL differences between a file and an associated alternate data stream (ADS).
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0839-1
CVE-2013-4475
 Version: 3
Platform(s): SUSE Linux Enterprise Server 11
 Product(s): Samba
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27279
 
Oval ID: oval:org.mitre.oval:def:27279
Title: DEPRECATED: ELSA-2013-1806 -- samba and samba3x security update (important)
Description: [3.6.9-167] - resolves: #1018037 - Fix CVE-2013-4408. [3.6.9-165] - resolves: #1028086 - Fix CVE-2013-4475.
Family: unix Class: patch
Reference(s): ELSA-2013-1806
CVE-2013-4408
CVE-2013-4475
 Version: 4
Platform(s): Oracle Linux 5
Oracle Linux 6
 Product(s): samba3x
samba
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 253
Os 5
Os 2

Information Assurance Vulnerability Management (IAVM)

Date Description
2013-11-14 IAVM : 2013-B-0131 - Multiple Vulnerabilities in Samba
Severity : Category I - VMSKEY : V0042303

Nessus® Vulnerability Scanner

Date Description
2015-05-20 Name : The remote SUSE host is missing one or more security updates.
File : suse_SU-2014-0839-1.nasl - Type : ACT_GATHER_INFO
2015-02-26 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201502-15.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_samba_20140114.nasl - Type : ACT_GATHER_INFO
2014-11-08 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-0009.nasl - Type : ACT_GATHER_INFO
2014-08-20 Name : The remote Fedora host is missing a security update.
File : fedora_2014-9132.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-996.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-910.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-881.nasl - Type : ACT_GATHER_INFO
2014-01-07 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_cifs-mount-131213.nasl - Type : ACT_GATHER_INFO
2013-12-12 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2054-1.nasl - Type : ACT_GATHER_INFO
2013-12-11 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20131210_samba_and_samba3x_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2013-12-10 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2013-1806.nasl - Type : ACT_GATHER_INFO
2013-12-10 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2013-1806.nasl - Type : ACT_GATHER_INFO
2013-12-10 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-2812.nasl - Type : ACT_GATHER_INFO
2013-12-10 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2013-1806.nasl - Type : ACT_GATHER_INFO
2013-11-26 Name : The remote Fedora host is missing a security update.
File : fedora_2013-21088.nasl - Type : ACT_GATHER_INFO
2013-11-25 Name : The remote Fedora host is missing a security update.
File : fedora_2013-21207.nasl - Type : ACT_GATHER_INFO
2013-11-22 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-278.nasl - Type : ACT_GATHER_INFO
2013-11-21 Name : The remote Fedora host is missing a security update.
File : fedora_2013-21094.nasl - Type : ACT_GATHER_INFO
2013-11-20 Name : The remote FreeBSD host is missing one or more security-related updates.
File : freebsd_pkg_a4f08579516c11e39b62000c292e4fd8.nasl - Type : ACT_GATHER_INFO
2013-11-19 Name : The remote Slackware host is missing a security update.
File : Slackware_SSA_2013-322-03.nasl - Type : ACT_GATHER_INFO
2013-11-15 Name : The remote Samba server is affected by multiple vulnerabilities.
File : samba_4_1_1.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
Date Informations
2014-02-17 11:44:09
  • Multiple Updates
2013-11-21 17:18:46
  • First insertion