Red Hat Bugzilla – Bug 928419
CVE-2013-0454 samba: the SMB2 server does not release unused shares
Last modified: 2013-03-27 12:48:33 EDT
Common Vulnerabilities and Exposures assigned an identifier CVE-2013-0454 to
the following vulnerability:
Samba before 3.6.6, as used on the IBM Storwize V7000 Unified 1.3 before
188.8.131.52 and 1.4 before 184.108.40.206 and possibly other products, does not
properly enforce CIFS share attributes, which allows remote authenticated
users to (1) write to a read-only share; (2) triggerdata-integrity problems
related to the oplock, locking, coherency, or leases attribute; or (3) have
an unspecified impact by leveraging incorrect handling of the browseable or
"hide unreadable" parameter.
Not vulnerable. This issue did not affect the versions of samba as shipped with Red Hat Enterprise Linux 5 as they did not provide support for SMB2. This issue did not affect the versions of samba3x and samba as shipped with Red Hat Enterprise Linux 6 as they ship newer versions that do not include the vulnerable code.
To clarify, the SMB2 support was added in 3.6.0:
So only versions 3.6.0 through 3.6.5 (fixed in upstream 3.6.6) were affected by this issue.
This did not ever affect samba3x in Red Hat Enterprise Linux 5 as 5.8 provided 3.5.10 and it was updated to 3.6.6 via RHBA-2013:0064.
Likewise this did not ever affect samba in Red Hat Enterprise Linux 6 as 6.3 provided 3.5.10 and it was updated to 3.6.9 via RHBA-2013:0338.