FreshPorts - VuXML

This page displays vulnerability information about FreeBSD Ports.

The VUXML data was last processed by FreshPorts on 2024-04-29 10:45:39 UTC

k68

These are the vulnerabilities relating to the commit you have selected:

VuXML ID: f9140ad4-4920-11ed-a07e-080027f5fec9
samba -- Multiple vulnerabilities

The Samba Team reports:

  • CVE-2022-2031: The KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password can exploit this to obtain and use tickets to other services.
  • CVE-2022-32744: The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover.
  • CVE-2022-32745: Samba AD users can cause the server to access uninitialised data with an LDAP add or modify request, usually resulting in a segmentation fault.
  • CVE-2022-32746: The AD DC database audit logging module can be made to access LDAP message values that have been freed by a preceding database module, resulting in a use-after-free. This is only possible when modifying certain privileged attributes, such as userAccountControl.
  • CVE-2022-32742: SMB1 Client with write access to a share can cause server memory contents to be written into a file or printer.

Discovery: 2022-07-27
Entry: 2022-10-11
Affected packages:
  • samba412 < 4.12.16
  • samba413 < 4.13.17_2

CVE-2022-2031
CVE-2022-32744
CVE-2022-32745
CVE-2022-32746
CVE-2022-32742
https://lists.samba.org/archive/samba-announce/2022/000609.html
https://www.samba.org/samba/security/CVE-2022-2031.html
https://www.samba.org/samba/security/CVE-2022-32744.html
https://www.samba.org/samba/security/CVE-2022-32745.html
https://www.samba.org/samba/security/CVE-2022-32746.html
https://www.samba.org/samba/security/CVE-2022-32742.html
VuXML ID: 6f33d38b-aa18-11eb-b3f1-005056a311d1
samba -- negative idmap cache entries vulnerability

The Samba Team reports:

  • CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.

Discovery: 2021-04-29
Entry: 2021-05-01
Affected packages:
  • samba412 < 4.12.15
  • samba413 < 4.13.8
  • samba414 < 4.14.4

https://www.samba.org/samba/security/CVE-2021-20254.html
CVE-2021-20254
VuXML ID: 646923b0-41c7-11ec-a3b2-005056a311d1
samba -- Multiple Vulnerabilities

The Samba Team reports:

  • CVE-2020-25717: A user in an AD Domain could become root on domain members.
  • CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued by an RODC.
  • CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos tickets.
  • CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers (eg objectSid).
  • CVE-2020-25722: Samba AD DC did not do sufficient access and conformance checking of data stored.
  • CVE-2016-2124: SMB1 client connections can be downgraded to plaintext authentication.
  • CVE-2021-3738: Use after free in Samba AD DC RPC server.
  • CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.

Discovery: 2021-11-10
Entry: 2021-11-10
Affected packages:
  • samba413 < 4.13.14
  • samba414 < 4.14.10
  • samba415 < 4.15.2

CVE-2020-25717
CVE-2020-25718
CVE-2020-25719
CVE-2020-25721
CVE-2020-25722
CVE-2016-2124
CVE-2021-3738
CVE-2021-23192
https://www.samba.org/samba/security/CVE-2020-25717.html
https://www.samba.org/samba/security/CVE-2020-25718.html
https://www.samba.org/samba/security/CVE-2020-25719.html
https://www.samba.org/samba/security/CVE-2020-25721.html
https://www.samba.org/samba/security/CVE-2020-25722.html
https://www.samba.org/samba/security/CVE-2016-2124.html
https://www.samba.org/samba/security/CVE-2021-3738.html
https://www.samba.org/samba/security/CVE-2021-23192.html
VuXML ID: 1f6d97da-8f72-11eb-b3f1-005056a311d1
samba -- Multiple Vulnerabilities

The Samba Team reports:

  • CVE-2020-27840: An anonymous attacker can crash the Samba AD DC LDAP server by sending easily crafted DNs as part of a bind request. More serious heap corruption is likely also possible.
  • CVE-2021-20277: User-controlled LDAP filter strings against the AD DC LDAP server may crash the LDAP server.

Discovery: 2021-03-24
Entry: 2021-03-28
Affected packages:
  • samba411 <= 4.11.15
  • samba412 < 4.12.14
  • samba413 < 4.13.7
  • samba414 < 4.14.2

https://www.samba.org/samba/security/CVE-2020-27840.html
https://www.samba.org/samba/security/CVE-2021-20277.html
CVE-2020-27840
CVE-2021-20277
VuXML ID: 441e1e1a-27a5-11ee-a156-080027f5fec9
samba -- multiple vulnerabilities

The Samba Team reports:

CVE-2023-34967: Samba Spotlight mdssvc RPC Request Type Confusion DoS Vulnerability
When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where keys are character strings and values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function dalloc_value_for_key(), which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed in pointer is not a valid talloc pointer. As RPC worker processes are shared among multiple client connections, a malicious client can crash the worker process affecting all other clients that are also served by this worker.
CVE-2022-2127: Out-Of-Bounds read in winbind AUTH_CRAP
When doing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable length. Winbind did not properly bounds-check the lan manager response length, which despite the lan manager version no longer being used is still part of the protocol. If the system is running Samba's ntlm_auth as authentication backend for services like Squid (or a very unusual configuration with FreeRADIUS), the vulnerability is remotely exploitable. If not so configured, or to exploit this vulnerability locally, the user must have access to the privileged winbindd UNIX domain socket (a subdirectory with name 'winbindd_privileged' under "state directory", as set in the smb.conf). This access is normally only given to special system services, like Squid or FreeRADIUS, that use this feature.
CVE-2023-34968: Spotlight server-side Share Path Disclosure
As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients. Known server side paths could be used to mount subsequent more serious security attacks or could disclose confidential information that is part of the path. To mitigate the issue, Samba will replace the real server-side path with a fake path constructed from the sharename.
CVE-2023-34966: Samba Spotlight mdssvc RPC Request Infinite Loop DoS Vulnerability
When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This bug only affects servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes".
CVE-2023-3347: SMB2 packet signing not enforced
SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. SMB2 packet signing is a mechanism that ensures the integrity and authenticity of data exchanged between a client and a server using the SMB2 protocol. It provides protection against certain types of attacks, such as man-in-the-middle attacks, where an attacker intercepts network traffic and modifies the SMB2 messages. Both client and server of an SMB2 connection can require that signing is being used. The server-side setting in Samba to configure signing to be required is "server signing = required". Note that on Samba AD DCs this is also the default for all SMB2 connections. Unless the client requires signing, which would result in signing being used on the SMB2 connection, sensitive data might have been modified by an attacker. Clients connecting to IPC$ on an AD DC will require signed connections being used, so the integrity of these connections was not affected.

Discovery: 2023-07-19
Entry: 2023-08-05
Affected packages:
  • samba416 < 4.16.11
  • samba413 < 4.13.17_6

CVE-2023-34967
CVE-2022-2127
CVE-2023-34968
CVE-2023-34966
CVE-2023-3347
https://www.samba.org/samba/security/CVE-2023-34967.html
https://www.samba.org/samba/security/CVE-2022-2127.html
https://www.samba.org/samba/security/CVE-2023-34968.html
https://www.samba.org/samba/security/CVE-2023-34966.html
https://www.samba.org/samba/security/CVE-2023-3347.html
VuXML ID: 8579074c-839f-11ec-a3b2-005056a311d1
samba -- Multiple Vulnerabilities

The Samba Team reports:

  • CVE-2021-43566: Malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition.
  • CVE-2021-44141: Information leak via symlinks of existence of files or directories outside of the exported share.
  • CVE-2021-44142: Out-of-bounds heap read/write vulnerability in VFS module vfs_fruit allows code execution.
  • CVE-2022-0336: Samba AD users with permission to write to an account can impersonate arbitrary services.

Discovery: 2022-01-31
Entry: 2022-02-01
Affected packages:
  • samba413 < 4.13.17
  • samba414 < 4.14.12
  • samba415 < 4.15.5

CVE-2021-43566
CVE-2021-44141
CVE-2021-44142
CVE-2022-0336
https://www.samba.org/samba/security/CVE-2021-43566.html
https://www.samba.org/samba/security/CVE-2021-44141.html
https://www.samba.org/samba/security/CVE-2021-44142.html
https://www.samba.org/samba/security/CVE-2022-0336.html
VuXML ID: 1c5f3fd7-54bf-11ed-8d1e-005056a311d1
samba -- buffer overflow in Heimdal unwrap_des3()

The Samba Team reports:

The DES (for Samba 4.11 and earlier) and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet.

Discovery: 2022-08-02
Entry: 2022-10-25
Affected packages:
  • samba412 < 4.12.16
  • samba413 < 4.13.17_4
  • samba416 < 4.16.6

CVE-2022-3437
https://www.samba.org/samba/security/CVE-2022-3437.html
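As a worked check against the version ranges listed on this page, the following added Python script (example code written for this page; not FreshPorts, Samba or pkg(8) code) transcribes every affected range above and reports which VuXML entries apply to a given installed port version. Its version ordering is a simplified approximation of pkg(8)'s (epoch after a comma, then dotted version components, then the _PORTREVISION suffix, so that 4.13.17 sorts before 4.13.17_1 and 4.13.17_1 before 4.13.17_2); the special-cased suffixes pkg knows about ("pl", "pre", "alpha" and similar) are not reproduced, which is fine for the purely numeric ranges on this page. The sample inputs at the bottom are constructed. On a real FreeBSD host the authoritative check is `pkg audit -F`, which downloads the current VuXML database and audits all installed packages.

```python
"""Check an installed FreeBSD Samba port version against the VuXML ranges
listed on this page.  Added example; not FreshPorts, Samba or pkg(8) code.
Version ordering is a simplified approximation of pkg(8)'s (see the lead-in).
"""
import re

# (VuXML id, port, operator, boundary) transcribed from the entries above.
# 'lt' is VuXML <lt> ("<" on the page); 'le' is VuXML <le> ("<=" on the page).
RANGES = [
    ("f9140ad4-4920-11ed-a07e-080027f5fec9", "samba412", "lt", "4.12.16"),
    ("f9140ad4-4920-11ed-a07e-080027f5fec9", "samba413", "lt", "4.13.17_2"),
    ("6f33d38b-aa18-11eb-b3f1-005056a311d1", "samba412", "lt", "4.12.15"),
    ("6f33d38b-aa18-11eb-b3f1-005056a311d1", "samba413", "lt", "4.13.8"),
    ("6f33d38b-aa18-11eb-b3f1-005056a311d1", "samba414", "lt", "4.14.4"),
    ("646923b0-41c7-11ec-a3b2-005056a311d1", "samba413", "lt", "4.13.14"),
    ("646923b0-41c7-11ec-a3b2-005056a311d1", "samba414", "lt", "4.14.10"),
    ("646923b0-41c7-11ec-a3b2-005056a311d1", "samba415", "lt", "4.15.2"),
    ("1f6d97da-8f72-11eb-b3f1-005056a311d1", "samba411", "le", "4.11.15"),
    ("1f6d97da-8f72-11eb-b3f1-005056a311d1", "samba412", "lt", "4.12.14"),
    ("1f6d97da-8f72-11eb-b3f1-005056a311d1", "samba413", "lt", "4.13.7"),
    ("1f6d97da-8f72-11eb-b3f1-005056a311d1", "samba414", "lt", "4.14.2"),
    ("441e1e1a-27a5-11ee-a156-080027f5fec9", "samba416", "lt", "4.16.11"),
    ("441e1e1a-27a5-11ee-a156-080027f5fec9", "samba413", "lt", "4.13.17_6"),
    ("8579074c-839f-11ec-a3b2-005056a311d1", "samba413", "lt", "4.13.17"),
    ("8579074c-839f-11ec-a3b2-005056a311d1", "samba414", "lt", "4.14.12"),
    ("8579074c-839f-11ec-a3b2-005056a311d1", "samba415", "lt", "4.15.5"),
    ("1c5f3fd7-54bf-11ed-8d1e-005056a311d1", "samba412", "lt", "4.12.16"),
    ("1c5f3fd7-54bf-11ed-8d1e-005056a311d1", "samba413", "lt", "4.13.17_4"),
    ("1c5f3fd7-54bf-11ed-8d1e-005056a311d1", "samba416", "lt", "4.16.6"),
]

# VuXML range operators, applied to the result of compare(installed, bound).
OPS = {
    "lt": lambda c: c < 0,
    "le": lambda c: c <= 0,
    "gt": lambda c: c > 0,
    "ge": lambda c: c >= 0,
    "eq": lambda c: c == 0,
}


def parse_version(ver):
    """Split 'version[_revision][,epoch]' into (epoch, components, revision)."""
    epoch = 0
    if "," in ver:
        ver, e = ver.rsplit(",", 1)
        epoch = int(e)
    revision = 0
    if "_" in ver:
        ver, r = ver.rsplit("_", 1)
        revision = int(r)
    components = []
    for part in ver.split("."):
        # "17" -> [17]; "1a" -> [1, "a"]: digit runs and letter runs become separate tokens
        for tok in re.findall(r"\d+|[A-Za-z]+", part):
            components.append(int(tok) if tok.isdigit() else tok)
    return epoch, components, revision


def _cmp_components(a, b):
    for i in range(max(len(a), len(b))):
        x = a[i] if i < len(a) else 0   # a missing trailing component counts as 0
        y = b[i] if i < len(b) else 0
        if x == y:
            continue
        if isinstance(x, int) and isinstance(y, int):
            return -1 if x < y else 1
        if isinstance(x, int):           # 1.0 sorts before 1.0a (bare number before letter suffix)
            return -1
        if isinstance(y, int):
            return 1
        return -1 if x < y else 1
    return 0


def compare(v1, v2):
    """Return -1, 0 or 1 as v1 is older than, equal to or newer than v2."""
    e1, c1, r1 = parse_version(v1)
    e2, c2, r2 = parse_version(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _cmp_components(c1, c2)
    if c:
        return c
    if r1 != r2:
        return -1 if r1 < r2 else 1
    return 0


def affected_by(port, installed):
    """VuXML ids (in page order) whose range for `port` matches `installed`."""
    hits = []
    for vid, pkg, op, bound in RANGES:
        if pkg == port and OPS[op](compare(installed, bound)) and vid not in hits:
            hits.append(vid)
    return hits


if __name__ == "__main__":
    # Constructed sample input, in the shape `pkg query '%n %v' samba413` prints.
    for port, ver in [("samba413", "4.13.17_1"), ("samba413", "4.13.17_6"),
                      ("samba411", "4.11.15")]:
        hits = affected_by(port, ver)
        status = "vulnerable to " + ", ".join(hits) if hits else "no listed entry applies"
        print(f"{port}-{ver}: {status}")
```

The "<" boundaries on this page are exclusive, so a port at exactly the fixed version (samba413 4.13.17_6 for entry 441e1e1a, for instance) is reported clean, while the single "le" range for samba411 is inclusive and still matches 4.11.15; the script makes that distinction explicit instead of relying on string comparison, which would also mis-order 4.13.8 against 4.13.17.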