SB2023091702 - Gentoo update for Samba
Published: September 17, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 33 secuirty vulnerabilities.
1) Path traversal (CVE-ID: CVE-2007-4559)
The vulnerability allows a remote attacker to compromise the affected system.
The
vulnerability exists due to improper validation of filenames in the
tarfile module in Python. A remote attacker can
create a specially crafted archive with symbolic links inside or
filenames that contain directory traversal characters (e.g. "..") and
overwrite arbitrary files on the system.
2) Improper access control (CVE-ID: CVE-2016-2124)
The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.
The vulnerability exists due to SMB1 client connections can be downgraded to plaintext authentication. A remote attacker can perform a man-in-the-middle attack and downgrade a negotiated SMB1 client connection and its capabitilities.
3) Security Features (CVE-ID: CVE-2020-17049)
The vulnerability allows a remote user to bypass authentication process.
The vulnerability exists due to security feature bypass issue in Kerberos. A remote administrator can bypass authentication process and gain unauthorized access to the application.
4) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-25717)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to the Windows Active Directory (AD) domains have by default a feature to allow users to create computer accounts. A remote authenticated attacker can create such account with elevated privileges on the system.
5) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-25718)
The vulnerability allows a remote authenticated attacker to escalate privileges on the system.
The vulnerability exists due to Samba AD DC does not correctly sandbox Kerberos tickets issued by an RODC, which leads to security restrictions bypass and privilege escalation.
6) Race condition (CVE-ID: CVE-2020-25719)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a race condition. A remote administrator can exploit the race and escalate privileges on the system.
7) Improper Authentication (CVE-ID: CVE-2020-25721)
The vulnerability allows a remote attacker to bypass authentication process.
The vulnerability exists due to an error in when processing authentication requests. A remote attacker can bypass authentication process and gain unauthorized access to the application.
8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2020-25722)
The vulnerability allows a remote authenticated attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions, which leads to security restrictions bypass and privilege escalation.
9) Race condition (CVE-ID: CVE-2021-20251)
The vulnerability allows a remote attacker to perform a brute-force attack.
The vulnerability exists due to a race condition in Samba when incrementing bad password attempts. Each connection to Samba gets a separate process, and each process loads, increments, and saves the bad password count without any coordination. A remote attacker can perform a brute-force attack using multiple threats and bypass imposed limits on the number of allowed incorrect passwords.10) Race condition (CVE-ID: CVE-2021-20316)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a race condition. A remote user can exploit the race and gain unauthorized access to sensitive information and escalate privileges on the system.
11) Input validation error (CVE-ID: CVE-2021-23192)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to the DCE/RPC fragment injection issue. A remote attacker can replace subsequent fragments in requests with their own data and alter the server behavior.
12) Resource management error (CVE-ID: CVE-2021-3670)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to Samba AD DC LDAP does not honor the MaxQueryDuration option when handling LDAP requests. A remote user can execute heavy queries and perform a denial of service (DoS) attack.
13) Use-after-free (CVE-ID: CVE-2021-3738)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a use-after-free error in Samba AD DC RPC server. A remote authenticated attacker can gain elevated privileges and perform a denial of service (DoS) attack.
14) Link following (CVE-ID: CVE-2021-44141)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to insecure link following. A remote user with ability to write files to the exported part of the file system under a share via SMB1 unix extensions or via NFS can create a symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition.
15) Out-of-bounds write (CVE-ID: CVE-2021-44142)
The vulnerability allows a remote attacker to compromise vulnerable system.
The vulnerability exists due to a boundary error when processing EA metadata while opening files in smbd within the VFS Samba module (vfs_fruit). A remote attacker with ability to write to file's extended attributes can trigger an out-of-bounds write and execute arbitrary code with root privileges.
Note, the vulnerability in vfs_fruit exists in the default configuration of the fruit VFS module using fruit:metadata=netatalk or fruit:resource=file.
16) Insufficient verification of data authenticity (CVE-ID: CVE-2022-0336)
The vulnerability allows a local user to impersonate arbitrary services.
The vulnerability exists due to Samba AD DC relies only on SPN (service principals name) to identify services on the network. An attacker with ability to modify SPNs can bypass implemented protection and cause a denial of service condition by adding an SPN that matches an existing service or impersonate services on the network.
17) Use of insufficiently random values (CVE-ID: CVE-2022-1615)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due to usage of predictable random values within the GnuTLS gnutls_rnd() function. A remote user can decrypt sensitive information.
18) Security restrictions bypass (CVE-ID: CVE-2022-2031)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to the way the KDC kpasswd service handles password change requests. A remote user can escalate privileges on the system.
19) Memory leak (CVE-ID: CVE-2022-32742)
The vulnerability allows a remote user to gain access to sensitive information.
The vulnerability exists due memory leak when handling SMB1 requests. A remote user with ability to write data to a file share can force the application to leak memory and gain access to potentially sensitive information.
20) Incorrect default permissions (CVE-ID: CVE-2022-32743)
The vulnerability allows a remote attacker to perform MitM attack.
The vulnerability exists due to Samba does not validate the Validated-DNS-Host-Name for the dNSHostName attribute. A remote attacker can set an arbitrary hostname and perform MitM attack.
21) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-32744)
The vulnerability allows a remote user to force password change requests.
The vulnerability exists due to tickets received by the kpasswd service were decrypted without specifying that only that service's own keys should be tried. A remote user can force the server to accept tickets encrypted with any key and initiate password change requests for any Samba AD user.
22) Infinite loop (CVE-ID: CVE-2022-32745)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to infinite loop when processing LDAP requests. A remote user can send a specially crafted LDAP request to the server, consume all available system resources and cause denial of service conditions.
23) Use-after-free (CVE-ID: CVE-2022-32746)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a use-after-free error when handling LDAP requests. A remote user with ability to edit privileged properties, such as userAccountControl, can send a specially crafted LDAP request to the server, trigger a use-after-free error and perform a denial of service (DoS) attack.
24) Heap-based buffer overflow (CVE-ID: CVE-2022-3437)
The vulnerability allows a remote user to perform a denial of service (DoS) attack.
The vulnerability exists due to a boundary error within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. A remote user can send specially crafted data to the application, trigger a heap-based buffer overflow and perform a denial of service (DoS) attack.
25) UNIX symbolic link following (CVE-ID: CVE-2022-3592)
The vulnerability allows a remote user to escalate privileges on the system.
The vulnerability exists due to a symlink following issue. A remote user with access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks to files outside of the smbd configured share path and access otherwise restricted files on the server.
26) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-37966)
The vulnerability allows a remote attacker to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in Windows Kerberos RC4-HMAC. A remote attacker can conduct a man-in-middle (MiTM) attack, which leads to security restrictions bypass and privilege escalation.
27) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-37967)
The vulnerability allows a remote administrator to escalate privileges on the system.
The vulnerability exists due to application does not properly impose security restrictions in Kerberos, which leads to security restrictions bypass and privilege escalation.
28) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-38023)
The vulnerability allows a remote attacker to compromise the target system.
The vulnerability exists due to security features bypass in Netlogon RPC. A remote attacker can bypass the Netlogon cryptography feature for signing and sealing traffic during Netlogon authentication.
29) Integer overflow (CVE-ID: CVE-2022-42898)
The vulnerability allows a remote user to execute arbitrary code on the target system.
The vulnerability exists due to an integer overflow within the S4U2Proxy handler on 32-bit systems. A remote user can send specially crafted request to the KDC server, trigger an integer overflow and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.
30) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-45141)
The vulnerability allows a remote attacker to bypass authentication.
The
vulnerability exists due to an error that allows an attacker to force
the server so issue an rc4-hmac ticket encrypted tickets despite the
target server supporting better encryption (eg aes256-cts-hmac-sha1-96).
A remote attacker can perform an offline attack against the ticket
encrypted with rc4-hmac and login as a privileged user.
31) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-0225)
The vulnerability allows a remote user to delete certain attributes.
The vulnerability exists due to improper access restrictions. A remote unprivileged user can delete the "dnsHostname" attribute.
32) Improper access control (CVE-ID: CVE-2023-0614)
The vulnerability allows a remote user to gain gain access to sensitive information.
The vulnerability exists due to insufficient patch for vulnerability #VU14335 (CVE-2018-10919). A remote user can bypass implemented security restrictions and gain access to sensitive information.
33) Cleartext transmission of sensitive information (CVE-ID: CVE-2023-0922)
The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to samba-tool transmits credentials to the LDAP server in clear text. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
Remediation
Install update from vendor's website.