SB2025022417 - Multiple vulnerabilities in HP-UX Common Internet File System (CIFS)




Published: February 24, 2025

Security Bulletin ID: SB2025022417
Severity: High
Patch available: YES
Number of vulnerabilities: 19
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

High 21%, Medium 42%, Low 37%

Description

This security bulletin contains information about 19 security vulnerabilities.


1) UNIX symbolic link following (CVE-ID: CVE-2022-3592)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to a symlink following issue. A remote user with access to the exported part of the file system under a share via SMB1 unix extensions or NFS can create symlinks to files outside of the smbd configured share path and access otherwise restricted files on the server. 


2) Improper Authorization (CVE-ID: CVE-2023-3961)

The vulnerability allows a remote attacker to compromise the affected system.

The vulnerability exists due to improper input validation when handling client pipe names. A remote attacker can provide a specially crafted pipe name containing directory traversal characters and force Samba to connect to Unix domain sockets outside of the private directory meant to restrict the services a client could connect to. The connection to Unix domain sockets is performed as root, which means that if a client sends a pipe name that resolves to an external service using an existing Unix domain socket, the client is able to connect to it without any filesystem restrictions.


3) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-4091)

The vulnerability allows a remote user to truncate read-only files.

The vulnerability exists due to an error in the way SMB protocol implementation in Samba handles file operations. A remote user can request read-only access to files and then truncate them to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes".


4) Security features bypass (CVE-ID: CVE-2023-3347)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists because SMB2 packet signing is not enforced when the server is configured with the "server signing = required" option, or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. A remote attacker can intercept and manipulate data.


5) Infinite loop (CVE-ID: CVE-2023-34966)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop when parsing Spotlight mdssvc RPC packets. A remote attacker can consume all available system resources and cause denial of service conditions on servers where Spotlight is explicitly enabled globally or on individual shares with "spotlight = yes".


6) Type Confusion (CVE-ID: CVE-2023-34967)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a type confusion error when parsing Spotlight mdssvc RPC packets. A remote attacker can send specially crafted data to the server, trigger a type confusion error and crash the server.


7) Information disclosure (CVE-ID: CVE-2023-34968)

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to excessive data output by the application. A remote attacker can send a specially crafted RPC request to the server and obtain the real server-side share path.


8) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2023-0225)

The vulnerability allows a remote user to delete certain attributes.

The vulnerability exists due to improper access restrictions. A remote unprivileged user can delete the "dnsHostname" attribute.


9) Improper access control (CVE-ID: CVE-2023-0614)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to an insufficient patch for vulnerability #VU14335 (CVE-2018-10919). A remote user can bypass implemented security restrictions and gain access to sensitive information.


10) Use-after-free (CVE-ID: CVE-2022-32746)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error when handling LDAP requests. A remote user with the ability to edit privileged properties, such as userAccountControl, can send a specially crafted LDAP request to the server, trigger a use-after-free error and perform a denial of service (DoS) attack.



11) Infinite loop (CVE-ID: CVE-2022-32745)

The vulnerability allows a remote user to perform a denial of service (DoS) attack.

The vulnerability exists due to an infinite loop when processing LDAP requests. A remote user can send a specially crafted LDAP request to the server, consume all available system resources and cause denial of service conditions.


12) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-32744)

The vulnerability allows a remote user to force password change requests.

The vulnerability exists because tickets received by the kpasswd service were decrypted without specifying that only that service's own keys should be tried. A remote user can force the server to accept tickets encrypted with any key and initiate password change requests for any Samba AD user.


13) Memory leak (CVE-ID: CVE-2022-32742)

The vulnerability allows a remote user to gain access to sensitive information.

The vulnerability exists due to a memory leak when handling SMB1 requests. A remote user with the ability to write data to a file share can force the application to leak memory and gain access to potentially sensitive information.


14) Security restrictions bypass (CVE-ID: CVE-2022-2031)

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists due to the way the KDC kpasswd service handles password change requests. A remote user can escalate privileges on the system.


15) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-45141)

The vulnerability allows a remote attacker to bypass authentication.

The vulnerability exists due to an error that allows an attacker to force the server to issue rc4-hmac encrypted tickets despite the target server supporting better encryption (e.g. aes256-cts-hmac-sha1-96). A remote attacker can perform an offline attack against the ticket encrypted with rc4-hmac and log in as a privileged user.


16) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-37967)

The vulnerability allows a remote administrator to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Kerberos, which leads to security restrictions bypass and privilege escalation.


17) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2022-37966)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists because the application does not properly impose security restrictions in Windows Kerberos RC4-HMAC. A remote attacker can conduct a man-in-the-middle (MitM) attack, which leads to security restrictions bypass and privilege escalation.


18) Use of a broken or risky cryptographic algorithm (CVE-ID: CVE-2022-38023)

The vulnerability allows a remote attacker to compromise the target system.

The vulnerability exists due to security features bypass in Netlogon RPC. A remote attacker can bypass the Netlogon cryptography feature for signing and sealing traffic during Netlogon authentication.


19) Integer overflow (CVE-ID: CVE-2022-42898)

The vulnerability allows a remote user to execute arbitrary code on the target system.

The vulnerability exists due to an integer overflow within the S4U2Proxy handler on 32-bit systems. A remote user can send a specially crafted request to the KDC server, trigger an integer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.


Remediation

Install update from vendor's website.
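
To help prioritise patching, the smb.conf conditions quoted in items 3, 4 and 5 can be checked against a host's configuration. The following is an added example, not part of the original bulletin or vendor tooling; the function name, the check table and the sample configuration are assumptions made for illustration. A match means the configuration meets the condition the bulletin describes, not that the host is unpatched.

```python
import re

# Exposure conditions named in the bulletin: normalised parameter -> (values, CVE).
CHECKS = {
    "acl_xattr:ignoresystemacls": ({"yes", "true", "1"}, "CVE-2023-4091"),
    "spotlight": ({"yes", "true", "1"}, "CVE-2023-34966"),
    # "mandatory" is the smb.conf manual's name for the value the bulletin calls "required".
    "serversigning": ({"required", "mandatory"}, "CVE-2023-3347"),
}

# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
[global]
    server signing = required
    ; spotlight = yes
[projects]
    vfs objects = acl_xattr
    ACL_XATTR:Ignore System ACLs = Yes
[media]
    Spotlight = yes
[public]
    spotlight = no
"""

def audit_smb_conf(text):
    """Return (section, cve) for every setting that matches a bulletin condition."""
    findings, section, pending = [], None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.endswith("\\"):              # backslash continues onto the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
            continue
        name, sep, value = line.partition("=")
        # smb.conf ignores case and whitespace inside parameter names.
        key = re.sub(r"\s+", "", name).lower()
        if sep and key in CHECKS:
            values, cve = CHECKS[key]
            if value.strip().lower() in values:
                findings.append((section, cve))
    return findings

if __name__ == "__main__":
    for section, cve in audit_smb_conf(SAMPLE_CONF):
        print(f"[{section}] matches the condition described for {cve}")
```

For "server signing", a match indicates the host relies on the signing enforcement that item 4 describes as not applied.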
