
=====================================================================

                                CERT-Renater

                     Note d'Information No. 2022/VULN306

_____________________________________________________________________

DATE                : 31/08/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Samba versions prior to 4.16.4,
                                4.15.9, 4.14.14.

=====================================================================
https://www.samba.org/samba/security/CVE-2022-2031.html
https://www.samba.org/samba/security/CVE-2022-32742.html
https://www.samba.org/samba/security/CVE-2022-32744.html
https://www.samba.org/samba/security/CVE-2022-32745.html
https://www.samba.org/samba/security/CVE-2022-32746.html
_____________________________________________________________________

===========================================================
== Subject:     Samba AD users can bypass certain restrictions
==              associated with changing passwords.
==
== CVE ID#:     CVE-2022-2031
==
== Versions:    All versions of Samba prior to 4.16.4
==
== Summary:     The KDC and the kpasswd service share a single account
==              and set of keys, allowing them to decrypt each other's
==              tickets. A user who has been requested to change their
==              password can exploit this to obtain and use tickets to
==              other services.
===========================================================

===========
Description
===========

The KDC and the kpasswd service share a single account and set of
keys. In certain cases, this makes the two services susceptible to
confusion.

When a user's password has expired, that user is requested to change
their password. Until doing so, the user is restricted to only
acquiring tickets to kpasswd.

However, a vulnerability meant that the kpasswd's principal, when
canonicalized, was set to that of the TGS (Ticket-Granting Service),
thus yielding TGTs from ordinary kpasswd requests. These TGTs could be
used to perform an Elevation of Privilege attack by obtaining service
tickets and using services in the forest. This vulnerability existed
in versions of Samba built with Heimdal Kerberos.

A separate vulnerability in Samba versions below 4.16, and in Samba
built with MIT Kerberos, led the KDC to accept kpasswd tickets as if
they were TGTs, with the same overall outcome.

On the reverse side of the issue, password changes could be effected
by presenting TGTs as if they were kpasswd tickets. Because a TGT can
have a considerably longer lifetime than a kpasswd ticket, this raised
the value to an attacker of a stolen credential cache containing a TGT:
by changing the password, the attacker could gain indefinite control
over the account.

Finally, kpasswd service tickets would be accepted for changes to
one's own password, contrary to the requirement that tickets be
acquired with an initial KDC request in such cases.

As part of the mitigations, the lifetime of kpasswd tickets has been
restricted to a maximum of two minutes, and the KDC no longer accepts
TGTs with two minutes or less left to live, so that it cannot be made
to accept a kpasswd ticket as a TGT.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

     https://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========
Workaround
==========

kpasswd is not a critical protocol for the AD DC in most installations;
it can be disabled by setting "kpasswd port = 0" in the [global]
section of smb.conf.

=======
Credits
=======

Originally reported by Luke Howard.

Patches provided by Joseph Sutton and Andreas Schneider of the Samba
team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________
CVE-2022-32742.html:


====================================================================
== Subject:     Server memory information leak via SMB1.
==
== CVE ID#:     CVE-2022-32742
==
== Versions:    All versions of Samba.
==
== Summary:     SMB1 Client with write access to a share can cause
==              server memory contents to be written into a file
==              or printer.
==
====================================================================

===========
Description
===========

Please note that only versions of Samba prior to 4.11.0 are vulnerable
to this bug by default. Samba versions 4.11.0 and above disable SMB1
by default, and will only be vulnerable if the administrator has
deliberately enabled SMB1 in the smb.conf file.

All versions of Samba with SMB1 enabled are vulnerable to a server
memory information leak bug over SMB1 if a client can write data to a
share. Some SMB1 write requests were not correctly range checked to
ensure the client had sent enough data to fulfill the write, allowing
server memory contents to be written into the file (or printer)
instead of client supplied data. The client cannot control the area of
the server memory that is written to the file (or printer).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

   http://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9 and 4.14.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

====================
CVSSv3.1 calculation
====================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3)

==========
Workaround
==========

This is an SMB1-only vulnerability. Since Samba release 4.11.0 SMB1
has been disabled by default. We do not recommend enabling SMB1 server
support. For Samba versions prior to 4.11.0 please disable SMB1 by
adding

server min protocol = SMB2_02

to the [global] section of your smb.conf and restarting smbd.

=======
Credits
=======

This problem was reported by Luca Moro working with Trend Micro Zero
Day Initiative. Jeremy Allison of Google and the Samba Team provided
the fix.


_____________________________________________________________________


CVE-2022-32744.html:

===========================================================
== Subject:     Samba AD users can forge password change requests for
==              any user.
==
== CVE ID#:     CVE-2022-32744
==
== Versions:    Samba 4.3 and later
==
== Summary:     The KDC accepts kpasswd requests encrypted with any
==              key known to it. By encrypting forged kpasswd requests
==              with its own key, a user can change the passwords of
==              other users, enabling full domain takeover.
===========================================================

===========
Description
===========

Tickets received by the kpasswd service were decrypted without
specifying that only that service's own keys should be tried. By
setting the ticket's server name to a principal associated with their
own account, or by exploiting a fallback where known keys would be
tried until a suitable one was found, an attacker could have the
server accept tickets encrypted with any key, including their own.

A user could thus change the password of the Administrator account and
gain total control over the domain. Full loss of confidentiality and
integrity would be possible, as well as of availability by denying
users access to their accounts.

In addition, the kpasswd service would accept tickets encrypted by the
krbtgt key of an RODC, in spite of the fact that RODCs should not have
been able to authorise password changes.
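
The following Python model is added to this bulletin and is not Samba
code nor part of the Samba Team's advisories. It shows how the kpasswd
flaws described under CVE-2022-2031 and CVE-2022-32744 interact and what
the hardened acceptance checks look like: the single key shared by the
KDC and kpasswd, the two-minute cap on kpasswd tickets together with the
TGS rule that refuses any ticket with two minutes or less to live, the
requirement that kpasswd tickets come from an initial request, and the
fallback that tried every key known to the KDC against a forged ticket.
The realm and principal names, the sample keys, the fixed clock and the
HMAC used in place of Kerberos ticket encryption are all constructed for
the example.

```python
"""Toy model of the kpasswd/KDC ticket confusion fixed in Samba 4.16.4.

Constructed example, not Samba code.  A ticket is a JSON body authenticated
with an HMAC under a service key; that stands in for Kerberos ticket
encryption, since the only property modelled is "which key verifies this".
"""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

TGS_NAME = "krbtgt/EXAMPLE.ORG"          # hypothetical realm
KPASSWD_NAME = "kadmin/changepw"
KPASSWD_MAX_LIFE = timedelta(minutes=2)  # cap introduced by the fix
TGT_LIFE = timedelta(hours=10)           # typical TGT lifetime (constructed)
NOW = datetime(2022, 8, 31, 12, 0, tzinfo=timezone.utc)  # constructed clock

# As the advisory says, the KDC and kpasswd share one account and key set, so
# both service names resolve to the same key.  User long-term keys are also
# known to the KDC, which is what the vulnerable fallback exploited.
SERVICE_KEY = b"shared-kdc-and-kpasswd-key (constructed)"
KDC_KEYS = {
    TGS_NAME: SERVICE_KEY,
    KPASSWD_NAME: SERVICE_KEY,
    "alice": b"alice-long-term-key (constructed)",
    "Administrator": b"administrator-long-term-key (constructed)",
}

def seal(body, key):
    payload = json.dumps(body, sort_keys=True)
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "mac": mac}

def unseal(ticket, key):
    """Return the ticket body if it verifies under key, else None."""
    mac = hmac.new(key, ticket["payload"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, ticket["mac"]):
        return None
    return json.loads(ticket["payload"])

def remaining(body, now):
    return datetime.fromisoformat(body["endtime"]) - now

def issue(cname, sname, now, lifetime, initial):
    """KDC issuing a ticket; kpasswd tickets are capped at two minutes."""
    if sname == KPASSWD_NAME:
        lifetime = min(lifetime, KPASSWD_MAX_LIFE)
    body = {"cname": cname, "sname": sname, "initial": initial,
            "endtime": (now + lifetime).isoformat()}
    return seal(body, KDC_KEYS[sname])

def tgs_accept(ticket, now):
    """Hardened TGS: a ticket with two minutes or less to live is refused, so a
    kpasswd ticket cannot pass as a TGT even if its name was canonicalised to
    the TGS while being issued."""
    body = unseal(ticket, KDC_KEYS[TGS_NAME])
    if body is None or body["sname"] != TGS_NAME:
        return None
    if remaining(body, now) <= KPASSWD_MAX_LIFE:
        return None
    return body["cname"]

def kpasswd_accept_vulnerable(ticket):
    """CVE-2022-32744 fallback: try every key the KDC knows until one verifies."""
    for key in KDC_KEYS.values():
        body = unseal(ticket, key)
        if body is not None:
            return body["cname"]          # whoever the (possibly forged) body names
    return None

def kpasswd_accept_fixed(ticket, now):
    """Hardened kpasswd: own key only, own service name only, initial tickets only."""
    body = unseal(ticket, KDC_KEYS[KPASSWD_NAME])
    if body is None or body["sname"] != KPASSWD_NAME:
        return None                       # a TGT is not a kpasswd ticket
    if not body["initial"]:
        return None                       # must come from an AS request, not a TGT
    if remaining(body, now) <= timedelta(0):
        return None
    return body["cname"]

def forge_for_kpasswd(attacker_key, victim, now):
    """A user holding only their own key builds a kpasswd ticket naming another account."""
    body = {"cname": victim, "sname": KPASSWD_NAME, "initial": True,
            "endtime": (now + timedelta(minutes=1)).isoformat()}
    return seal(body, attacker_key)

if __name__ == "__main__":
    forged = forge_for_kpasswd(KDC_KEYS["alice"], "Administrator", NOW)
    print("vulnerable kpasswd authorises a change for:", kpasswd_accept_vulnerable(forged))
    print("fixed kpasswd authorises a change for:", kpasswd_accept_fixed(forged, NOW))
```

Run as a script, the forged ticket is accepted by the vulnerable handler
as a request on behalf of Administrator and refused by the fixed one. The
same two-minute bound does double duty: it is the cap applied when a
kpasswd ticket is issued and the threshold below which the TGS refuses
any ticket, which is why a kpasswd ticket can never be replayed as a TGT
even though both services still share one key.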

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

     https://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

==========
Workaround
==========

kpasswd is not a critical protocol for the AD DC in most installations;
it can be disabled by setting "kpasswd port = 0" in the [global]
section of smb.conf.
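
The script below is added to this bulletin and is not Samba code. It
checks an smb.conf for the two workarounds quoted in these advisories:
whether SMB1 can still be negotiated (CVE-2022-32742), taking into
account that an unset "server min protocol" means SMB1 before 4.11.0
and SMB2_02 from 4.11.0 on, and whether "kpasswd port" has been set to
0 (CVE-2022-2031, CVE-2022-32744). The two sample configurations, the
realm, share and workgroup names and the version strings are
constructed.

```python
"""Audit an smb.conf against the two workarounds given in this bulletin.

Constructed example, not Samba code.  It reports whether SMB1 can still be
negotiated (CVE-2022-32742) and whether the AD DC kpasswd listener is still
enabled (CVE-2022-2031, CVE-2022-32744).
"""
import configparser
import re

# Protocol levels in ascending order, as listed in smb.conf(5); anything
# below SMB2_02 is an SMB1 dialect.
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB2_22", "SMB2_24",
                  "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"]
# smb.conf(5): bare SMB2 selects SMB2_10 and bare SMB3 selects SMB3_11.
PROTOCOL_ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}

def normalise_param(name):
    # Samba matches parameter names ignoring case and embedded whitespace.
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text):
    # Leading whitespace is stripped so configparser never treats an indented
    # parameter as a continuation of the previous value.
    flat = "\n".join(line.strip() for line in text.splitlines())
    cp = configparser.RawConfigParser(strict=False, delimiters=("=",),
                                      comment_prefixes=("#", ";"))
    cp.optionxform = normalise_param
    cp.read_string(flat)
    return cp

def global_param(cp, name):
    # Section names are case-insensitive in Samba.
    for section in cp.sections():
        if section.strip().lower() == "global":
            return cp.get(section, name, fallback=None)
    return None

def parse_version(version):
    # Accepts "4.16.4" as well as vendor strings such as "4.13.17-Ubuntu".
    major, minor, patch = re.match(r"(\d+)\.(\d+)\.(\d+)", version).groups()
    return int(major), int(minor), int(patch)

def smb1_enabled(cp, samba_version):
    """True when the server will still negotiate an SMB1 dialect."""
    # 'min protocol' is the documented synonym of 'server min protocol'.
    value = global_param(cp, "server min protocol")
    if value is None:
        value = global_param(cp, "min protocol")
    if value is None:
        # Unset: releases before 4.11.0 default to an SMB1 level, 4.11.0+ to SMB2_02.
        return parse_version(samba_version) < (4, 11, 0)
    level = value.strip().upper()
    level = PROTOCOL_ALIASES.get(level, level)
    if level not in PROTOCOL_ORDER:
        raise ValueError("unknown protocol level %r" % value)
    return PROTOCOL_ORDER.index(level) < PROTOCOL_ORDER.index("SMB2_02")

def kpasswd_enabled(cp):
    """True when kpasswd still listens (default port 464); 'kpasswd port = 0' disables it."""
    value = global_param(cp, "kpasswd port")
    return value is None or int(value.strip()) != 0

def audit_smb_conf(text, samba_version):
    cp = parse_smb_conf(text)
    findings = []
    if smb1_enabled(cp, samba_version):
        findings.append("SMB1 negotiable: set 'server min protocol = SMB2_02' (CVE-2022-32742)")
    if kpasswd_enabled(cp):
        findings.append("kpasswd listening: set 'kpasswd port = 0' on AD DCs "
                        "(CVE-2022-2031, CVE-2022-32744)")
    return findings

# Constructed configurations: one re-enabling SMB1 with kpasswd left on, one hardened.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    server role = active directory domain controller
    # NT1 is the highest SMB1 dialect, so SMB1 is back on
    server min protocol = NT1

[share]
    path = /srv/share
    read only = no
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.ORG
    server role = active directory domain controller
    server min protocol = SMB2_02
    kpasswd port = 0
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_smb_conf(conf, "4.16.3") or ["no findings"])
```

Run as a script it audits the two embedded samples; in practice, pass the
contents of the live smb.conf and the output of "smbd -V" to
audit_smb_conf(). The check reads only the [global] section and does not
follow "include =" lines or registry-backed configuration, so confirm the
effective values on the host with "testparm -v" before relying on the
result. The kpasswd finding is only meaningful on a server running as an
AD DC.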

=======
Credits
=======

Initial report, patches, and this advisory by Joseph Sutton of
Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================


_____________________________________________________________________


CVE-2022-32745.html:

===========================================================
== Subject:     Samba AD users can crash the server process with an
==              LDAP add or modify request.
==
== CVE ID#:     CVE-2022-32745
==
== Versions:    Samba 4.16, 4.15.2, 4.14.10, 4.13.14, and later
==
== Summary:     Samba AD users can cause the server to access
==              uninitialised data with an LDAP add or modify request,
==              usually resulting in a segmentation fault.
===========================================================

===========
Description
===========

Due to incorrect values used as the limit for a loop and as the
'count' parameter to memcpy(), the server, receiving a specially
crafted message, leaves an array of structures partially
uninitialised, or accesses an arbitrary element beyond the end of an
array.

Outcomes achievable by an attacker include segmentation faults and
corresponding loss of availability. Depending on the contents of the
uninitialised memory, confidentiality may also be affected.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

     https://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L (5.4)

==========
Workaround
==========

None.

=======
Credits
=======

Initial report, patches, and this advisory by Joseph Sutton of
Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________


CVE-2022-32746.html:

===========================================================
== Subject:     Samba AD users can induce a use-after-free in the
==              server process with an LDAP add or modify request.
==
== CVE ID#:     CVE-2022-32746
==
== Versions:    All versions of Samba prior to 4.16.4
==
== Summary:     The AD DC database audit logging module can be made to
==              access LDAP message values that have been freed by a
==              preceding database module, resulting in a use-after-
==              free. This is only possible when modifying certain
==              privileged attributes, such as userAccountControl.
===========================================================

===========
Description
===========

Some database modules make a shallow copy of an LDAP add/delete
message so they can make modifications to its elements without
affecting the original message. Each element in a message points to an
array of values, and these arrays are shared between the original
message and the copy.

The issue arises when a database module adds new values to an existing
array. A call to realloc() increases the array's size to accommodate
new elements, but at the same time, frees the old array. This leaves
the original message element with a dangling pointer to a now-freed
array. When the database audit logging module subsequently logs the
details of the original message, it will access this freed data,
generally resulting in corrupted log output or a crash.

The code paths susceptible to this issue are reachable when certain
specific attributes, such as userAccountControl, are added or
modified. These attributes are not editable by default without having
a privilege assigned, such as Write Property.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

     https://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)

==========
Workaround
==========

Disabling AD DC database audit logging prevents the use-after-free
from occurring, as that is the only component that will access the
original message.

=======
Credits
=======

Initial report, patches, and this advisory by Joseph Sutton and Andrew
Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================

