=====================================================================

                            CERT-Renater

                Note d'Information No. 2026/VULN543
_____________________________________________________________________

DATE                : 27/05/2026

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Samba versions prior to 4.22.10,
                     4.23.8 and 4.24.3.

=====================================================================
https://www.samba.org/samba/security/CVE-2026-1933.html
https://www.samba.org/samba/security/CVE-2026-4408.html
https://www.samba.org/samba/security/CVE-2026-2340.html
https://www.samba.org/samba/security/CVE-2026-4480.html
https://www.samba.org/samba/security/CVE-2026-3012.html
https://www.samba.org/samba/security/CVE-2026-3238.html
_____________________________________________________________________

CVE-2026-1933.html:

===========================================================
== Subject:     Missing access checks on reparse point
==              operations
==
== CVE ID#:     CVE-2026-1933
==
== Versions:    All versions since Samba 4.21
==
== Summary:     On a share marked "read only = yes", and on
==              file handles opened read-only, users can set
==              or delete the reparse point xattrs on files
==              for which they have write access in the file
==              system.
===========================================================

===========
Description
===========

Starting with Samba 4.21, users can create and delete NTFS-style
reparse points (https://en.wikipedia.org/wiki/NTFS_reparse_point) via
the SMB protocol. The Reparse Point Metadata is stored in an extended
attribute named "user.SmbReparse" together with the
FILE_ATTRIBUTE_REPARSE_POINT bit in the user.DosAttrib xattr.

Writing to these xattrs requires file-system level write
permissions.

File systems exported by Samba are marked "read only = yes" by
default, so even users who have write permissions on the exported
files should not be able to modify them via SMB. For setting and
deleting the reparse point xattr, the required user-space access checks
are missing, so users with file-system level write permissions are
able to modify the "user.SmbReparse" xattr even on exports marked as
read only.

The most prominent use of reparse points is the SMB representation of
symbolic links. This vulnerability means that users can turn existing
files where they have write permissions into symlinks as seen by
Windows and Linux clients even on exports marked as "read only = yes".

An attacker can also make an entire file system unavailable to normal
users under the same conditions by turning all existing files into
symlinks or other types of reparse points. This is not a permanent
condition: a server administrator can remove the "user.SmbReparse"
xattr and the FILE_ATTRIBUTE_REPARSE_POINT bit in "user.DosAttrib".

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Score: 7.1 (High)

==========
Workaround
==========

Ensure that users who access a "read only = yes" share do not have
filesystem-level write permission to the exported files.

=======
Credits
=======

Originally reported by Asim Viladi Oglu Manizada.

Patches provided by Stefan Metzmacher of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
_____________________________________________________________________

CVE-2026-4408.html:

===========================================================
== Subject:     Unauthenticated Remote Code Execution
==              in Samba DCE/RPC SAMR server
==
== CVE ID#:     CVE-2026-4408
==
== Versions:    All versions
==
== Summary:     Samba file servers and classic (non-AD)
==              domain controllers with samba-dcerpcd
==              started as a system service and with a
==              "check password script" that has the %u
==              substitution character are vulnerable
==              to remote code execution
===========================================================

===========
Description
===========

Samba file servers and classic (non-AD) domain controllers offer the
SamValidatePasswordChange and SamValidatePasswordReset RPC services on the
SAMR DCE/RPC service when running over NCACN_IP_TCP. Both services pass a
username and password to the "check password script" that can be configured
in smb.conf.

If the "check password script" is configured with the %u
substitution character, the client-controlled username is passed to
the "check password script" without escaping shell meta-characters,
leading to a remote command execution vulnerability.

This is a non-standard configuration in several ways:

It affects Samba file servers and classic (non-AD) domain controllers
that have the "check password script" configured with the %u
substitution character. Active Directory Domain Controllers are not
affected; they do not expand the username via the %u substitution
character.

The problem is much less dangerous if %u has single quotes directly
around it, e.g. '%u', but it's still possible to inject
command line options.

Standard Samba file servers and classic domain controllers are also
only affected if the samba-dcerpcd service is started as a system
service, which can only happen if "rpc start on demand helpers" is set
to the non-default setting "no". In the default configuration for
DCE/RPC, smbd starts the samba-dcerpcd in a way that makes the
vulnerable code inaccessible.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 10.0

==========
Workaround
==========

Start samba-dcerpcd on demand, i.e. leave "rpc start on demand helpers"
at its default setting "yes".

Change your "check password script" so that it does not rely on the
username passed via %u but instead retrieves it from the
SAMBA_CPS_ACCOUNT_NAME environment variable, and remove %u from the
"check password script" setting.

=======
Credits
=======

Originally reported by:
- Ron Ben Yizhak with SafeBreach.
- John Walker with ZeroPath.

Patches provided by:
- Stefan Metzmacher of Sernet and the Samba team.
- Douglas Bagnall of Catalyst and the Samba team.

This advisory by Volker Lendecke and Stefan Metzmacher
of Sernet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================


_____________________________________________________________________

CVE-2026-2340.html:

===========================================================
== Subject:     WORM vfs module does not block overwrites
==
== CVE ID#:     CVE-2026-2340
==
== Versions:    All versions since 4.20 (but see below)
==
== Summary:     The WORM (Write-Once, Read Many) vfs module
==              is supposed to lock write access to shared
==              files, so they cannot be altered after initial
==              writes. It was allowing files to be overwritten
==              by renaming a newly created file over a protected
==              file.
===========================================================

===========
Description
===========

The vfs_worm module is intended to make files immutable over SMB a
short time after they are created. The time window in which they are
writable is configurable, defaulting to one hour.

The hook that handles renames was checking that the file being renamed
was still mutable, but it was not checking whether the destination
filename already belonged to another worm-protected file. This meant
that any file could be changed by an attacker with write access, by
writing to a temporary file and renaming over the target.

It is important to note that the vfs_worm module only adds additional
protections. Neither the underlying file system access controls, nor
any other Samba modules are bypassed.

The vfs_worm module was added in 4.2 (2015), but was found to be
insufficient (see https://bugzilla.samba.org/show_bug.cgi?id=10430).
It was largely repaired for Samba 4.20, but this bug remained.
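The rename-over bypass described above, as an added illustration that is not Samba's vfs_worm code: a small in-memory model of a WORM share whose rename hook either checks only the source (the pre-patch behaviour) or also the destination (the fix). The class, method names and the injected clock are assumptions made for the illustration.

```python
"""Model of the vfs_worm rename check described in CVE-2026-2340.
Added example, not Samba's vfs_worm code: an in-memory share where a file
stays mutable while (now - creation time) < grace period, as described above."""


class WormShare:
    def __init__(self, grace_period=3600):
        self.grace_period = grace_period  # seconds, module default is one hour
        self.files = {}                   # name -> (created_at, data)
        self.now = 0                      # injected clock, keeps the window deterministic

    def is_mutable(self, name):
        created_at, _ = self.files[name]
        return self.now - created_at < self.grace_period

    def create(self, name, data):
        self.files[name] = (self.now, data)

    def write(self, name, data):
        if not self.is_mutable(name):
            raise PermissionError(f"{name} is worm-protected")
        self.files[name] = (self.files[name][0], data)

    def rename(self, src, dst, check_destination=True):
        # Pre-patch vfs_worm checked only the source; the fix also refuses to
        # rename over a destination that is already worm-protected.
        if not self.is_mutable(src):
            raise PermissionError(f"{src} is worm-protected")
        if check_destination and dst in self.files and not self.is_mutable(dst):
            raise PermissionError(f"{dst} is worm-protected")
        self.files[dst] = self.files.pop(src)


def rename_over_protected_file(check_destination):
    """Return the final content of report.txt after a rename-over attempt."""
    share = WormShare(grace_period=3600)
    share.create("report.txt", b"original")
    share.now += 7200                          # grace period has expired
    try:
        share.write("report.txt", b"direct")   # direct write is refused
    except PermissionError:
        pass
    share.create("tmp.txt", b"replaced")       # fresh file, still mutable
    try:
        share.rename("tmp.txt", "report.txt", check_destination)
    except PermissionError:
        pass
    return share.files["report.txt"][1]
```

With `check_destination=False` the protected file ends up replaced; with the destination check it keeps its original content, and a grace period of zero makes every file immutable immediately.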

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

====================
CVSSv3.1 calculation
====================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N  6.5

==========
Workaround
==========

Setting read-only permissions on existing files on the underlying
file system will prevent modifications.

Setting 'worm:grace_period' in smb.conf to zero or less will eliminate
the window in which the rename can happen, but this will cause
problems for common work flows that assume a file can be created and
written to in multiple steps.

Not using the module is not a workaround, because this bug confers no
access not ordinarily available.

=======
Credits
=======

Originally reported by Pavel Kohout of Aisle Research.

Patch provided by Pavel Kohout.

Tests and this advisory written by Douglas Bagnall of Catalyst IT
and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________

CVE-2026-4480.html:

===========================================================
== Subject:     Unauthenticated Remote Code Execution
==              in Samba printing subsystem
==
== CVE ID#:     CVE-2026-4480
==
== Versions:    All versions
==
== Summary:     Samba print servers with a "print command"
==              that has the %J substitution character
==              are vulnerable to remote code execution
===========================================================

===========
Description
===========

Samba passes the client-controlled job description string to the
command configured with the "print command" setting via the "%J"
substitution character without escaping shell meta characters. This
leads to a remote code execution vulnerability.

Print servers configured with "printing = cups" or "printing =
iprint", and print servers that do not have the %J substitution
character in the "print command" setting are not affected.

The problem is much less dangerous if %J has single quotes directly
around it, e.g. '%J', but it's still possible to inject
command line options.

By default, print servers allow guest users to print.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H 10.0

==========
Workaround
==========

Adding single quotes directly around %J (=> '%J') makes it much less
likely that an attacker can do something useful. Note that using double
quotes may not be enough.

If unsure, remove %J completely from the "print command" smb.conf
entry.

=======
Credits
=======

Originally reported by:
- Ron Ben Yizhak with SafeBreach
- John Walker with ZeroPath
- Arjun Basnet with Securin Labs

Patches provided by:
- Stefan Metzmacher of Sernet and the Samba team.
- Douglas Bagnall of Catalyst and the Samba team.

This advisory by Volker Lendecke and Stefan Metzmacher
of Sernet and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________

CVE-2026-3012.html:

===========================================================
== Subject:     Auto-enrolment GPO installing CA certificate
==              over HTTP without verification
==
== CVE ID#:     CVE-2026-3012
==
== Versions:    All versions since 4.16
==
== Summary:     To bootstrap a certificate chain a domain member
==              must fetch a certificate without TLS. It was
==              trusting HTTP for this when a more secure
==              encrypted LDAP channel was also available.
===========================================================

===========
Description
===========

If the certificate auto-enrolment GPO is enabled on domain members
(both in Samba's smb.conf and using the Windows GPME tool), a CA
certificate may be fetched over a plain HTTP connection and installed
in the member computer's trust store. This may give an attacker the
chance to intercept the response and install a certificate of their
choosing instead.

The URL from which the certificate is fetched follows a pattern used
by Microsoft's Network Device Enrollment Service (NDES) to provide
certificates to computers on the network that are not full domain
members. Domain members should already have access to these
certificates via better protected LDAP connections, so do not need the
NDES link (Samba uses no other part of NDES).

Pure Samba domains will not have auto-enrolment available, either
through LDAP or HTTP, as Samba does not currently implement Active
Directory Certificate Services. However, members of these domains are
still vulnerable if the GPO is enabled.

The patch removes the attempt to download the certificate and relies
on the LDAP values.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N (8.0)

==========
Workaround
==========

If you do not enable certificate auto-enrolment using the Windows GPME
tool, the vulnerable code will not run.

If your smb.conf does not contain a line like 'apply group policies =
yes', group policy will not be enabled, and the vulnerable code will
not run (regardless of Windows GPME configuration).

Intercepting the HTTP request requires some control over the local
network or other devices to intercept or redirect traffic. Some
network administrators might assess this as a low risk on their
networks.

=======
Credits
=======

Originally reported by:
- Arad Inbar of the DREAM Security Research Team
- Nir Somech of the DREAM Security Research Team
- Ben Grinberg of the DREAM Security Research Team
- Michalis Vasileiadis

Patches and this advisory provided by Douglas Bagnall of Catalyst and
the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________

CVE-2026-3238.html:

===========================================================
== Subject:     Denial of service against AD DC WINS server
==
== CVE ID#:     CVE-2026-3238
==
== Versions:    All versions since 4.0
==
== Summary:     The WINS server component of the Active
==              Directory Domain Controller code in Samba
==              is vulnerable to a NULL pointer dereference
==              and crash caused by an unauthenticated UDP
==              packet.
===========================================================

===========
Description
===========

The Windows Internet Naming Service [1] is an unauthenticated service
for registering and looking up names in a NetBIOS network running on
TCP and UDP [2].

The protocol handlers for the RELEASE and MULTI_HOME_REG packets in
the WINS server running when Samba is configured as an Active
Directory Domain Controller do not properly validate the requests. An
attacker can make the WINS server dereference a NULL pointer, leading
to at least a crash. This service will be restarted at increasing
intervals. The simplicity of the attack makes it trivial to make the
WINS server in Samba completely unavailable.

One mitigating factor is that the WINS server must be explicitly
activated with the "wins support = yes" setting in the [global]
section of the smb.conf file.

[1]: https://en.wikipedia.org/wiki/Windows_Internet_Name_Service
[2]: https://datatracker.ietf.org/doc/html/rfc1002 section 5.1.4

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

====================
CVSSv3.1 calculation
====================

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H 7.5

==========
Workaround
==========

Affected sites that do not strictly depend on Samba running a WINS
server should remove the explicit "wins support = yes" from their
Samba configuration.
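A configuration check covering the smb.conf conditions named in the advisories above (CVE-2026-4408, CVE-2026-4480, CVE-2026-2340, CVE-2026-3238 and CVE-2026-3012), as an added example that is not Samba code or part of the advisories. The parser is a simplified stand-in for testparm and the sample configuration is constructed; CVE-2026-1933 is left out because it depends on filesystem permissions rather than on smb.conf.

```python
"""Flag smb.conf settings the 2026 Samba advisories above depend on.
Added example, not Samba code. A minimal stand-in for testparm: parameter
names compare case/whitespace-insensitively, shares inherit from [global]."""
YES = ("yes", "true", "1")   # the values Samba accepts as boolean true

def parse_smb_conf(text):
    conf, section = {}, None   # {section: {normalized_key: value}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif section is not None and "=" in line:
            key, value = line.split("=", 1)
            conf[section]["".join(key.split()).lower()] = value.strip()
    return conf

def audit(conf):
    """Return sorted (CVE, section, reason) tuples for the advisory conditions."""
    g, hits = conf.get("global", {}), []
    # CVE-2026-4408 needs %u plus the non-default "rpc start on demand helpers = no".
    if "%u" in g.get("checkpasswordscript", "") and \
            g.get("rpcstartondemandhelpers", "yes").lower() not in YES:
        hits.append(("CVE-2026-4408", "global", "check password script uses %u"))
    if g.get("winssupport", "no").lower() in YES:
        hits.append(("CVE-2026-3238", "global", "wins support = yes"))
    if g.get("applygrouppolicies", "no").lower() in YES:
        hits.append(("CVE-2026-3012", "global", "apply group policies = yes"))
    for name, sec in conf.items():
        def get(key, default=""):
            return sec.get(key, g.get(key, default))
        # cups/iprint never run "print command"; an unset backend is build-dependent.
        if "%J" in get("printcommand") and get("printing").lower() not in ("cups", "iprint"):
            hits.append(("CVE-2026-4480", name, "print command uses %J"))
        if "worm" in get("vfsobjects").split() and int(get("worm:grace_period", "3600")) > 0:
            hits.append(("CVE-2026-2340", name, "vfs_worm with a positive grace period"))
    return sorted(hits)

# Constructed sample configuration exhibiting four of the conditions.
SAMPLE_SMB_CONF = """
[global]
   wins support = yes
   rpc start on demand helpers = no
   check password script = /usr/local/bin/cps.sh %u
   printing = bsd
[printers]
   print command = lpr -P %p -J %J %s
[archive]
   vfs objects = worm
   worm:grace_period = 600
"""
REPORT = audit(parse_smb_conf(SAMPLE_SMB_CONF))
```

Feeding the output of `testparm -s` to parse_smb_conf checks the effective configuration rather than the raw file.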

=======
Credits
=======

Discovered and originally reported by

- Arad Inbar, DREAM Security Research Team
- Erez Cohen, DREAM Security Research Team
- Nir Somech, DREAM Security Research Team
- Ben Grinberg, DREAM Security Research Team

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================


=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================