AS-2022-017: Samba

2023-02-20

Statement

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.

CVE-2022-38023 allow remote authenticated users to bypass security constraint and conduct attacks via a susceptible version of ADM with SMB service enabled.

The best solution for CVE-2022-37966 should be applied on the AD Server, please refer to Mitigation for details.

CVE-2022-37967 and CVE-2022-45141 will not affect current ASUSTOR products as this vulnerability only affect AD DC features that ADM didn't support.

• Samba package has been updated on ADM 4.2.0.RE71 and ADM 4.0.6.REG2 to fix these potential vulnerabilities.

Affected Products

Mitigation

For CVE-2022-37966:

For trusted domains you should explicitly configure the use of aes256-cts-hmac-sha1-96 support, either via the Windows GUI or the newly added 'samba-tool domain trust modify --use-aes-keys'. For legacy trusts against Windows 2000/2003 domains you need to force rc4-hmac using 'samba-tool domain trust modify --no-aes-keys'. Against remote DCs (including Windows) you can use the --local-dc-ipaddress= and other --local-dc-* options. See 'samba-tool domain trust modify --help' for further details.

Detail

• CVE-2022-37966
  • Severity: Moderate
  • Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.
• CVE-2022-37967
  • Severity: Not affected
  • Windows Kerberos Elevation of Privilege Vulnerability.
• CVE-2022-38023
  • Severity: Moderate
  • Netlogon RPC Elevation of Privilege Vulnerability.
• CVE-2022-45141
  • Severity: Not affected
  • Reserved

Reference

• Samba Security Releases
• Samba Releases Security Updates
• CVE-2022-37966
• CVE-2022-37967
• CVE-2022-38023
• CVE-2022-45141

Revision