
AS-2022-016: Samba

2022-12-27

Severity

Moderate

Status

Resolved


Statement

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.

CVE-2022-3437 allows remote authenticated users to bypass security constraints and conduct attacks against a susceptible version of ADM with the SMB service enabled.

CVE-2022-3592 does not affect ASUSTOR products, as this vulnerability only affects Samba 4.17 and later.

CVE-2022-42898 does not affect current ASUSTOR products running ADM 4.1, as the remote code execution path of this vulnerability only affects 32-bit systems.

  • The Samba package has been updated in ADM 4.2.0.RC81 to fix these potential vulnerabilities.
  • The Samba package has been updated in ADM 4.0.6.RCR1 to fix these potential vulnerabilities.

Affected Products

Product   Severity   Fixed Release Availability
ADM 4.1   Moderate   Upgrade to 4.2.0.RC81 or above.
ADM 4.0   Moderate   Upgrade to 4.0.6.RCR1 or above.

Mitigation

Administrators can disable the SMB service to mitigate these vulnerabilities. In environments where the SMB service is still required, changing passwords and enforcing strong passwords for SMB client authentication can serve as a temporary mitigation, since the affected code paths are reached by authenticated users.


Detail

  • CVE-2022-3437
    • Severity: Moderate
    • Reserved
  • CVE-2022-3592
    • Severity: Not affected
    • Reserved
  • CVE-2022-42898
    • Severity: Not affected
    • PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has "a similar bug."
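As an added illustration of the integer-overflow class described for CVE-2022-42898 (example code written for this page, not krb5's, Heimdal's or Samba's own source; the PAC-like layout, field names and sizes are a constructed simplification), the following C shows why a bound check written as `offset + size <= total`, or a header size computed as `nbufs * entry_len`, passes crafted input under 32-bit arithmetic, and the overflow-safe forms that reject it:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed, simplified PAC-like layout (NOT krb5's real structures):
 *   uint32 nbufs
 *   nbufs x { uint32 type; uint32 size; uint32 offset; }
 *   raw buffer bytes, addressed by (offset, size) from the blob start
 * Every length is a uint32_t, so the wrap-around a 32-bit size_t suffers
 * is reproduced even when compiled on a 64-bit host.
 */
#define HDR_LEN   4u
#define ENTRY_LEN 12u

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Pre-fix style bound check: the sum can wrap and look small. 1 = accepted. */
int entry_fits_vulnerable(uint32_t offset, uint32_t size, uint32_t total)
{
    return (uint32_t)(offset + size) <= total;
}

/* Overflow-safe bound check: subtract from the bound, never add untrusted values. */
int entry_fits_hardened(uint32_t offset, uint32_t size, uint32_t total)
{
    return size <= total && offset <= total - size;
}

/* Pre-fix style header sizing: nbufs * ENTRY_LEN can wrap to a tiny value. */
int header_fits_vulnerable(uint32_t nbufs, uint32_t total)
{
    uint32_t header_len = HDR_LEN + nbufs * ENTRY_LEN;
    return header_len <= total;
}

/* Overflow-safe header sizing: bound the count before multiplying. */
int header_fits_hardened(uint32_t nbufs, uint32_t total)
{
    return total >= HDR_LEN && nbufs <= (total - HDR_LEN) / ENTRY_LEN;
}

/* Validate a blob with either check set: buffer count on acceptance, -1 on
 * rejection. Only the entry table is read; the per-buffer copy, where a
 * wrapped (offset, size) pair would write past the heap allocation, is
 * left as a comment so this never dereferences out of bounds. */
static int parse_pac(const uint8_t *data, uint32_t len, int hardened)
{
    if (len < HDR_LEN) return -1;
    uint32_t nbufs = rd32(data);
    if (!(hardened ? header_fits_hardened(nbufs, len)
                   : header_fits_vulnerable(nbufs, len)))
        return -1;
    for (uint32_t i = 0; i < nbufs; i++) {
        const uint8_t *e = data + HDR_LEN + i * ENTRY_LEN;
        uint32_t size = rd32(e + 4), offset = rd32(e + 8);
        if (!(hardened ? entry_fits_hardened(offset, size, len)
                       : entry_fits_vulnerable(offset, size, len)))
            return -1;
        /* memcpy(dst, data + offset, size) would happen here */
    }
    return (int)nbufs;
}

/* Build a constructed one-entry blob of `total` bytes (zero padded). */
static uint32_t build_pac(uint8_t *buf, uint32_t cap, uint32_t total,
                          uint32_t size, uint32_t offset)
{
    if (total > cap || total < HDR_LEN + ENTRY_LEN) return 0;
    memset(buf, 0, total);
    wr32(buf, 1);       /* nbufs */
    wr32(buf + 4, 1);   /* type (arbitrary) */
    wr32(buf + 8, size);
    wr32(buf + 12, offset);
    return total;
}

/* Crafted entry: offset 0xFFFFFFF0 + size 0x20 wraps to 0x10 in 32 bits. */
int check_crafted(int hardened)
{
    uint8_t buf[128];
    uint32_t len = build_pac(buf, sizeof buf, 100, 0x20u, 0xFFFFFFF0u);
    return parse_pac(buf, len, hardened);
}

/* Benign entry: 8 bytes at offset 16 inside a 100-byte blob. */
int check_benign(int hardened)
{
    uint8_t buf[128];
    uint32_t len = build_pac(buf, sizeof buf, 100, 8u, 16u);
    return parse_pac(buf, len, hardened);
}

int main(void)
{
    printf("crafted entry: vulnerable=%d hardened=%d\n", check_crafted(0), check_crafted(1));
    printf("benign entry:  vulnerable=%d hardened=%d\n", check_benign(0), check_benign(1));
    printf("nbufs=0x15555556 in 64 bytes: vulnerable=%d hardened=%d\n",
           header_fits_vulnerable(0x15555556u, 64), header_fits_hardened(0x15555556u, 64));
    return 0;
}
```

The crafted entry is accepted by the vulnerable check (the 32-bit sum is 0x10) and rejected by the hardened one; the count 0x15555556 makes `nbufs * 12` wrap to 8, so the vulnerable header check also passes and a real parser would then walk the entry table far past the allocation. On a 64-bit platform with a 64-bit size_t the same sums do not wrap, which is why the page reports only a denial of service there.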

Reference


Revision

Revision   Date         Description
1          2022-11-15   Initial public release.
2          2022-12-14   Released ADM 4.2.0.RC81 to update the Samba package, fixing these potential vulnerabilities.
3          2022-12-27   Released ADM 4.0.6.RCR1 to update the Samba package, fixing these potential vulnerabilities.