The corrective versions of Samba arrive, fixing 5 vulnerabilities

The corrective releases Samba 4.16.4, 4.15.9 and 4.14.14 were recently announced, fixing 5 vulnerabilities (CVE-2022-2031, CVE-2022-32742, CVE-2022-32744, CVE-2022-32745 and CVE-2022-32746).

The most dangerous of these is CVE-2022-32744, which allows Active Directory domain users to change the password of any user, including the administrator password, and so take full control of the domain. The problem arises because the KDC accepts kpasswd requests encrypted with any known key.

This vulnerability can be exploited when an attacker with access to the domain sends a forged new-password request on behalf of another user, encrypted with the attacker's own key; the KDC processes it without verifying that the key matches the account. This includes using the keys of read-only domain controllers (RODCs), which have no authority to change passwords, to send bogus requests.

As a workaround, you can disable kpasswd protocol support by adding the line “kpasswd port=0” to smb.conf.

Another fixed vulnerability that received special attention is CVE-2022-32742, a flaw that leaked the contents of server memory through manipulation of the SMB1 protocol.

That is, an SMB1 client that has write access to shared storage can arrange for portions of the server process's memory to be written to a file or printer. The attack is done by sending a "write" request with an incorrect range. The issue only affects Samba branches prior to 4.11 (SMB1 support is disabled by default in the 4.11 branch).

The other vulnerabilities fixed in these corrective releases are as follows:

  • CVE-2022-32746: Active Directory users, by sending specially crafted LDAP "add" or "modify" requests, can trigger a use-after-free memory access in a server process. The problem is that the audit logging module accesses the LDAP message content after the database module has freed the memory allocated for the message. To perform an attack, it is necessary to have rights to add or modify some privileged attributes, such as userAccountControl.
  • CVE-2022-2031: Active Directory users can bypass some restrictions on a domain controller. The KDC and the kpasswd service can decrypt each other's tickets because they share the same set of keys and accounts. Consequently, a user who requested a password change can use the received ticket to access other services.
  • CVE-2022-32745: Active Directory users can cause a server process to crash by sending LDAP "add" or "modify" requests that result in access to uninitialized data.

Finally, if you are interested in knowing more about the fixed bugs, you can check the details in the following link

How to install or upgrade to Samba on Ubuntu and derivatives?

Those who want to install these new corrective versions of Samba, or update a previous version to the new one, can do so by following the steps below.

It is worth mentioning that, although Samba is included in the Ubuntu repositories, the packages are not updated when a new version is released, so in this case we prefer to use a repository.

The first thing we are going to do is open a terminal and type the following commands to add a repository to the system:

sudo add-apt-repository ppa:linux-schools/samba-latest

sudo apt-get update

Once the repository has been added, we proceed to install samba in the system and for this, we just type the following command:

sudo apt install samba

If you already have a previous version installed, it will be updated automatically.
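
A check to run after the steps above, as an added example that is not part of the original article or the Samba project: it compares a version string with the three fixed releases listed earlier and looks for the "kpasswd port = 0" workaround in the [global] section of an smb.conf. The function names and the sample configuration are constructed for illustration.

```sh
#!/bin/sh
# Added example: version and workaround check for the releases named in the article.

# samba_fix_status VERSION -> patched | vulnerable | unknown
# Any branch other than 4.16, 4.15 and 4.14 is "unknown": the article lists no
# fixed release for it. Distribution packages may also backport fixes.
samba_fix_status() {
    ver=${1%%[!0-9.]*}                  # strip suffixes such as "-Ubuntu"
    branch=${ver%.*}; patch=${ver##*.}  # 4.15.9 -> 4.15 and 9
    case $patch in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case $branch in
        4.16) fixed=4 ;;
        4.15) fixed=9 ;;
        4.14) fixed=14 ;;
        *) echo unknown; return 0 ;;
    esac
    if [ "$patch" -ge "$fixed" ]; then echo patched; else echo vulnerable; fi
}

# kpasswd_disabled FILE -> exit 0 when [global] sets "kpasswd port = 0".
# smb.conf ignores case and whitespace in parameter names, so both are
# normalised here; this function takes the last assignment it sees.
kpasswd_disabled() {
    awk '
        /^[ \t]*[#;]/ { next }                       # skip comment lines
        /^[ \t]*\[/ { s = tolower($0); gsub(/[ \t\r]/, "", s)
                      in_global = (s == "[global]"); next }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", key); gsub(/[ \t\r]/, "", val)
            if (key == "kpasswdport") port = val
        }
        END { exit (port != "0") }
    ' "$1"
}

# cve_2022_32744_status VERSION FILE -> one-line verdict for the kpasswd flaw
cve_2022_32744_status() {
    status=$(samba_fix_status "$1")
    if [ "$status" = patched ]; then echo "ok: fixed release"
    elif [ "$status" = unknown ]; then echo "unknown: branch not listed in the article"
    elif kpasswd_disabled "$2"; then echo "mitigated: kpasswd off, upgrade pending"
    else echo "exposed: vulnerable release, kpasswd on"; fi
}

# Constructed sample smb.conf, for trying the functions offline.
write_sample_conf() {
    printf '%s\n' '[global]' '   workgroup = EXAMPLE' '   Kpasswd Port = 0' \
        '[share]' '   path = /srv/share' > "$1"
}
```

On a live server the version string can come from smbd --version, and testparm -s shows the effective configuration, including files pulled in through include directives, which the file parser above does not follow.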

