Vulnerability in Samba that allows any user to change their password

Maintenance releases of Samba 4.16.4, 4.15.9 and 4.14.14 have been published, fixing five vulnerabilities. The availability of updated packages in distributions can be tracked on the following pages: Debian, Ubuntu, RHEL, SUSE, Arch, FreeBSD.

The most dangerous vulnerability (CVE-2022-32744) allows any user of an Active Directory domain to change the password of any other user, including the administrator, and thereby take full control of the domain. The problem is caused by the KDC accepting kpasswd requests encrypted with any key known to it.

An attacker with access to the domain can send a bogus password reset request on behalf of another user, encrypting it with their own key, and the KDC will process it without verifying that the key used matches the account whose password is being changed. Keys belonging to read-only domain controllers (RODCs), which are not authorized to change passwords, can also be used to submit such requests. As a workaround, support for the kpasswd protocol can be disabled by adding the line "kpasswd port = 0" to smb.conf.
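The following script is an added example, not part of the article or of the Samba project, that a domain administrator could use to triage the two facts above: whether an installed Samba version string falls at or after the fixed releases named for its branch (4.16.4, 4.15.9, 4.14.14), and whether an smb.conf carries the "kpasswd port = 0" workaround. The version strings and the sample smb.conf it tests against are constructed for demonstration; the function names are the author's own.

```shell
#!/bin/sh
# Added example (not from the article or from Samba): a defender-side check for
# the fixes and the workaround described in the advisory.

# Print "patched", "vulnerable" or "unknown-branch" for a version string such
# as "Version 4.15.7-Ubuntu" (the form printed by `smbd --version`) or "4.16.4".
samba_version_status() {
    parsed=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$parsed" ] || { echo unknown-branch; return; }
    set -- $parsed
    major=$1 minor=$2 patch=$3
    # First patched release of each branch covered by the advisory.
    case "$major.$minor" in
        4.16) fix=4 ;;
        4.15) fix=9 ;;
        4.14) fix=14 ;;
        *) echo unknown-branch; return ;;
    esac
    if [ "$patch" -ge "$fix" ]; then echo patched; else echo vulnerable; fi
}

# Print "workaround-present" if the given smb.conf sets "kpasswd port = 0"
# (the mitigation from the article), otherwise "workaround-absent".
# This is a plain line match: it does not follow "include =" directives, so on
# a real system run it against the output of `testparm -s` instead.
kpasswd_workaround_status() {
    if grep -Eiq '^[[:space:]]*kpasswd[[:space:]]+port[[:space:]]*=[[:space:]]*0[[:space:]]*$' "$1"; then
        echo workaround-present
    else
        echo workaround-absent
    fi
}

# Constructed sample smb.conf (not a real deployment) with the workaround applied.
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat >"$SAMPLE_CONF" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    kpasswd port = 0
EOF

# Stand-alone usage: report on an installed smbd if one is present, then on samples.
if command -v smbd >/dev/null 2>&1; then
    echo "installed smbd:  $(samba_version_status "$(smbd --version)")"
fi
echo "4.15.7-Ubuntu:   $(samba_version_status 'Version 4.15.7-Ubuntu')"
echo "4.16.4:          $(samba_version_status '4.16.4')"
echo "sample smb.conf: $(kpasswd_workaround_status "$SAMPLE_CONF")"
```

Because the version check only knows the three branches the advisory covers, anything else (for example a 4.13.x build) is reported as unknown-branch rather than guessed at; such hosts need to be assessed against the distribution's own backports.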

Other vulnerabilities:

  • CVE-2022-32746 - Active Directory users can trigger a use-after-free in the server process by sending specially crafted LDAP "add" or "modify" requests. The problem is caused by the audit logging module accessing the contents of the LDAP message after the database module has freed the memory allocated for it. To carry out an attack, the user must have rights to add or modify certain privileged attributes, such as userAccountControl.
  • CVE-2022-2031 - Active Directory users can bypass some restrictions on a domain controller. The KDC and the kpasswd service can decrypt each other's tickets because they share the same set of keys and accounts. As a result, a user who requested a password change can use the ticket they received to access other services.
  • CVE-2022-32745 - Active Directory users can crash a server process by sending LDAP "add" or "modify" requests that cause uninitialized data to be accessed.
  • CVE-2022-32742 - Contents of the server's memory could be leaked through manipulation of the SMB1 protocol. An SMB1 client with write access to a share can cause portions of the server process's memory to be written to a file or sent to a printer. The attack is performed by sending a "write" request with an invalid range. The problem only affects Samba branches prior to 4.11 (SMB1 support is disabled by default starting with the 4.11 branch).

Source: opennet.ru