Samba fixed 8 dangerous vulnerabilities

Samba patches 4.15.2, 4.14.10, and 4.13.14 have been published, addressing eight vulnerabilities, most of which could lead to complete compromise of an Active Directory domain. Notably, one of the issues was patched since 2016, and five since 2020. However, one patch prevented winbindd from running when the "allow trusted domains = no" setting was enabled (the developers intend to promptly publish another update with the fix). The release of package updates in distributions can be tracked on the following pages: Debian, Ubuntu, RHEL, SUSE, Fedora, Arch, FreeBSD.

Fixed vulnerabilities:

  • CVE-2020-25717 - Due to a flaw in the logic for mapping domain users to local system users, an Active Directory domain user with the ability to create new accounts on their system, managed through ms-DS-MachineAccountQuota, could gain root access to other systems within the domain. domain.
  • CVE-2021-3738 - Access to an already freed area of ​​memory (Use after free) in the implementation of the Samba AD DC RPC server (dsdb), which can potentially lead to privilege escalation when manipulating connection establishment.
  • CVE-2016-2124 - Client connections established using the SMB1 protocol could be switched to pass authentication parameters in clear text or via NTLM (for example, to determine credentials when performing MITM attacks), even if the user or application has a mandatory authentication via Kerberos.
  • CVE-2020-25722 - Samba-based Active Directory domain controller was not performing proper stored data access checks, allowing any user to bypass authorization checks and completely compromise the domain.
  • CVE-2020-25718 - Kerberos tickets issued by a Read-only domain controller (RODC) were not correctly isolated in a Samba-based Active Directory domain controller, which could be used to obtain administrator tickets from the RODC without having the authority to do so.
  • CVE-2020-25719 - Samba-based Active Directory domain controller did not always take into account the SID and PAC fields in Kerberos tickets in the binding (when setting "gensec:require_pac = true", only the name was checked, and PAC was not taken into account), which allowed the user , which has the right to create accounts on the local system, impersonate another user in the domain, including privileged ones.
  • CVE-2020-25721 - Users authenticated using Kerberos were not always given unique identifiers for Active Directory (objectSid), which could lead to overlapping of one user with another.
  • CVE-2021-23192 - During a MITM attack, it was possible to spoof fragments in large DCE/RPC requests that were split into several parts.

Source: opennet.ru

Buy reliable hosting for sites with DDoS protection, VPS VDS servers πŸ”₯ Buy reliable website hosting with DDoS protection, VPS VDS servers | ProHoster