Samba fixed 8 dangerous vulnerabilities

Maintenance releases Samba 4.15.2, 4.14.10 and 4.13.14 have been published, fixing 8 vulnerabilities, most of which can lead to a complete compromise of an Active Directory domain. Notably, one of the problems dates back to 2016 and five to 2020. One of the fixes, however, introduced a regression: winbindd fails to start when "allow trusted domains = no" is set (the developers intend to promptly publish another update with a fix). The release of updated packages in distributions can be tracked on the pages for Debian, Ubuntu, RHEL, SUSE, Fedora, Arch and FreeBSD.

Fixed vulnerabilities:

  • CVE-2020-25717 - Due to a bug in the logic for mapping domain users to local system users, an Active Directory domain user who could create new accounts in the domain (a right granted via ms-DS-MachineAccountQuota) could gain root access on other domain member systems.
  • CVE-2021-3738 - Use-after-free in the Samba AD DC RPC server (dsdb), which can potentially lead to privilege escalation when connection establishment is manipulated.
  • CVE-2016-2124 - Client connections established over the SMB1 protocol could be downgraded to pass authentication in clear text or via NTLM (for example, to capture credentials in a MITM attack), even when the user or application required Kerberos authentication.
  • CVE-2020-25722 - A Samba-based Active Directory domain controller did not perform proper access checks on stored data, allowing any user to bypass authorization checks and completely compromise the domain.
  • CVE-2020-25718 - Kerberos tickets issued by a read-only domain controller (RODC) were not correctly isolated by a Samba-based Active Directory domain controller, which could be used to obtain administrator tickets via the RODC without the authority to do so.
  • CVE-2020-25719 - A Samba-based Active Directory domain controller did not always take the SID and PAC fields of a Kerberos ticket into account when binding (even with "gensec:require_pac = true" set, only the name was checked and the PAC was ignored), which allowed a user with the right to create accounts to impersonate another domain user, including privileged ones.
  • CVE-2020-25721 - Users authenticated via Kerberos were not always provided with a unique Active Directory identifier (objectSid), which could lead to one user being confused with another.
  • CVE-2021-23192 - In a MITM attack, it was possible to spoof fragments of large DCE/RPC requests that had been split into several parts.
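The DCE/RPC fragment-spoofing issue listed last (CVE-2021-23192) comes down to one rule: every fragment of a multi-fragment request must be validated against the first one, not just the first fragment on its own. The Python below is an example added here, not Samba's code. It builds constructed request PDUs using the standard DCE/RPC connection-oriented layout (16-byte common header, 8-byte request header, stub data, optional auth pad, 8-byte auth trailer, auth data), then reassembles them and rejects any continuation fragment whose call_id, fragment flags or authentication context (auth_type, auth_level, auth_context_id) differs from the first fragment. That is exactly what an attacker in the middle fails when appending an unauthenticated or downgraded fragment to a legitimately authenticated first one. The constants, helper names and sample fragments are this example's own; the "sig" bytes stand in for a real auth verifier, whose cryptographic check a real implementation performs in addition to the header consistency shown here.

```python
"""Fragment-consistency check for multi-fragment DCE/RPC requests (added example, not Samba code).
A reassembler that validates only the first fragment lets a man in the middle append fragments of
its own; every later fragment must match the first one's call_id and authentication context.
Layout: 16-byte common header, 8-byte request header, stub, auth pad, 8-byte auth trailer, auth data.
"""
import struct
from collections import namedtuple

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
PTYPE_REQUEST = 0
AUTH_TYPE_NTLMSSP, AUTH_LEVEL_CONNECT, AUTH_LEVEL_PRIVACY = 10, 2, 6
HDR = struct.Struct("<BBBB4sHHI")       # version, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
REQ_HDR = struct.Struct("<IHH")         # alloc_hint, p_cont_id, opnum
AUTH_TRAILER = struct.Struct("<BBBBI")  # auth_type, auth_level, auth_pad_length, reserved, auth_context_id
BODY_OFF = HDR.size + REQ_HDR.size      # stub data of a request PDU starts here

# auth_ctx is (auth_type, auth_level, auth_context_id), or None for an unauthenticated fragment
Fragment = namedtuple("Fragment", "flags call_id auth_ctx stub")


def parse_request(pdu: bytes) -> Fragment:
    """Parse one request PDU, bounds-checking so the auth trailer cannot overlap the body."""
    if len(pdu) < BODY_OFF:
        raise ValueError("short PDU")
    ver, minor, ptype, flags, drep, frag_len, auth_len, call_id = HDR.unpack_from(pdu)
    if (ver, minor) != (5, 0) or not drep[0] & 0x10:
        raise ValueError("unsupported RPC version or data representation")
    if ptype != PTYPE_REQUEST or frag_len != len(pdu):
        raise ValueError("not a request PDU or frag_length mismatch")
    auth_ctx, stub_end = None, frag_len
    if auth_len:
        trailer_off = frag_len - auth_len - AUTH_TRAILER.size
        if trailer_off < BODY_OFF:
            raise ValueError("auth trailer overlaps request body")
        a_type, a_level, pad_len, _, ctx_id = AUTH_TRAILER.unpack_from(pdu, trailer_off)
        if trailer_off - pad_len < BODY_OFF:
            raise ValueError("auth padding overlaps request body")
        auth_ctx, stub_end = (a_type, a_level, ctx_id), trailer_off - pad_len
    return Fragment(flags, call_id, auth_ctx, pdu[BODY_OFF:stub_end])


def reassemble(pdus) -> bytes:
    """Concatenate stub data, refusing any fragment inconsistent with the first one."""
    frags = [parse_request(p) for p in pdus]
    first, stub = frags[0], bytearray()
    for i, f in enumerate(frags):
        if bool(f.flags & PFC_FIRST_FRAG) != (i == 0):
            raise ValueError(f"fragment {i}: PFC_FIRST_FRAG misplaced")
        if bool(f.flags & PFC_LAST_FRAG) != (i == len(frags) - 1):
            raise ValueError(f"fragment {i}: PFC_LAST_FRAG misplaced")
        if f.call_id != first.call_id:
            raise ValueError(f"fragment {i}: call_id changed")
        if f.auth_ctx != first.auth_ctx:  # the injection check: no unauthenticated or downgraded continuation
            raise ValueError(f"fragment {i}: auth context changed")
        stub += f.stub
    return bytes(stub)


def check(pdus):
    """Return (True, stub) for a consistent fragment set, else (False, reason)."""
    try:
        return True, reassemble(pdus)
    except ValueError as e:
        return False, str(e)


def build_request(call_id, stub, flags, auth_ctx=None, auth_data=b""):
    """Build a request PDU (constructed test data; auth_data stands in for a real verifier)."""
    body = REQ_HDR.pack(len(stub), 0, 0) + stub
    trailer = b""
    if auth_ctx is not None:
        pad = (-len(stub)) % 4  # auth trailer is 4-byte aligned
        a_type, a_level, ctx_id = auth_ctx
        trailer = b"\0" * pad + AUTH_TRAILER.pack(a_type, a_level, pad, 0, ctx_id) + auth_data
    frag_len = HDR.size + len(body) + len(trailer)
    hdr = HDR.pack(5, 0, PTYPE_REQUEST, flags, b"\x10\0\0\0", frag_len, len(auth_data), call_id)
    return hdr + body + trailer


# Constructed fragments: a two-part NTLMSSP privacy-protected request, then the same first
# fragment followed by attacker continuations (one with no auth, one downgraded to "connect").
CTX = (AUTH_TYPE_NTLMSSP, AUTH_LEVEL_PRIVACY, 1)
LEGIT = [build_request(7, b"A" * 8, PFC_FIRST_FRAG, CTX, b"sig1"),
         build_request(7, b"B" * 8, PFC_LAST_FRAG, CTX, b"sig2")]
INJECTED_NOAUTH = [LEGIT[0], build_request(7, b"EVIL" * 2, PFC_LAST_FRAG)]
INJECTED_DOWNGRADE = [LEGIT[0], build_request(7, b"EVIL" * 2, PFC_LAST_FRAG,
                                              (AUTH_TYPE_NTLMSSP, AUTH_LEVEL_CONNECT, 1), b"x")]
```

Running `check(LEGIT)` yields the concatenated stub, while both injected sets are refused with "auth context changed". Comparing the whole (auth_type, auth_level, auth_context_id) tuple rather than only checking that some auth trailer is present is what blocks the downgrade case; a fragment that merely carries a weaker level is just as foreign as one with no trailer at all.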

Source: opennet.ru
