A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

The remote Rocky Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RLSA-2021:5082 advisory.

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-202309-06 (Samba: Multiple Vulnerabilities)

  - Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in     Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in     filenames in a TAR archive, a related issue to CVE-2001-1267. (CVE-2007-4559)

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - Kerberos Security Feature Bypass Vulnerability (CVE-2020-17049)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC     (read-only domain controller). This would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-     based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did     not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total     domain compromise. (CVE-2020-25719)

  - Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). Samba as an AD DC now     provides a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets.
    (CVE-2020-25721)

  - Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored     data. An attacker could use this flaw to cause total domain compromise. (CVE-2020-25722)

  - MaxQueryDuration not honoured in Samba AD DC LDAP (CVE-2021-3670)

  - In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections     via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb     database. However while the database was correctly shared, the user credentials state was only pointed at,     and when one connection within that association group ended, the database would be left pointing at an     invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-     after-free could instead allow different user state to be pointed at and this might allow more privileged     access. (CVE-2021-3738)

  - A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute     force attacks being successful if special conditions are met. (CVE-2021-20251)

  - A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated     attacker with permissions to read or modify share metadata, to perform this operation outside of the     share. (CVE-2021-20316)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

  - All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to     determine if a file or directory exists in an area of the server file system not exported under the share     definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
    (CVE-2021-44141)

  - The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide ...enhanced compatibility     with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. Samba versions prior to     4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via     specially crafted extended file attributes. A remote attacker with write access to extended file     attributes can execute arbitrary code with the privileges of smbd, typically root. (CVE-2021-44142)

  - The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that     SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an     account modification re-adds an SPN that was previously present on that account, such as one added when a     computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to     perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an     attacker who can intercept traffic can impersonate existing services, resulting in a loss of     confidentiality and integrity. (CVE-2022-0336)

  - In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. (CVE-2022-1615)

  - A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a     single account and set of keys, allowing them to decrypt each other's tickets. A user who has been     requested to change their password, can exploit this flaw to obtain and use tickets to other services.
    (CVE-2022-2031)

  - A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and     unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI     library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a     maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the     application, possibly resulting in a denial of service (DoS) attack. (CVE-2022-3437)

  - A symlink following vulnerability was found in Samba, where a user can create a symbolic link that will     make 'smbd' escape the configured share path. This flaw allows a remote user with access to the exported     part of the file system under a share via SMB1 unix extensions or NFS to create symlinks to files outside     the 'smbd' configured share path and gain access to another restricted server's filesystem.
    (CVE-2022-3592)

  - A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client     had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or     printer) instead of client-supplied data. The client cannot control the area of the server memory written     to the file (or printer). (CVE-2022-32742)

  - Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit     unprivileged users to write it. (CVE-2022-32743)

  - A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By     encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling     full domain takeover. (CVE-2022-32744)

  - A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP     add or modify the request, usually resulting in a segmentation fault. (CVE-2022-32745)

  - A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP     message values freed by a preceding database module, resulting in a use-after-free issue. This issue is     only possible when modifying certain privileged attributes, such as userAccountControl. (CVE-2022-32746)

  - Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability (CVE-2022-37966)

  - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-37967)

  - Netlogon RPC Elevation of Privilege Vulnerability (CVE-2022-38023)

  - PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that     may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit     platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other     platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
    (CVE-2022-42898)

  - Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov     8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will     issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-     hmac-sha1-96). (CVE-2022-45141)

  - A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise     unprivileged users to delete this attribute from any object in the directory. (CVE-2023-0225)

  - The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP     filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a     Samba AD DC. (CVE-2023-0614)

  - The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new     or reset passwords over a signed-only connection. (CVE-2023-0922)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of samba installed on the remote host is prior to 4.16.2-0. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-224 advisory.

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC     (read-only domain controller). This would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-     based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did     not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total     domain compromise. (CVE-2020-25719)

  - Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). Samba as an AD DC now     provides a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets.
    (CVE-2020-25721)

  - Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored     data. An attacker could use this flaw to cause total domain compromise. (CVE-2020-25722)

  - A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated     attacker with permissions to read or modify share metadata, to perform this operation outside of the     share. (CVE-2021-20316)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

  - In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections     via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb     database. However while the database was correctly shared, the user credentials state was only pointed at,     and when one connection within that association group ended, the database would be left pointing at an     invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-     after-free could instead allow different user state to be pointed at and this might allow more privileged     access. (CVE-2021-3738)

  - All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to     determine if a file or directory exists in an area of the server file system not exported under the share     definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
    (CVE-2021-44141)

  - The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide ...enhanced compatibility     with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. Samba versions prior to     4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via     specially crafted extended file attributes. A remote attacker with write access to extended file     attributes can execute arbitrary code with the privileges of smbd, typically root. (CVE-2021-44142)

  - The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that     SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an     account modification re-adds an SPN that was previously present on that account, such as one added when a     computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to     perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an     attacker who can intercept traffic can impersonate existing services, resulting in a loss of     confidentiality and integrity. (CVE-2022-0336)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix     group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end     of the array in the case where a negative cache entry had been added to the mapping cache. This could     cause the calling code to return those values into the process token that stores the group membership for     a user. The highest threat from this vulnerability is to data confidentiality and integrity.
    (CVE-2021-20254)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

  - All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to     allow a directory to be created in an area of the server file system not exported under the share     definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack     to succeed. (CVE-2021-43566)

  - The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide ...enhanced compatibility     with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. Samba versions prior to     4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via     specially crafted extended file attributes. A remote attacker with write access to extended file     attributes can execute arbitrary code with the privileges of smbd, typically root. (CVE-2021-44142)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote AlmaLinux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALSA-2021:5082 advisory.

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2022:0008 advisory.

  - samba: SMB1 client connections can be downgraded to plaintext authentication (CVE-2016-2124)

  - samba: Active Directory (AD) domain user could become root on domain members (CVE-2020-25717)

  - samba: Subsequent DCE/RPC fragment injection vulnerability (CVE-2021-23192)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote CentOS Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the CESA-2021:5082 advisory.

  - samba: SMB1 client connections can be downgraded to plaintext authentication (CVE-2016-2124)

  - samba: Active Directory (AD) domain user could become root on domain members (CVE-2020-25717)

  - samba: Subsequent DCE/RPC fragment injection vulnerability (CVE-2021-23192)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2021-5082 advisory.

  - samba: SMB1 client connections can be downgraded to plaintext authentication (CVE-2016-2124)

  - samba: Subsequent DCE/RPC fragment injection vulnerability (CVE-2021-23192)

  - samba: Active Directory (AD) domain user could become root on domain members (CVE-2020-25717)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:5082 advisory.

  - samba: SMB1 client connections can be downgraded to plaintext authentication (CVE-2016-2124)

  - samba: Active Directory (AD) domain user could become root on domain members (CVE-2020-25717)

  - samba: Subsequent DCE/RPC fragment injection vulnerability (CVE-2021-23192)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2021:4843 advisory.

  - samba: SMB1 client connections can be downgraded to plaintext authentication (CVE-2016-2124)

  - samba: Active Directory (AD) domain user could become root on domain members (CVE-2020-25717)

  - samba: Subsequent DCE/RPC fragment injection vulnerability (CVE-2021-23192)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of Samba running on the remote host is 4.13.x prior to 4.13.14, 4.14.x prior to 4.14.10, or 4.15.x prior to 4.15.2.  It is, therefore, potentially affected by multiple vulnerabilities as referenced in the vendor advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:1471-1 advisory.

  - An attacker can downgrade a negotiated SMB1 client connection and its capabitilities. Kerberos     authentication is only possible with the SMB2/3 protocol or SMB1 using the NT1 dialect and the extended     security (spnego) capability. Without mandatory SMB signing the protocol can be downgraded to an older     insecure dialect like CORE, COREPLUS/CORE+, LANMAN1 or LANMAN2. Even if SMB signing is required it's still     possible to downgrade to the NT1 dialect if extended security (spnego) is not negotiated. The attacker is     able to get the plaintext password sent over the wire even if Kerberos authentication was required. The     problem is only possible if all of the following options are explicitly set together: client NTLMv2 auth =     no client lanman auth = yes client plaintext auth = yes client min protocol = NT1 # or lower In currently     supported Samba versions all of the above options have different default values, so the problem is very     unlikely to happen. Samba 4.5 and older had an additional problem, even in the default configuration, as     they send ntlmv2, ntlm or lanman responses. Which means the attacker might be able to do offline attacks     in order to recover the plaintext password, lmhash or nthash values. Requiring Kerberos authentication for     SMB1/2/3 connections can be controlled by the '-k'/'--kerberos' or '-k yes'/'--kerberos=yes' command line     options of various tools like: smbclient, smbcquotas, smbcacls, net, rpcclient, samba-tool and others.
    Note that 4.15 deprecated '-k/--kerberos*' and introduced '--use-kerberos=required' command line option as     well as the smb.conf option client use kerberos = required. For libsmbclient based applications the     usage of Kerberos is controlled by the following function calls: smbc_setOptionUseKerberos(),     smbc_setOptionFallbackAfterKerberos() and smbc_setOptionNoAutoAnonymousLogin(). (CVE-2016-2124)

  - Windows Active Directory (AD) domains have by default a feature to allow users to create computer     accounts, controlled by ms-DS-MachineAccountQuota. In addition some (presumably trusted) users have the     right to create new users or computers in both Samba and Windows Active Directory Domains. These features     can be quite dangerous in the wrong hands, as the user who creates such accounts has broad privileges to     not just create them and set their passwords, but to rename them at a later time with the only contraint     being they may not match an existing samAccountName in AD. When Samba as an AD Domain member accepts a     Kerberos ticket, it must map the information found therein to a local UNIX user-id (uid). This is     currently done via the account name in the Active Directory generated Kerberos Privileged Attribute     Certificate (PAC), or the account name in the ticket (if there is no PAC). For example, Samba will attempt     to find a user DOMAIN\user before falling back to trying to find the user user. If the DOMAIN\user     lookup can be made to fail, then a privilege escalation is possible. The easiest example to illustrate     this is if an attacker creates an account named root (by renaming a MachineAccountQuota based machine     account), and asks for a login without a Kerberos PAC. Between obtaining the ticket and presenting it to a     server, the attacker renames the user account to a different name. Samba attempts to look up     DOMAIN\root, which fails (as this no longer exists) and then falls back to looking up user root, which     will map to the privileged UNIX uid of 0. This patch changes Samba to require a PAC (in all scenarios     related to active directory domains) and use the SID and account name values of the PAC, which means the     combination represents the same point in time. The processing is now similar to as with NTLM based logins.
    The SID is unique and non-repeating and so can't be confused with another user. Additionally, a new     parameter has been added min domain uid (default 1000), and no matter how we obtain the UNIX uid to use     in the process token (we may eventually read /etc/passwd or similar), by default no UNIX uid below this     value will be accepted. The patch also removes the fallback from 'DOMAIN\user' to just 'user', as it     dangerous and not needed when nss_winbind is used (even when 'winbind use default domain = yes' is set).
    However there are setups which are joined to an active directory domain just for authentication, but the     authorization is handled without nss_winbind by mapping the domain account to a local user provided by     nss_file, nss_ldap or something similar. NOTE: These setups won't work anymore without explicitly mapping     the users! For these setups administrators need to use the 'username map' or 'username map script' option     in order to map domain users explicitly to local users, e.g. user = DOMAIN\user Please consult 'man 5     smb.conf' for further details on 'username map' or 'username map script'. Also note that in the above     example '\' refers to the default value of the 'winbind separator' option. [Added 2021-11-11] There's     sadly a regression that allow trusted domains = no prevents winbindd from starting, fixes are available     at https://bugzilla.samba.org/show_bug.cgi?id=14899 Please also notice the additional fix and advanced     example for the 'username map [script]' based fallback from 'DOMAIN\user' to 'user'. See     https://bugzilla.samba.org/show_bug.cgi?id=14901 and https://gitlab.com/samba-     team/samba/-/merge_requests/2251 (CVE-2020-25717)

  - Subsequent DCE/RPC fragment injection vulnerability [fedora-all] (CVE-2021-23192)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Ubuntu 20.04 LTS / 21.04 / 21.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5142-1 advisory.

  - A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-     based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did     not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total     domain compromise. (CVE-2020-25719)

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC     (read-only domain controller). This would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). Samba as an AD DC now     provides a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets.
    (CVE-2020-25721)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3650-1 advisory.

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3650-1 advisory.

  - An attacker can downgrade a negotiated SMB1 client connection and its capabitilities. Kerberos     authentication is only possible with the SMB2/3 protocol or SMB1 using the NT1 dialect and the extended     security (spnego) capability. Without mandatory SMB signing the protocol can be downgraded to an older     insecure dialect like CORE, COREPLUS/CORE+, LANMAN1 or LANMAN2. Even if SMB signing is required it's still     possible to downgrade to the NT1 dialect if extended security (spnego) is not negotiated. The attacker is     able to get the plaintext password sent over the wire even if Kerberos authentication was required. The     problem is only possible if all of the following options are explicitly set together: client NTLMv2 auth =     no client lanman auth = yes client plaintext auth = yes client min protocol = NT1 # or lower In currently     supported Samba versions all of the above options have different default values, so the problem is very     unlikely to happen. Samba 4.5 and older had an additional problem, even in the default configuration, as     they send ntlmv2, ntlm or lanman responses. Which means the attacker might be able to do offline attacks     in order to recover the plaintext password, lmhash or nthash values. Requiring Kerberos authentication for     SMB1/2/3 connections can be controlled by the '-k'/'--kerberos' or '-k yes'/'--kerberos=yes' command line     options of various tools like: smbclient, smbcquotas, smbcacls, net, rpcclient, samba-tool and others.
    Note that 4.15 deprecated '-k/--kerberos*' and introduced '--use-kerberos=required' command line option as     well as the smb.conf option client use kerberos = required. For libsmbclient based applications the     usage of Kerberos is controlled by the following function calls: smbc_setOptionUseKerberos(),     smbc_setOptionFallbackAfterKerberos() and smbc_setOptionNoAutoAnonymousLogin(). (CVE-2016-2124)

  - Windows Active Directory (AD) domains have by default a feature to allow users to create computer     accounts, controlled by ms-DS-MachineAccountQuota. In addition some (presumably trusted) users have the     right to create new users or computers in both Samba and Windows Active Directory Domains. These features     can be quite dangerous in the wrong hands, as the user who creates such accounts has broad privileges to     not just create them and set their passwords, but to rename them at a later time with the only contraint     being they may not match an existing samAccountName in AD. When Samba as an AD Domain member accepts a     Kerberos ticket, it must map the information found therein to a local UNIX user-id (uid). This is     currently done via the account name in the Active Directory generated Kerberos Privileged Attribute     Certificate (PAC), or the account name in the ticket (if there is no PAC). For example, Samba will attempt     to find a user DOMAIN\user before falling back to trying to find the user user. If the DOMAIN\user     lookup can be made to fail, then a privilege escalation is possible. The easiest example to illustrate     this is if an attacker creates an account named root (by renaming a MachineAccountQuota based machine     account), and asks for a login without a Kerberos PAC. Between obtaining the ticket and presenting it to a     server, the attacker renames the user account to a different name. Samba attempts to look up     DOMAIN\root, which fails (as this no longer exists) and then falls back to looking up user root, which     will map to the privileged UNIX uid of 0. This patch changes Samba to require a PAC (in all scenarios     related to active directory domains) and use the SID and account name values of the PAC, which means the     combination represents the same point in time. The processing is now similar to as with NTLM based logins.
    The SID is unique and non-repeating and so can't be confused with another user. Additionally, a new     parameter has been added min domain uid (default 1000), and no matter how we obtain the UNIX uid to use     in the process token (we may eventually read /etc/passwd or similar), by default no UNIX uid below this     value will be accepted. The patch also removes the fallback from 'DOMAIN\user' to just 'user', as it     dangerous and not needed when nss_winbind is used (even when 'winbind use default domain = yes' is set).
    However there are setups which are joined to an active directory domain just for authentication, but the     authorization is handled without nss_winbind by mapping the domain account to a local user provided by     nss_file, nss_ldap or something similar. NOTE: These setups won't work anymore without explicitly mapping     the users! For these setups administrators need to use the 'username map' or 'username map script' option     in order to map domain users explicitly to local users, e.g. user = DOMAIN\user Please consult 'man 5     smb.conf' for further details on 'username map' or 'username map script'. Also note that in the above     example '\' refers to the default value of the 'winbind separator' option. (CVE-2020-25717)

  - Samba implements DCE/RPC, and in most cases it is provided over and protected by the underlying SMB     transport, with protections like 'SMB signing'. However there are other cases where large DCE/RPC request     payloads are exchanged and fragmented into several pieces. If this happens over untrusted transports (e.g.
    directly over TCP/IP or anonymous SMB) clients will typically protect by an explicit authentication at the     DCE/RPC layer, e.g. with GSSAPI/Kerberos/NTLMSSP or Netlogon Secure Channel. Because the checks on the     fragment protection were not done between the policy controls on the header and the subsequent fragments,     an attacker could replace subsequent fragments in requests with their own data, which might be able to     alter the server behaviour. DCE/RPC is a core component of all Samba servers, but we are most concerned     about Samba as a Domain Controller, given the role as a centrally trusted service. As active directory     domain controller this issue affects Samba versions greater or equal to 4.10.0. As NT4 classic domain     controller, domain member or standalone server this issue affects Samba versions greater or equal to     4.13.0. (CVE-2021-23192)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SUSE15 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2021:3647-1 advisory.

  - An attacker can downgrade a negotiated SMB1 client connection and its capabitilities. Kerberos     authentication is only possible with the SMB2/3 protocol or SMB1 using the NT1 dialect and the extended     security (spnego) capability. Without mandatory SMB signing the protocol can be downgraded to an older     insecure dialect like CORE, COREPLUS/CORE+, LANMAN1 or LANMAN2. Even if SMB signing is required it's still     possible to downgrade to the NT1 dialect if extended security (spnego) is not negotiated. The attacker is     able to get the plaintext password sent over the wire even if Kerberos authentication was required. The     problem is only possible if all of the following options are explicitly set together: client NTLMv2 auth =     no client lanman auth = yes client plaintext auth = yes client min protocol = NT1 # or lower In currently     supported Samba versions all of the above options have different default values, so the problem is very     unlikely to happen. Samba 4.5 and older had an additional problem, even in the default configuration, as     they send ntlmv2, ntlm or lanman responses. Which means the attacker might be able to do offline attacks     in order to recover the plaintext password, lmhash or nthash values. Requiring Kerberos authentication for     SMB1/2/3 connections can be controlled by the '-k'/'--kerberos' or '-k yes'/'--kerberos=yes' command line     options of various tools like: smbclient, smbcquotas, smbcacls, net, rpcclient, samba-tool and others.
    Note that 4.15 deprecated '-k/--kerberos*' and introduced '--use-kerberos=required' command line option as     well as the smb.conf option client use kerberos = required. For libsmbclient based applications the     usage of Kerberos is controlled by the following function calls: smbc_setOptionUseKerberos(),     smbc_setOptionFallbackAfterKerberos() and smbc_setOptionNoAutoAnonymousLogin(). (CVE-2016-2124)

  - Windows Active Directory (AD) domains have by default a feature to allow users to create computer     accounts, controlled by ms-DS-MachineAccountQuota. In addition some (presumably trusted) users have the     right to create new users or computers in both Samba and Windows Active Directory Domains. These features     can be quite dangerous in the wrong hands, as the user who creates such accounts has broad privileges to     not just create them and set their passwords, but to rename them at a later time with the only contraint     being they may not match an existing samAccountName in AD. When Samba as an AD Domain member accepts a     Kerberos ticket, it must map the information found therein to a local UNIX user-id (uid). This is     currently done via the account name in the Active Directory generated Kerberos Privileged Attribute     Certificate (PAC), or the account name in the ticket (if there is no PAC). For example, Samba will attempt     to find a user DOMAIN\user before falling back to trying to find the user user. If the DOMAIN\user     lookup can be made to fail, then a privilege escalation is possible. The easiest example to illustrate     this is if an attacker creates an account named root (by renaming a MachineAccountQuota based machine     account), and asks for a login without a Kerberos PAC. Between obtaining the ticket and presenting it to a     server, the attacker renames the user account to a different name. Samba attempts to look up     DOMAIN\root, which fails (as this no longer exists) and then falls back to looking up user root, which     will map to the privileged UNIX uid of 0. This patch changes Samba to require a PAC (in all scenarios     related to active directory domains) and use the SID and account name values of the PAC, which means the     combination represents the same point in time. The processing is now similar to as with NTLM based logins.
    The SID is unique and non-repeating and so can't be confused with another user. Additionally, a new     parameter has been added min domain uid (default 1000), and no matter how we obtain the UNIX uid to use     in the process token (we may eventually read /etc/passwd or similar), by default no UNIX uid below this     value will be accepted. The patch also removes the fallback from 'DOMAIN\user' to just 'user', as it     dangerous and not needed when nss_winbind is used (even when 'winbind use default domain = yes' is set).
    However there are setups which are joined to an active directory domain just for authentication, but the     authorization is handled without nss_winbind by mapping the domain account to a local user provided by     nss_file, nss_ldap or something similar. NOTE: These setups won't work anymore without explicitly mapping     the users! For these setups administrators need to use the 'username map' or 'username map script' option     in order to map domain users explicitly to local users, e.g. user = DOMAIN\user Please consult 'man 5     smb.conf' for further details on 'username map' or 'username map script'. Also note that in the above     example '\' refers to the default value of the 'winbind separator' option. (CVE-2020-25717)

  - Samba as an Active Directory Domain Controller is able to support an RODC, which is meant to have minimal     privileges in a domain. However, in accepting a ticket from a Samba or Windows RODC, Samba was not     confirming that the RODC is authorized to print such a ticket, via the msDS-NeverRevealGroup and msDS-     RevealOnDemandGroup (typically Allowed RODC Replication Group and Denied RODC Replciation Group). This     would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based     authentication. These names are often then used for authorization. However Microsoft Windows and Active     Direcory is SID-based. SIDs in Windows, similar to UIDs in Linux/Unix (if managed well) are globally     unique and survive name changes. At the meeting of these two authorization schemes it is possible to     confuse a server into acting as one user when holding a ticket for another. A Kerberos ticket, once     issued, may be valid for some time, often 10 hours but potentially longer. In Active Directory, it may or     may not carry a PAC, holding the user's SIDs. A simple example of the problem is on Samba's LDAP server,     which would, unless gensec:require_pac = true was set, permit a fall back to using the name in the     Kerberos ticket alone. (All Samba AD services fall to the same issue in one way or another, LDAP is just a     good example). Delegated administrators with the right to create other user or machine accounts can abuse     the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate     a different account, including a highly privileged account. This could allow total domain compromise.
    (CVE-2020-25719)

  - In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and     ideally long-term stable identifiers of a user to perform authorization. The AD PAC provides this, but the     most useful information is kept in a buffer which is NDR encoded, which means that so far in Free Software     only Samba and applications which use Samba components under the hood like FreeIPA and SSSD decode PAC.
    Recognising that the issues seen in Samba are not unique, Samba now provides an extension to UPN_DNS_INFO,     a component of the AD PAC, in a way that can be parsed using basic pointer handling. From this, future     non-Samba based Kerberised applications can easily obtain the user's SID, in the same packing as objectSID     in LDAP, confident that the ticket represents a specific user, not matter subsequent renames. This will     allow such non-Samba applications to avoid confusing one Kerberos user for another, even if they have the     same string name (due to the gap between time of ticket printing by the KDC and time of ticket     acceptance). The protocol deployment weakness, as demonstrated with the CVE-2020-25717 in Samba when     deployed in Active Directory, leaves most Linux and UNIX applications only to rely on the client name     from the Kerberos ticket. When the client name as seen by the KDC is under an attacker control across     multiple Kerberos requests, such applications need an additional information to correlate the client name     across those requests. Directories where only full administrators can create users are not the concern,     the concern is where that user/computer creation right is delegated in some way, explicitly or via ms-DS-     MachineAccountQuota. (CVE-2020-25721)

  - Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive     attributes, and to follow a security model from Active Directory that relies totally on the intersection     of NT security descriptors and the underlying X.500 Directory Access Protocol (as then expressed in LDAP)     schema constraints for security. Some attributes in Samba AD are sensitive, they apply to one object but     protect others. Users who can set msDS-AllowedToDelegateTo can become any user in the domain on the server     pointed at by this list. Likewise in a domain mixed with Microsoft Windows, Samba's lack of protection of     sidHistory would be a similar issue. This would be limited to users with the right to create users or     modify them (typically those who created them), however, due to other flaws, all users are able to create     new user objects. Finally, Samba did not enforce userPrincipalName and servicePrincipalName uniqueness,     nor did it correctly implement the validated SPN feature allowing machine accounts to safely set their     own SPN (the checks were easily bypassed and additionally should have been restricted to     objectClass=computer). Samba has implemented this feature, which avoids a denial of service (UPNs) or     service impersonation (SPNs) between users privileged to add users to the domian (but see the above     point). This release adds a feature similar in goal but broader in implementation than that found in the     Windows 2012 Forest Functional level. (CVE-2020-25722)

  - Samba implements DCE/RPC, and in most cases it is provided over and protected by the underlying SMB     transport, with protections like 'SMB signing'. However there are other cases where large DCE/RPC request     payloads are exchanged and fragmented into several pieces. If this happens over untrusted transports (e.g.
    directly over TCP/IP or anonymous SMB) clients will typically protect by an explicit authentication at the     DCE/RPC layer, e.g. with GSSAPI/Kerberos/NTLMSSP or Netlogon Secure Channel. Because the checks on the     fragment protection were not done between the policy controls on the header and the subsequent fragments,     an attacker could replace subsequent fragments in requests with their own data, which might be able to     alter the server behaviour. DCE/RPC is a core component of all Samba servers, but we are most concerned     about Samba as a Domain Controller, given the role as a centrally trusted service. As active directory     domain controller this issue affects Samba versions greater or equal to 4.10.0. As NT4 classic domain     controller, domain member or standalone server this issue affects Samba versions greater or equal to     4.13.0. (CVE-2021-23192)

  - In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections     via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb     database. However while the database was correctly shared, the user credentials state was only pointed at,     and when one connection within that association group ended, the database would be left pointing at an     invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-     after-free could instead allow different user state to be pointed at and this might allow more privileged     access. (CVE-2021-3738)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED12 / SLES12 / SLES_SAP12 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3649-1 advisory.

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote SUSE Linux SLED15 / SLES15 host has packages installed that are affected by multiple vulnerabilities as referenced in the SUSE-SU-2021:3647-1 advisory.

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC     (read-only domain controller). This would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-     based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did     not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total     domain compromise. (CVE-2020-25719)

  - Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). Samba as an AD DC now     provides a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets.
    (CVE-2020-25721)

  - Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored     data. An attacker could use this flaw to cause total domain compromise. (CVE-2020-25722)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

  - In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections     via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb     database. However while the database was correctly shared, the user credentials state was only pointed at,     and when one connection within that association group ended, the database would be left pointing at an     invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-     after-free could instead allow different user state to be pointed at and this might allow more privileged     access. (CVE-2021-3738)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5003 advisory.

  - Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored     data. An attacker could use this flaw to cause total domain compromise. (CVE-2020-25722)

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC     (read-only domain controller). This would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-     based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did     not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total     domain compromise. (CVE-2020-25719)

Note that Nessus has not tested for this issue but has instead relied only on the application's self- reported version number.

ID	Name	Product	Family	Severity
184610	Rocky Linux 8 : samba (RLSA-2021:5082)	Nessus	Rocky Linux Local Security Checks	high
181514	GLSA-202309-06 : Samba: Multiple Vulnerabilities	Nessus	Gentoo Local Security Checks	critical
168583	Amazon Linux 2022 : samba (ALAS2022-2022-224)	Nessus	Amazon Linux Local Security Checks	high
167474	NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2022-0099)	Nessus	NewStart CGSL Local Security Checks	high
158879	AlmaLinux 8 : samba (ALSA-2021:5082)	Nessus	Alma Linux Local Security Checks	high
156464	RHEL 8 : samba (RHSA-2022:0008)	Nessus	Red Hat Local Security Checks	high
156238	CentOS 8 : samba (CESA-2021:5082)	Nessus	CentOS Local Security Checks	high
156045	Oracle Linux 8 : samba (ELSA-2021-5082)	Nessus	Oracle Linux Local Security Checks	high
156044	RHEL 8 : samba (RHSA-2021:5082)	Nessus	Red Hat Local Security Checks	high
155725	RHEL 8 : samba (RHSA-2021:4843)	Nessus	Red Hat Local Security Checks	high
155620	Samba 4.13.x < 4.13.14 / 4.14.x < 4.14.10 / 4.15.x < 4.15.2 Multiple Vulnerabilities	Nessus	Misc.	high
155356	openSUSE 15 Security Update : samba (openSUSE-SU-2021:1471-1)	Nessus	SuSE Local Security Checks	high
155297	Ubuntu 20.04 LTS : Samba vulnerabilities (USN-5142-1)	Nessus	Ubuntu Local Security Checks	high
155213	SUSE SLED15 / SLES15 Security Update : samba (SUSE-SU-2021:3650-1)	Nessus	SuSE Local Security Checks	high
155191	openSUSE 15 Security Update : samba (openSUSE-SU-2021:3650-1)	Nessus	SuSE Local Security Checks	high
155177	openSUSE 15 Security Update : samba and ldb (openSUSE-SU-2021:3647-1)	Nessus	SuSE Local Security Checks	high
155076	SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2021:3649-1)	Nessus	SuSE Local Security Checks	high
155048	SUSE SLED15 / SLES15 Security Update : samba and ldb (SUSE-SU-2021:3647-1)	Nessus	SuSE Local Security Checks	high
155015	Debian DSA-5003-1 : samba - security update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2021-23192

high

Tenable Plugins

high

critical

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high