The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5205 advisory.

  - The KDC and the kpasswd service share a single account and set of keys. In certain cases, this makes the     two services susceptible to confusion. When a user's password has expired, that user is requested to     change their password. Until doing so, the user is restricted to only acquiring tickets to kpasswd.
    However, a vulnerability meant that the kpasswd's principal, when canonicalized, was set to that of the     TGS (Ticket-Granting Service), thus yielding TGTs from ordinary kpasswd requests. These TGTs could be used     to perform an Elevation of Privilege attack by obtaining service tickets and using services in the forest.
    This vulnerability existed in versions of Samba built with Heimdal Kerberos. A separate vulnerability in     Samba versions below 4.16, and in Samba built with MIT Kerberos, led the KDC to accept kpasswd tickets as     if they were TGTs, with the same overall outcome. On the reverse side of the issue, password changes could     be effected by presenting TGTs as if they were kpasswd tickets. TGTs having potentially longer lifetimes     than kpasswd tickets, the value of a stolen cache containing a TGT was hence increased to an attacker,     with the possibility of indefinite control over an account by means of a password change. Finally, kpasswd     service tickets would be accepted for changes to one's own password, contrary to the requirement that     tickets be acquired with an initial KDC request in such cases. As part of the mitigations, the lifetime of     kpasswd tickets has been restricted to a maximum of two minutes. The KDC will not longer accept TGTs with     two minutes or less left to live, to make sure it does not accept kpasswd tickets. (CVE-2022-2031)

  - Please note that only versions of Samba prior to 4.11.0 are vulnerable to this bug by default. Samba     versions 4.11.0 and above disable SMB1 by default, and will only be vulnerable if the administrator has     deliberately enabled SMB1 in the smb.conf file. All versions of Samba with SMB1 enabled are vulnerable to     a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write     requests were not correctly range checked to ensure the client had sent enough data to fulfill the write,     allowing server memory contents to be written into the file (or printer) instead of client supplied data.
    The client cannot control the area of the server memory that is written to the file (or printer).
    (CVE-2022-32742)

  - Tickets received by the kpasswd service were decrypted without specifying that only that service's own     keys should be tried. By setting the ticket's server name to a principal associated with their own     account, or by exploiting a fallback where known keys would be tried until a suitable one was found, an     attacker could have the server accept tickets encrypted with any key, including their own. A user could     thus change the password of the Administrator account and gain total control over the domain. Full loss of     confidentiality and integrity would be possible, as well as of availability by denying users access to     their accounts. In addition, the kpasswd service would accept tickets encrypted by the krbtgt key of an     RODC, in spite of the fact that RODCs should not have been able to authorise password changes.
    (CVE-2022-32744)

  - Due to incorrect values used as the limit for a loop and as the 'count' parameter to memcpy(), the server,     receiving a specially crafted message, leaves an array of structures partially uninitialised, or accesses     an arbitrary element beyond the end of an array. Outcomes achievable by an attacker include segmentation     faults and corresponding loss of availability. Depending on the contents of the uninitialised memory,     confidentiality may also be affected. (CVE-2022-32745)

  - Some database modules make a shallow copy of an LDAP add/delete message so they can make modifications to     its elements without affecting the original message. Each element in a message points to an array of     values, and these arrays are shared between the original message and the copy. The issue arises when a     database module adds new values to an existing array. A call to realloc() increases the array's size to     accommodate new elements, but at the same time, frees the old array. This leaves the original message     element with a dangling pointer to a now-freed array. When the database audit logging module subsequently     logs the details of the original message, it will access this freed data, generally resulting in corrupted     log output or a crash. The code paths susceptible to this issue are reachable when certain specific     attributes, such as userAccountControl, are added or modified. These attributes are not editable by     default without having a privilege assigned, such as Write Property. (CVE-2022-32746)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Debian DSA-5205-1 : samba - security update

high Nessus Plugin ID 164092

Version 1.4

Version 1.3

Version 1.4 Dec 7, 2022, 8:11 PM CVSS metrics ("CVSSv2 score" changed from "6.5" to "9.4") CVSS metrics ("CVSSv2 vector" changed from "CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P" to "CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C") CVSSv2 score source (changed from "CVE-2022-32746" to "CVE-2022-32745") CVSSv2 severity (based on CVE-2022-32745, severity increased from "Medium" to "High") Plugin Feed: 202212072011
Version 1.3 Nov 1, 2022, 3:25 PM IAVM reference Plugin Feed: 202211011525