Ubuntu 20.04 LTS / 22.04 LTS / 22.10 : Samba vulnerabilities (USN-5822-1)

High (Nessus Plugin ID 170562)

Synopsis

The remote Ubuntu host is missing one or more security updates.

Description

The remote Ubuntu 20.04 LTS / 22.04 LTS / 22.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-5822-1 advisory.

- A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack. (CVE-2022-3437)

- Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability. (CVE-2022-37966)

- Windows Kerberos Elevation of Privilege Vulnerability. (CVE-2022-37967)

- Netlogon RPC Elevation of Privilege Vulnerability. (CVE-2022-38023)

- PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug. (CVE-2022-42898)

- The vulnerability exists due to an error that allows an attacker to force the server to issue rc4-hmac encrypted tickets despite the target server supporting better encryption (e.g. aes256-cts-hmac-sha1-96). A remote attacker can perform an offline attack against the ticket encrypted with rc4-hmac and log in as a privileged user. (CVE-2022-45141)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://ubuntu.com/security/notices/USN-5822-1

Plugin Details

Severity: High

ID: 170562

File Name: ubuntu_USN-5822-1.nasl

Version: 1.0

Type: local

Agent: unix

Published: 1/25/2023

Updated: 1/25/2023

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Azure, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment

Risk Information

VPR

Risk Factor: High

Score: 8.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 6.7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

Temporal Vector: CVSS2#E:U/RL:OF/RC:C

CVSS Score Source: CVE-2022-42898

CVSS v3

Risk Factor: High

Base Score: 8.8

Temporal Score: 7.7

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:2.3:o:canonical:ubuntu_linux:20.04:-:lts:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libpam-winbind:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:winbind:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libsmbclient:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libsmbclient-dev:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba-common:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:smbclient:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:ctdb:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libnss-winbind:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libwbclient-dev:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libwbclient0:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:registry-tools:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba-common-bin:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba-dev:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba-dsdb-modules:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba-libs:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba-testsuite:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:samba-vfs-modules:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:python3-samba:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:ldb-tools:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libldb-dev:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:libldb2:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:python3-ldb:*:*:*:*:*:*:*, p-cpe:2.3:a:canonical:ubuntu_linux:python3-ldb-dev:*:*:*:*:*:*:*, cpe:2.3:o:canonical:ubuntu_linux:22.04:-:lts:*:*:*:*:*, cpe:2.3:o:canonical:ubuntu_linux:22.10:*:*:*:*:*:*:*

Required KB Items: Host/cpu, Host/Debian/dpkg-l, Host/Ubuntu, Host/Ubuntu/release

Exploit Ease: No known exploits are available

Patch Publication Date: 1/24/2023

Vulnerability Publication Date: 10/25/2022

Reference Information

CVE: CVE-2021-20251, CVE-2022-3437, CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, CVE-2022-42898, CVE-2022-45141

IAVA: 2022-A-0447-S, 2022-A-0495-S, 2023-A-0004

USN: 5822-1