The remote host is affected by the vulnerability described in GLSA-202309-06 (Samba: Multiple Vulnerabilities)

  - Directory traversal vulnerability in the (1) extract and (2) extractall functions in the tarfile module in     Python allows user-assisted remote attackers to overwrite arbitrary files via a .. (dot dot) sequence in     filenames in a TAR archive, a related issue to CVE-2001-1267. (CVE-2007-4559)

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - Kerberos Security Feature Bypass Vulnerability (CVE-2020-17049)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC     (read-only domain controller). This would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-     based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did     not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total     domain compromise. (CVE-2020-25719)

  - Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). Samba as an AD DC now     provides a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets.
    (CVE-2020-25721)

  - Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored     data. An attacker could use this flaw to cause total domain compromise. (CVE-2020-25722)

  - MaxQueryDuration not honoured in Samba AD DC LDAP (CVE-2021-3670)

  - In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections     via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb     database. However while the database was correctly shared, the user credentials state was only pointed at,     and when one connection within that association group ended, the database would be left pointing at an     invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-     after-free could instead allow different user state to be pointed at and this might allow more privileged     access. (CVE-2021-3738)

  - A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute     force attacks being successful if special conditions are met. (CVE-2021-20251)

  - A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated     attacker with permissions to read or modify share metadata, to perform this operation outside of the     share. (CVE-2021-20316)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

  - All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to     determine if a file or directory exists in an area of the server file system not exported under the share     definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
    (CVE-2021-44141)

  - The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide ...enhanced compatibility     with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. Samba versions prior to     4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via     specially crafted extended file attributes. A remote attacker with write access to extended file     attributes can execute arbitrary code with the privileges of smbd, typically root. (CVE-2021-44142)

  - The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that     SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an     account modification re-adds an SPN that was previously present on that account, such as one added when a     computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to     perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an     attacker who can intercept traffic can impersonate existing services, resulting in a loss of     confidentiality and integrity. (CVE-2022-0336)

  - In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. (CVE-2022-1615)

  - A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a     single account and set of keys, allowing them to decrypt each other's tickets. A user who has been     requested to change their password, can exploit this flaw to obtain and use tickets to other services.
    (CVE-2022-2031)

  - A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and     unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI     library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a     maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the     application, possibly resulting in a denial of service (DoS) attack. (CVE-2022-3437)

  - A symlink following vulnerability was found in Samba, where a user can create a symbolic link that will     make 'smbd' escape the configured share path. This flaw allows a remote user with access to the exported     part of the file system under a share via SMB1 unix extensions or NFS to create symlinks to files outside     the 'smbd' configured share path and gain access to another restricted server's filesystem.
    (CVE-2022-3592)

  - A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client     had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or     printer) instead of client-supplied data. The client cannot control the area of the server memory written     to the file (or printer). (CVE-2022-32742)

  - Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit     unprivileged users to write it. (CVE-2022-32743)

  - A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By     encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling     full domain takeover. (CVE-2022-32744)

  - A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP     add or modify the request, usually resulting in a segmentation fault. (CVE-2022-32745)

  - A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP     message values freed by a preceding database module, resulting in a use-after-free issue. This issue is     only possible when modifying certain privileged attributes, such as userAccountControl. (CVE-2022-32746)

  - Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability (CVE-2022-37966)

  - Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-37967)

  - Netlogon RPC Elevation of Privilege Vulnerability (CVE-2022-38023)

  - PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that     may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit     platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other     platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has a similar bug.
    (CVE-2022-42898)

  - Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov     8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will     issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-     hmac-sha1-96). (CVE-2022-45141)

  - A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise     unprivileged users to delete this attribute from any object in the directory. (CVE-2023-0225)

  - The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP     filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a     Samba AD DC. (CVE-2023-0614)

  - The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new     or reset passwords over a signed-only connection. (CVE-2023-0922)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

GLSA-202309-06 : Samba: Multiple Vulnerabilities

critical Nessus Plugin ID 181514

Version 1.2

Version 1.1

Version 1.0

Version 1.2 Sep 21, 2023, 2:27 PM CVSS metrics ("CVSSv3 score" changed from 8.8 to 9.8. "CVSSv3 vector" changed from "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" to "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H") CVSSv3 score source (set to "CVE-2022-45141") Plugin Feed: 202309211427
Version 1.1 Sep 18, 2023, 4:18 PM Exploit attributes ("Exploited by malware" set to "True") Plugin Feed: 202309181618
Version 1.0 Sep 17, 2023, 2:05 PM New Plugin Feed: 202309171405