CVE-2022-32744: Critical Samba admin password reset flaw

Samba maintainers have just released new versions of their networking software to patch 5 vulnerabilities that could allow attackers to launch DoS attacks against servers, leak memory information and change any other users’ passwords, including admin.

Samba is Free Software licensed under the GNU General Public License, the Samba project is a member of the Software Freedom Conservancy. Since 1992, Samba has provided secure, stable, and fast file and print services for all clients using the SMB/CIFS protocol, such as all versions of DOS and Windows, OS/2, Linux, and many others.

Samba is an important component to seamlessly integrate Linux/Unix Servers and Desktops into Active Directory environments. It can function both as a domain controller or as a regular domain member.

Samba developers informed users this week that all versions of Samba prior to 4.16.4 was affected by CVE-2022-32744 vulnerability, an admin password reset flaw vulnerability that can be exploited for encrypting forged kpasswd requests with its own key, a user can change the passwords of other users, enabling full domain takeover. The vulnerability rated 8.8 on the CVSS scale.

“Tickets received by the kpasswd service were decrypted without specifying that only that service’s own keys should be tried. By setting the ticket’s server name to a principal associated with their own account, or by exploiting a fallback where known keys would be tried until a suitable one was found, an attacker could have the server accept tickets encrypted with any key, including their own,” read the CVE-2022-32744 advisory.

“A user could thus change the password of the Administrator account and gain total control over the domain. Full loss of confidentiality and integrity would be possible, as well as of availability by denying users access to their accounts.”

Also addressed by Samba are 4 separate flaws —

• CVE-2022-2031 (CVSS score: 5.4): Samba AD users can bypass certain restrictions associated with changing passwords.
• CVE-2022-32742 (CVSS score: 4.3): Server memory information leak via SMB1.
• CVE-2022-32745 (CVSS score: 5.4) Samba AD users can crash the server process with an LDAP add or modify request.
• CVE-2022-32746 (CVSS score: 5.4): Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request.

The maintainers of Samba have already patched the issue in their new versions Samba versions 4.16.4, 4.15.9, and 4.14.14, and are urging those using a vulnerable version of Samba to install the patch as soon as possible.