Samba Issues Security Updates to Patch Three Vulnerabilities
In networking, Samba is a household name: it provides file and print services to SMB/CIFS clients. Despite its widespread use and popularity, Samba, like any software, is not immune to security vulnerabilities. Three recently discovered Samba security vulnerabilities could allow attackers to gain access to sensitive data, posing a significant security risk.
- CVE-2023-0225 (CVSSv3 score of 5.4): Samba AD DC “dnsHostname” attribute can be deleted by unprivileged authenticated users
The first vulnerability, CVE-2023-0225, allows authenticated but unprivileged users to delete the dnsHostName attribute from any object in the directory. This vulnerability stems from an incomplete access check on dnsHostName, which was incorrectly handled in Samba 4.17.0 and later versions.
Impact: The deletion of the dnsHostName attribute by unauthorized users can lead to the disruption of the domain’s functionality, creating a significant security risk.
Affected versions: Samba 4.17.0 and later.
Workaround: As a temporary measure, the AD DC LDAP server can be disabled by setting “server services = -ldap” in the smb.conf file and restarting Samba. However, this is not a recommended long-term solution since the AD DC LDAP server is a critical component of the AD DC.
- CVE-2023-0922 (CVSSv3 score of 5.9): Samba AD DC admin tool samba-tool sends passwords in cleartext
The second vulnerability, CVE-2023-0922, involves the Samba AD DC administration tool, samba-tool, which sends passwords in cleartext when operating against a remote LDAP server by default. This vulnerability occurs when samba-tool is used to reset a user’s password or add a new user, potentially allowing an attacker to intercept the newly set passwords by observing network traffic.
Impact: The transmission of passwords in cleartext can lead to unauthorized access to sensitive information, compromising the security of the entire network.
Affected versions: All versions of Samba since 4.0.
Workaround: To mitigate this vulnerability, set “client ldap sasl wrapping = seal” in the smb.conf file or add the --option=clientldapsaslwrapping=sign option to any samba-tool or ldbmodify invocation that sets a password.
- CVE-2023-0614 (CVSSv3 score of 7.7): Access controlled AD LDAP attributes can be discovered
CVE-2023-0614 allows attackers to discover and potentially obtain confidential information, such as BitLocker recovery keys, from a Samba AD DC. The previous fix for CVE-2018-10919 was insufficient, and organizations that store such secrets in their Samba AD should assume those secrets have been compromised and need replacing.
Impact: The disclosure of confidential information could lead to unauthorized access to sensitive resources, posing a significant security risk.
Affected versions: All Samba releases since Samba 4.0.
Workaround: The recommended workaround is to avoid storing confidential information in Active Directory, other than the passwords or keys required for AD operation. These are in the hard-coded secret attribute list and are not subject to this vulnerability.
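The two smb.conf workarounds above (for CVE-2023-0225 and CVE-2023-0922) can be checked mechanically. The following is an added example, not code from Samba or from this article: the function names and the sample configuration are constructed for illustration, and it assumes a single smb.conf with no include directives.

```python
import re

# Added example: names are illustrative; the sample config is constructed.
SAMPLE_SMB_CONF = """\
[global]
    ; smb.conf accepts both ';' and '#' comment lines
    Client LDAP  SASL Wrapping = sign
    server services = -ldap
[share]
    path = /srv/share
"""

def _norm(name):
    # smb.conf parameter names ignore case and whitespace, which is why the
    # --option=clientldapsaslwrapping=... spelling in the article works.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized_name: value} for the [global] section only."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line[0] in "#;":
            continue
        if line.endswith("\\"):  # trailing backslash continues the line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params

def audit(text):
    """Report on the two smb.conf workarounds named in the article."""
    g = parse_global(text)
    findings = []
    wrapping = g.get("clientldapsaslwrapping")
    if wrapping is None or wrapping.lower() != "seal":
        findings.append(f"CVE-2023-0922: wrapping is {wrapping or 'unset'}, not seal")
    if "-ldap" in g.get("serverservices", "").replace(",", " ").split():
        findings.append("CVE-2023-0225: LDAP server disabled (temporary workaround)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print(finding)
```
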
Patch Availability
Vulnerabilities in Samba, as in any software, can expose organizations to significant security risks. Samba administrators are advised to upgrade to the patched releases or apply the patch as soon as possible.