ALAS-2023-2367

Amazon Linux 2 Security Advisory: ALAS-2023-2367
Advisory Release Date: 2023-11-29 22:20 Pacific
Advisory Updated Date: 2023-12-04 21:45 Pacific
Severity: Medium
Issue Overview:

When doing NTLM authentication, the client sends replies to
cryptographic challenges back to the server. These replies
have variable length. Winbind did not properly bounds-check
the lan manager response length, which despite the lan
manager version no longer being used is still part of the
protocol.

If the system is running Samba's ntlm_auth as authentication backend
for services like Squid (or a very unusual configuration with
FreeRADIUS), the vulnarebility is remotely exploitable

If not so configured, or to exploit this vulnerability locally, the
user must have access to the privileged winbindd UNIX domain
socket (a subdirectory with name 'winbindd_privileged' under "state
directory", as set in the smb.conf).

This access is normally only given so special system services like
Squid or FreeRADIUS, that use this feature. (CVE-2022-2127)

SMB client can truncate files to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting "acl_xattr:ignore system acls = yes" (CVE-2023-4091)


Affected Packages:

samba


Note:

This advisory is applicable to Amazon Linux 2 (AL2) Core repository. Visit this FAQ section for the difference between AL2 Core and AL2 Extras advisories.


Issue Correction:
Run yum update samba to update your system.

New Packages:
aarch64:
    samba-4.10.16-24.amzn2.0.4.aarch64
    samba-client-4.10.16-24.amzn2.0.4.aarch64
    samba-client-libs-4.10.16-24.amzn2.0.4.aarch64
    samba-common-libs-4.10.16-24.amzn2.0.4.aarch64
    samba-common-tools-4.10.16-24.amzn2.0.4.aarch64
    samba-dc-4.10.16-24.amzn2.0.4.aarch64
    samba-dc-libs-4.10.16-24.amzn2.0.4.aarch64
    samba-devel-4.10.16-24.amzn2.0.4.aarch64
    samba-krb5-printing-4.10.16-24.amzn2.0.4.aarch64
    samba-libs-4.10.16-24.amzn2.0.4.aarch64
    libsmbclient-4.10.16-24.amzn2.0.4.aarch64
    libsmbclient-devel-4.10.16-24.amzn2.0.4.aarch64
    libwbclient-4.10.16-24.amzn2.0.4.aarch64
    libwbclient-devel-4.10.16-24.amzn2.0.4.aarch64
    samba-python-4.10.16-24.amzn2.0.4.aarch64
    samba-python-test-4.10.16-24.amzn2.0.4.aarch64
    samba-test-4.10.16-24.amzn2.0.4.aarch64
    samba-test-libs-4.10.16-24.amzn2.0.4.aarch64
    samba-winbind-4.10.16-24.amzn2.0.4.aarch64
    samba-winbind-clients-4.10.16-24.amzn2.0.4.aarch64
    samba-winbind-krb5-locator-4.10.16-24.amzn2.0.4.aarch64
    samba-winbind-modules-4.10.16-24.amzn2.0.4.aarch64
    ctdb-4.10.16-24.amzn2.0.4.aarch64
    ctdb-tests-4.10.16-24.amzn2.0.4.aarch64
    samba-debuginfo-4.10.16-24.amzn2.0.4.aarch64

i686:
    samba-4.10.16-24.amzn2.0.4.i686
    samba-client-4.10.16-24.amzn2.0.4.i686
    samba-client-libs-4.10.16-24.amzn2.0.4.i686
    samba-common-libs-4.10.16-24.amzn2.0.4.i686
    samba-common-tools-4.10.16-24.amzn2.0.4.i686
    samba-dc-4.10.16-24.amzn2.0.4.i686
    samba-dc-libs-4.10.16-24.amzn2.0.4.i686
    samba-devel-4.10.16-24.amzn2.0.4.i686
    samba-krb5-printing-4.10.16-24.amzn2.0.4.i686
    samba-libs-4.10.16-24.amzn2.0.4.i686
    libsmbclient-4.10.16-24.amzn2.0.4.i686
    libsmbclient-devel-4.10.16-24.amzn2.0.4.i686
    libwbclient-4.10.16-24.amzn2.0.4.i686
    libwbclient-devel-4.10.16-24.amzn2.0.4.i686
    samba-python-4.10.16-24.amzn2.0.4.i686
    samba-python-test-4.10.16-24.amzn2.0.4.i686
    samba-test-4.10.16-24.amzn2.0.4.i686
    samba-test-libs-4.10.16-24.amzn2.0.4.i686
    samba-winbind-4.10.16-24.amzn2.0.4.i686
    samba-winbind-clients-4.10.16-24.amzn2.0.4.i686
    samba-winbind-krb5-locator-4.10.16-24.amzn2.0.4.i686
    samba-winbind-modules-4.10.16-24.amzn2.0.4.i686
    ctdb-4.10.16-24.amzn2.0.4.i686
    ctdb-tests-4.10.16-24.amzn2.0.4.i686
    samba-debuginfo-4.10.16-24.amzn2.0.4.i686

noarch:
    samba-common-4.10.16-24.amzn2.0.4.noarch
    samba-pidl-4.10.16-24.amzn2.0.4.noarch

src:
    samba-4.10.16-24.amzn2.0.4.src

x86_64:
    samba-4.10.16-24.amzn2.0.4.x86_64
    samba-client-4.10.16-24.amzn2.0.4.x86_64
    samba-client-libs-4.10.16-24.amzn2.0.4.x86_64
    samba-common-libs-4.10.16-24.amzn2.0.4.x86_64
    samba-common-tools-4.10.16-24.amzn2.0.4.x86_64
    samba-dc-4.10.16-24.amzn2.0.4.x86_64
    samba-dc-libs-4.10.16-24.amzn2.0.4.x86_64
    samba-devel-4.10.16-24.amzn2.0.4.x86_64
    samba-vfs-glusterfs-4.10.16-24.amzn2.0.4.x86_64
    samba-krb5-printing-4.10.16-24.amzn2.0.4.x86_64
    samba-libs-4.10.16-24.amzn2.0.4.x86_64
    libsmbclient-4.10.16-24.amzn2.0.4.x86_64
    libsmbclient-devel-4.10.16-24.amzn2.0.4.x86_64
    libwbclient-4.10.16-24.amzn2.0.4.x86_64
    libwbclient-devel-4.10.16-24.amzn2.0.4.x86_64
    samba-python-4.10.16-24.amzn2.0.4.x86_64
    samba-python-test-4.10.16-24.amzn2.0.4.x86_64
    samba-test-4.10.16-24.amzn2.0.4.x86_64
    samba-test-libs-4.10.16-24.amzn2.0.4.x86_64
    samba-winbind-4.10.16-24.amzn2.0.4.x86_64
    samba-winbind-clients-4.10.16-24.amzn2.0.4.x86_64
    samba-winbind-krb5-locator-4.10.16-24.amzn2.0.4.x86_64
    samba-winbind-modules-4.10.16-24.amzn2.0.4.x86_64
    ctdb-4.10.16-24.amzn2.0.4.x86_64
    ctdb-tests-4.10.16-24.amzn2.0.4.x86_64
    samba-debuginfo-4.10.16-24.amzn2.0.4.x86_64

Additional References

Red Hat: CVE-2022-2127, CVE-2023-4091

Mitre: CVE-2022-2127, CVE-2023-4091