ALAS-2023-032


Amazon Linux 2023 Security Advisory: ALAS-2023-032
Advisory Release Date: 2023-02-17 20:44 Pacific
Advisory Updated Date: 2024-02-15 02:51 Pacific
Severity: Important

Issue Overview:

2024-02-15: CVE-2016-2124 was added to this advisory.

2024-02-15: CVE-2021-44141 was added to this advisory.

2024-02-15: CVE-2021-20316 was added to this advisory.

2024-02-15: CVE-2020-17049 was added to this advisory.

A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required. (CVE-2016-2124)

It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it provides from tampering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user. (CVE-2020-17049)

A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated attacker with permissions to read or modify share metadata to perform this operation outside of the share.

A fix for CVE-2021-20316 will not be provided for Amazon Linux 1 and Amazon Linux 2. You can mitigate this issue by disabling SMBv1.
To do so, add server min protocol = SMB2 to the [global] section of /etc/samba/smb.conf. (CVE-2021-20316)

All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share must also be available via NFS, in order for this attack to succeed. (CVE-2021-43566)

All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.


A fix for CVE-2021-44141 will not be provided for Amazon Linux 1 and Amazon Linux 2. You can mitigate this issue by disabling SMBv1.
To do so, add server min protocol = SMB2 to the [global] section of /etc/samba/smb.conf. (CVE-2021-44141)
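
A way to check that the SMBv1 mitigation given above for CVE-2021-20316 and CVE-2021-44141 is actually in effect in a configuration file. This is an added example, not part of the advisory: the function names and sample configurations are constructed for illustration, include directives are not followed, and an unset parameter is reported separately because its default depends on the Samba build.

```python
import re

# Dialects at or below SMB1; any of these as the minimum leaves SMB1 reachable.
SMB1_OR_OLDER = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
SMB2_OR_NEWER = {"SMB2", "SMB2_02", "SMB2_10", "SMB3", "SMB3_00", "SMB3_02", "SMB3_11"}
# smb.conf ignores case and whitespace in names; "min protocol" is a synonym.
MIN_PROTO_KEYS = {"serverminprotocol", "minprotocol"}

def norm(name):
    return re.sub(r"\s+", "", name).lower()

def global_min_protocol(conf_text):
    """Return the [global] 'server min protocol' value (upper-cased), or None."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, val = line.split("=", 1)    # only the first '=' is significant
            if norm(key) in MIN_PROTO_KEYS:
                value = val.strip().upper()  # a later assignment overrides
    return value

def audit(conf_text):
    value = global_min_protocol(conf_text)
    if value is None:
        return "UNSET"          # mitigation line absent; build default applies
    if value in SMB2_OR_NEWER:
        return "OK"
    if value in SMB1_OR_OLDER:
        return "SMB1_ENABLED"
    return "UNKNOWN_VALUE"

# Constructed samples: a commented-out fix and a share-level setting do not count.
SAMPLE_WEAK = """[global]
   workgroup = EXAMPLE
   ; server min protocol = SMB2
   Server Min Protocol = NT1
[share]
   path = /srv/share
   server min protocol = SMB3
"""
SAMPLE_FIXED = "[global]\n   workgroup = EXAMPLE\n   server min protocol = SMB2\n"
SAMPLE_UNSET = "[global]\n   workgroup = EXAMPLE\n"

if __name__ == "__main__":
    for name in ("SAMPLE_WEAK", "SAMPLE_FIXED", "SAMPLE_UNSET"):
        print(name, audit(globals()[name]))
```

On a live host, `testparm -s --parameter-name="server min protocol"` reports the value Samba itself resolves, including defaults and included files.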

Samba AD users with permission to write to an account can impersonate arbitrary services. (CVE-2022-0336)

In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. (CVE-2022-1615)

A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer). (CVE-2022-32742)

Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it. (CVE-2022-32743)

A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl. (CVE-2022-32746)

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack. (CVE-2022-3437)

Samba 4.17 introduced following symlinks in user space with the intent to properly check symlink targets to stay within the share that was configured by the administrator. The check does not properly cover a corner case, so that a user can create a symbolic link that will make smbd escape the configured share path. (CVE-2022-3592)

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability. (CVE-2022-37966)

Windows Kerberos Elevation of Privilege Vulnerability. (CVE-2022-37967)

Netlogon RPC Elevation of Privilege Vulnerability. (CVE-2022-38023)

Samba AD DC using Heimdal can be forced to issue rc4-hmac encrypted Kerberos tickets. (CVE-2022-45141)


Affected Packages:

samba


Issue Correction:
Run dnf update samba --releasever=2023.0.20230222 to update your system.

New Packages:
aarch64:
    samba-vfs-iouring-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    libnetapi-devel-4.17.5-0.amzn2023.0.2.aarch64
    samba-dcerpc-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-common-libs-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-modules-4.17.5-0.amzn2023.0.2.aarch64
    samba-common-libs-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-ldb-ldap-modules-4.17.5-0.amzn2023.0.2.aarch64
    samba-test-libs-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    python3-samba-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    libsmbclient-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    python3-samba-test-4.17.5-0.amzn2023.0.2.aarch64
    samba-devel-4.17.5-0.amzn2023.0.2.aarch64
    samba-vfs-iouring-4.17.5-0.amzn2023.0.2.aarch64
    samba-common-tools-4.17.5-0.amzn2023.0.2.aarch64
    samba-test-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    libnetapi-4.17.5-0.amzn2023.0.2.aarch64
    samba-client-libs-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-common-tools-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    libsmbclient-4.17.5-0.amzn2023.0.2.aarch64
    libwbclient-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-debugsource-4.17.5-0.amzn2023.0.2.aarch64
    libwbclient-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-clients-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-clients-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-dc-libs-4.17.5-0.amzn2023.0.2.aarch64
    samba-libs-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-modules-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    python3-samba-4.17.5-0.amzn2023.0.2.aarch64
    samba-client-libs-4.17.5-0.amzn2023.0.2.aarch64
    samba-libs-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-test-4.17.5-0.amzn2023.0.2.aarch64
    samba-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-dcerpc-4.17.5-0.amzn2023.0.2.aarch64
    samba-client-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-dc-libs-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-ldb-ldap-modules-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    libsmbclient-devel-4.17.5-0.amzn2023.0.2.aarch64
    samba-krb5-printing-4.17.5-0.amzn2023.0.2.aarch64
    samba-client-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-krb5-locator-4.17.5-0.amzn2023.0.2.aarch64
    samba-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-4.17.5-0.amzn2023.0.2.aarch64
    samba-test-libs-4.17.5-0.amzn2023.0.2.aarch64
    libnetapi-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    samba-winbind-krb5-locator-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    libwbclient-devel-4.17.5-0.amzn2023.0.2.aarch64
    samba-krb5-printing-debuginfo-4.17.5-0.amzn2023.0.2.aarch64
    python3-samba-devel-4.17.5-0.amzn2023.0.2.aarch64
    samba-usershares-4.17.5-0.amzn2023.0.2.aarch64

noarch:
    samba-common-4.17.5-0.amzn2023.0.2.noarch
    samba-pidl-4.17.5-0.amzn2023.0.2.noarch

src:
    samba-4.17.5-0.amzn2023.0.2.src

x86_64:
    libwbclient-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    libsmbclient-4.17.5-0.amzn2023.0.2.x86_64
    python3-samba-4.17.5-0.amzn2023.0.2.x86_64
    samba-test-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-clients-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-client-4.17.5-0.amzn2023.0.2.x86_64
    samba-client-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-4.17.5-0.amzn2023.0.2.x86_64
    samba-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-modules-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    python3-samba-test-4.17.5-0.amzn2023.0.2.x86_64
    samba-common-tools-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-clients-4.17.5-0.amzn2023.0.2.x86_64
    samba-common-libs-4.17.5-0.amzn2023.0.2.x86_64
    samba-debugsource-4.17.5-0.amzn2023.0.2.x86_64
    samba-dcerpc-4.17.5-0.amzn2023.0.2.x86_64
    samba-common-tools-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    libnetapi-4.17.5-0.amzn2023.0.2.x86_64
    samba-test-libs-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-dcerpc-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    libsmbclient-devel-4.17.5-0.amzn2023.0.2.x86_64
    samba-libs-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    libsmbclient-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-modules-4.17.5-0.amzn2023.0.2.x86_64
    python3-samba-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    libnetapi-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-common-libs-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-devel-4.17.5-0.amzn2023.0.2.x86_64
    samba-client-libs-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-client-libs-4.17.5-0.amzn2023.0.2.x86_64
    samba-libs-4.17.5-0.amzn2023.0.2.x86_64
    samba-test-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-krb5-locator-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-test-libs-4.17.5-0.amzn2023.0.2.x86_64
    samba-dc-libs-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-ldb-ldap-modules-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    libnetapi-devel-4.17.5-0.amzn2023.0.2.x86_64
    samba-vfs-iouring-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    libwbclient-4.17.5-0.amzn2023.0.2.x86_64
    libwbclient-devel-4.17.5-0.amzn2023.0.2.x86_64
    samba-dc-libs-4.17.5-0.amzn2023.0.2.x86_64
    samba-ldb-ldap-modules-4.17.5-0.amzn2023.0.2.x86_64
    samba-winbind-krb5-locator-4.17.5-0.amzn2023.0.2.x86_64
    samba-krb5-printing-debuginfo-4.17.5-0.amzn2023.0.2.x86_64
    samba-vfs-iouring-4.17.5-0.amzn2023.0.2.x86_64
    python3-samba-devel-4.17.5-0.amzn2023.0.2.x86_64
    samba-usershares-4.17.5-0.amzn2023.0.2.x86_64
    samba-krb5-printing-4.17.5-0.amzn2023.0.2.x86_64