-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2022.3706
      Samba AD users can forge password change requests for any user
                               29 July 2022

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Samba
Publisher:         Samba
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Resolution:        Patch/Upgrade
CVE Names:         CVE-2022-32744  

Original Bulletin: 
   https://www.samba.org/samba/security/CVE-2022-32744.html

Comment: CVSS (Max):  8.8 CVE-2022-32744 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
         CVSS Source: Red Hat
         Calculator:  https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

- --------------------------BEGIN INCLUDED TEXT--------------------

===========================================================
== Subject:     Samba AD users can forge password change requests for
==              any user.
==
== CVE ID#:     CVE-2022-32744
==
== Versions:    Samba 4.3 and later
==
== Summary:     The KDC accepts kpasswd requests encrypted with any
==              key known to it. By encrypting forged kpasswd requests
==              with its own key, a user can change the passwords of
==              other users, enabling full domain takeover.
===========================================================

===========
Description
===========

Tickets received by the kpasswd service were decrypted without
specifying that only that service's own keys should be tried. By
setting the ticket's server name to a principal associated with their
own account, or by exploiting a fallback where known keys would be
tried until a suitable one was found, an attacker could have the
server accept tickets encrypted with any key, including their own.

A user could thus change the password of the Administrator account and
gain total control over the domain. Full loss of confidentiality and
integrity would be possible, as well as of availability by denying
users access to their accounts.

In addition, the kpasswd service would accept tickets encrypted by the
krbtgt key of an RODC, in spite of the fact that RODCs should not have
been able to authorise password changes.
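The following is an added illustration, not code from Samba or from this advisory. It is a toy model in which a keyed HMAC stands in for Kerberos ticket encryption and a small dictionary stands in for the KDC's key store (both constructed; the principal names and keys are assumptions). It contrasts the two pre-fix paths the description mentions, choosing the key from the ticket's own server name and falling back across every known key, with the corrected rule of trying only the kpasswd service's own key, under which a ticket made with a user's key or an RODC's krbtgt key is rejected:

```python
"""Toy model of the key-selection flaw behind CVE-2022-32744.

Constructed example: a keyed HMAC stands in for Kerberos ticket encryption so
that the decision the advisory describes (which keys the kpasswd service is
willing to try when decrypting a ticket) can be exercised offline.
"""
import hashlib
import hmac
from typing import Optional

# Constructed key database: principal name -> long-term key known to the KDC.
KEYS = {
    "kadmin/changepw": b"kpasswd-service-key",       # the kpasswd service's own key
    "krbtgt/EXAMPLE.COM": b"dc-krbtgt-key",
    "krbtgt/EXAMPLE.COM/RODC1": b"rodc-krbtgt-key",  # krbtgt key held by an RODC
    "alice": b"alice-key",                           # an ordinary domain user
}
KPASSWD_PRINCIPAL = "kadmin/changepw"


def make_ticket(sname: str, key: bytes, body: bytes) -> dict:
    """Build a ticket for server `sname`, 'encrypted' (authenticated) under `key`."""
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return {"sname": sname, "body": body, "tag": tag}


def key_fits(ticket: dict, key: bytes) -> bool:
    """Stand-in for 'does this key decrypt the ticket?'."""
    expected = hmac.new(key, ticket["body"], hashlib.sha256).digest()
    return hmac.compare_digest(expected, ticket["tag"])


def vulnerable_decrypt(ticket: dict) -> Optional[str]:
    """Pre-fix behaviour: pick the key named by the ticket's own (client-chosen)
    server name, then fall back to trying every key the KDC knows.
    Returns the principal whose key opened the ticket, or None."""
    key = KEYS.get(ticket["sname"])
    if key is not None and key_fits(ticket, key):
        return ticket["sname"]
    for name, key in KEYS.items():       # the fallback the advisory describes
        if key_fits(ticket, key):
            return name
    return None


def fixed_decrypt(ticket: dict) -> Optional[str]:
    """Post-fix behaviour: only the kpasswd service's own key is ever tried, so a
    ticket made under a user's key or an RODC's krbtgt key is rejected."""
    if ticket["sname"] == KPASSWD_PRINCIPAL and key_fits(ticket, KEYS[KPASSWD_PRINCIPAL]):
        return KPASSWD_PRINCIPAL
    return None


if __name__ == "__main__":
    body = b"kpasswd request body"
    genuine = make_ticket(KPASSWD_PRINCIPAL, KEYS[KPASSWD_PRINCIPAL], body)
    forged = make_ticket("alice", KEYS["alice"], body)
    for label, t in (("genuine", genuine), ("forged", forged)):
        print(label, "vulnerable:", vulnerable_decrypt(t), "fixed:", fixed_decrypt(t))
```

The security-relevant line is the loop in vulnerable_decrypt: any component that decrypts with "whatever key works" has delegated the authentication decision to the sender. The fix pins the key to the service's identity rather than to a name the client supplied.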

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

==========
Workaround
==========

kpasswd is not a critical protocol for the AD DC in most installations; it can
be disabled by setting "kpasswd port = 0" in smb.conf.
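As an added example covering both the Patch Availability and Workaround sections (this is not Samba's or AusCERT's code), the check below classifies a Samba version string against the security releases named above and tests whether the kpasswd workaround is set in the [global] section of an smb.conf. The version strings and configuration text are constructed samples; the assumption that branches newer than 4.16 carry the fix, and the handling of smb.conf parameter names (case-insensitive, whitespace ignored, '#' and ';' comments), are the author's, not statements from the advisory:

```python
"""Remediation check for CVE-2022-32744 (added example, not Samba's own code).

Two questions an administrator wants answered: is this Samba at or above the
security release for its branch, and if not, is the advisory's kpasswd
workaround in place?  The fixed-version numbers come from the advisory; the
sample inputs below are constructed.
"""
import re
from typing import Optional, Tuple

# First fixed release per branch, as listed in the advisory.
FIXED = {(4, 16): 4, (4, 15): 9, (4, 14): 14}
FIRST_AFFECTED = (4, 3)          # "Samba 4.3 and later"


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract major.minor.patch from output such as 'Version 4.15.8-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def version_status(text: str) -> str:
    """Classify a version string: 'fixed', 'vulnerable', 'unaffected' or 'unknown'.

    Caveat: distributions backport fixes without bumping the upstream version,
    so 'vulnerable' means 'check the vendor changelog', not a final verdict.
    """
    v = parse_version(text)
    if v is None:
        return "unknown"
    major, minor, patch = v
    if (major, minor) < FIRST_AFFECTED:
        return "unaffected"
    fixed_patch = FIXED.get((major, minor))
    if fixed_patch is not None:
        return "fixed" if patch >= fixed_patch else "vulnerable"
    if (major, minor) > max(FIXED):
        return "fixed"       # assumption: branches after 4.16 were released with the fix
    return "vulnerable"      # 4.3 .. 4.13: no security release, apply the posted patch


def kpasswd_disabled(smb_conf: str) -> bool:
    """True if [global] sets 'kpasswd port = 0', the advisory's workaround.

    Assumed smb.conf conventions: parameter names are case-insensitive and
    whitespace in them is ignored; '#' and ';' start comments.
    """
    in_global = False
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            if key.lower().replace(" ", "") == "kpasswdport":
                return value == "0"
    return False


def needs_action(version_text: str, smb_conf: str) -> bool:
    """A DC needs attention when it runs a vulnerable version with kpasswd still enabled."""
    return version_status(version_text) == "vulnerable" and not kpasswd_disabled(smb_conf)


if __name__ == "__main__":
    # Constructed sample inputs; on a real DC feed in `smbd --version` output
    # and the contents of smb.conf.
    sample_version = "Version 4.15.8-Ubuntu"
    sample_conf = "[global]\n    realm = EXAMPLE.COM\n    kpasswd port = 0\n[sysvol]\n"
    print(version_status(sample_version), kpasswd_disabled(sample_conf),
          needs_action(sample_version, sample_conf))
```

The workaround test deliberately looks only at [global]: "kpasswd port" set in a share section has no effect, so reporting it as protection would be a false negative in the other direction.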

=======
Credits
=======

Initial report, patches, and this advisory by Joseph Sutton of
Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://auscert.org.au/gpg-key/
-----END PGP SIGNATURE-----