Published corrective releases package Samba 4.15.2, 4.14.10 and 4.13.14 with the elimination of 8 vulnerabilities, most of which can lead to a complete compromise of the Active Directory domain. It is noteworthy that one of the problems were corrected in 2016, and five – from 2020, though one correction led to the inability to run winbindd in the presence settings “allow trusted domains = no” (the developers intend to promptly publish another update to fix). The release of package updates in distributions can be tracked on the pages: Debian , Ubuntu , RHEL , SUSE , Fedora , Arch ,FreeBSD .
BusyBox security analysis reveals 14 minor vulnerabilities
Fixed vulnerabilities:
- CVE-2020-25717 – due to a flaw in the logic of mapping domain users to local system users, an Active Directory domain user who has the ability to create new accounts on his system, managed through ms-DS-MachineAccountQuota, could gain root access to others systems included in the domain.
- CVE-2021-3738 – access to an already freed memory area (Use after free) in the implementation of the Samba AD DC RPC server (dsdb), which can potentially lead to privilege escalation when manipulating connection setup.
- CVE-2016-2124 – client connections established using the SMB1 protocol could be transferred to the transmission of authentication parameters in plain text or via NTLM (for example, to determine credentials for MITM attacks), even if the user or application is configured mandatory authentication via Kerberos.
- CVE-2020-25722 – Proper storage access checks were not performed on a Samba-based Active Directory domain controller, allowing any user to bypass credentials and completely compromise the domain.
- CVE-2020-25718 – Kerberos tickets issued by the RODC (Read-only domain controller) were not correctly isolated in the Samba-based Active Directory domain controller, which could be used to obtain administrator tickets from the RODC without having the authority to do so.
- CVE-2020-25719 – Samba-based Active Directory domain controller did not always take into account SID and PAC fields in Kerberos tickets in the bundle (when setting “gensec: require_pac = true”, only the name was checked, and PAC was not taken into account), which allowed the user , who has the right to create accounts on the local system, impersonate another user in the domain, including a privileged one.
- CVE-2020-25721 – for users authenticated using Kerberos, not always unique identifiers for Active Directory (objectSid) were issued, which could lead to intersections of one user with another.
- CVE-2021-23192 – During the MITM attack, it was possible to spoof fragments in large DCE / RPC requests that were split into several parts.
