How to Fix the 4 High-Severity Vulnerabilities in Samba

On 15th December 2022, Samba released patches for four high-severity vulnerabilities. Three of them, CVE-2022-38023, CVE-2022-37966, and CVE-2022-37967, were disclosed by Microsoft on 8th November 2022, because the same protocol weaknesses affect Windows Active Directory; the fourth, CVE-2022-45141, is specific to Heimdal builds of the Samba Active Directory Domain Controller. Exploiting these flaws lets an attacker escalate privileges inside an Active Directory domain, up to domain administrator. Let's see the summary, a few technical details, and finally how to fix the 4 high-severity vulnerabilities in Samba in this post.

Introduction to Samba

If you're a Linux user, you've likely heard of Samba. Samba is a free, open-source Windows interoperability suite for Linux, Unix, and macOS that implements the SMB/CIFS protocols and the Active Directory protocols, so that Linux hosts can take part in Windows networks. With Samba, you can connect to Windows machines and access shared files, printers, and other resources. Samba can also act as a file server, a print server, and an Active Directory domain controller. This makes it useful for anyone who needs to build and maintain a secure network spanning Windows and Linux systems.

Samba as an Active Directory Domain Controller

The Active Directory Domain Controller (AD DC) is an important component of the Microsoft Windows server architecture. It provides a centralized system for managing user accounts, network resources, and security policies. It enables users to access those resources from any computer connected to the domain controller via a secure connection.

Samba provides the same service for Linux, allowing a Linux host to act as an Active Directory Domain Controller (AD DC). With Samba, Linux users get the same access controls and security policies available from Windows-based systems, and administrators can manage Windows and Linux machines in a single domain.

Samba authenticates users with Kerberos, the authentication protocol Active Directory is built on; that dependency is why the vulnerabilities covered here sit in Kerberos and in the closely related Netlogon secure channel. With Samba, you can create user and group accounts, manage group policies, establish trust relationships with other domains, replicate directory data with other DCs, and much more. Samba also lets Linux servers join an Active Directory domain as domain members and use its features, such as domain authentication and group policies.

It’s a great tool for those who want to manage their own domain without having to invest in Microsoft’s Windows Server or other pricey solutions. All these features make Samba an excellent way to integrate Linux systems into existing Microsoft networks and provide a seamless experience for users working on both Windows and Linux computers.

Summary of the 4 High-Severity Vulnerabilities in Samba

The vulnerabilities tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141 carry CVSS v3.1 base scores between 7.2 and 8.1. Three of them exploit the weak RC4-HMAC (MD5-based) cryptography used in the NetLogon Secure Channel and in Kerberos; the fourth, CVE-2022-37967, lets a service account with constrained delegation forge a more powerful ticket. For CVE-2022-38023 and CVE-2022-37966 the attacker needs no credentials at all, only an active (man-in-the-middle) position on the network path between client and Samba AD DC. Let's look at all four high-severity vulnerabilities in Samba one after another.

CVE-2022-38023:

The flaw lies in the cryptographic scheme that protects the NetLogon Secure Channel: the RC4/MD5-based signing scheme, which is the same construction as the Kerberos rc4-hmac cipher. It is exploitable when RPC signing is used rather than RPC sealing, that is, when the Netlogon traffic is integrity-protected but not encrypted. An attacker who can actively intercept that traffic can modify Netlogon protocol messages without the modification being detected, and use that to elevate privileges. Successful exploitation gives the attacker administrator privileges in the domain. Full technical details are in the Samba advisory for this CVE (linked in the workaround table below).

“The weakness on NetLogon Secure channel is that the secure checksum is calculated as HMAC-MD5(MD5(DATA),KEY), meaning that an active attacker knowing the plaintext data could create a different chosen DATA, with the same MD5 checksum, and substitute it into the data stream without being detected.”

-Samba
Associated CVE ID: CVE-2022-38023
Description: A high-severity privilege escalation vulnerability in the NetLogon Secure Channel
CVSS Score: 8.1 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.2
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVE-2022-37966:

The flaw lies in the Kerberos rc4-hmac cipher, whose checksum is built the same way as the Netlogon one above. It is exploitable wherever rc4-hmac is used to protect signed-but-unencrypted data. Setting 'kerberos encryption types = legacy' on Samba AD DCs and domain members makes this certain, because that setting forces rc4-hmac on the client side even when the server supports aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96. Successful exploitation would allow the attacker to gain administrator privileges. Full technical details are in the Samba advisory for this CVE.

“The kerberos rc4-hmac (also known as arcfour-hmac-md5) cipher is weak, as the checksum is calculated as HMAC-MD5(MD5(DATA), KEY) meaning that an active attacker knowing the plaintext data could create a different chosen DATA, with the same MD5 checksum, and substitute it into an signed but un-encrypted data stream without being detected. (Encrypted connections, which are more typical, are not impacted).

Because of the earlier MD5 step, the protection of the HMAC is bypassed and an attacker does not need to know the key.”

– samba
Associated CVE ID: CVE-2022-37966
Description: A high-severity privilege escalation vulnerability in Kerberos
CVSS Score: 8.1 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.2
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
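To make the weakness quoted for CVE-2022-38023 and CVE-2022-37966 concrete, here is an added example written for this post (it is not Samba's code and not from the advisories). It models the checksum construction both advisories describe, HMAC-MD5(MD5(DATA), KEY), beside ordinary HMAC-MD5 over the data, using the public Wang et al. (2004) MD5 collision pair as constructed input and a made-up key. The model leaves out the key-derivation and usage details of the real rc4-hmac and Netlogon schemes; what it shows is that the keyed step only ever sees MD5(DATA), so any two messages with the same MD5 carry the same checksum, and the attacker needs no key to find them.

```python
import hashlib
import hmac

# Constructed demo key. The attack below never touches it; that is the point.
DEMO_KEY = b"netlogon-or-kerberos-session-key"

# Two distinct 128-byte messages with the same MD5 digest: the public
# Wang et al. (2004) collision pair, used here as constructed sample data.
DATA = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab58712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e488832571415a085125e8f7cdc99fd91dbdf280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e2b487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080a80d1ec69821bcb6a8839396f9652b6ff72a70"
)
CHOSEN_DATA = bytes.fromhex(
    "d131dd02c5e6eec4693d9a0698aff95c2fcab50712467eab4004583eb8fb7f89"
    "55ad340609f4b30283e4888325f1415a085125e8f7cdc99fd91dbd7280373c5b"
    "d8823e3156348f5bae6dacd436c919c6dd53e23487da03fd02396306d248cda0"
    "e99f33420f577ee8ce54b67080280d1ec69821bcb6a8839396f965ab6ff72a70"
)


def md5_hex(data):
    """Hex MD5 of data, exposed for checks."""
    return hashlib.md5(data).hexdigest()


def weak_checksum(key, data):
    """The construction the advisories describe: HMAC-MD5(MD5(DATA), KEY).
    The keyed step only ever sees the 16-byte MD5 of the data."""
    return hmac.new(key, hashlib.md5(data).digest(), hashlib.md5).digest()


def plain_hmac_md5(key, data):
    """Ordinary HMAC-MD5 over the data itself, for contrast. The key is mixed
    into the hash state before the data, so a collision computed for the
    standard MD5 IV does not carry over."""
    return hmac.new(key, data, hashlib.md5).digest()


def attacker_can_substitute(original, substitute):
    """All an active attacker checks before swapping DATA for a chosen DATA'
    in a signed-but-unencrypted stream. No key appears anywhere."""
    return hashlib.md5(original).digest() == hashlib.md5(substitute).digest()


def receiver_accepts(key, data, checksum, construction):
    """The receiving side recomputes the checksum with its key and compares."""
    return hmac.compare_digest(construction(key, data), checksum)


def run_demo(key=DEMO_KEY):
    """Sign DATA, let the attacker substitute CHOSEN_DATA, and see what each
    construction does with the forgery. Returns the outcomes for inspection."""
    suffix = b"\x00" * 8  # chosen trailing bytes appended by the attacker
    return {
        "collision_found": attacker_can_substitute(DATA, CHOSEN_DATA),
        "weak_accepts_forgery": receiver_accepts(
            key, CHOSEN_DATA, weak_checksum(key, DATA), weak_checksum),
        "hmac_accepts_forgery": receiver_accepts(
            key, CHOSEN_DATA, plain_hmac_md5(key, DATA), plain_hmac_md5),
        # Same-length MD5 collisions share the internal hash state, so any
        # common suffix keeps them colliding: the forgery survives extension.
        "weak_accepts_extended_forgery": receiver_accepts(
            key, CHOSEN_DATA + suffix, weak_checksum(key, DATA + suffix), weak_checksum),
    }
```

The extended-forgery result goes one step beyond the quoted text: because the two messages leave MD5 in the same internal state, the attacker can append chosen bytes to both and the weak checksum still verifies. Per RFC 4757 the real rc4-hmac checksum hashes a 4-byte usage value ahead of the data, so this exact pair would not drop straight into a live stream; a collision computed for that prefix would, and the construction's flaw is the same.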

CVE-2022-37967:

The flaw is a high-severity privilege escalation vulnerability in Kerberos. It is exploitable when an attacker already controls a service account that has been granted constrained delegation permission (hence Privileges Required: High in the CVSS vector). Such an account could forge a more powerful ticket than the one it was presented with, and so gain administrator privileges. Full technical details are in the Samba advisory for this CVE.

Description of CVE-2022-37967 (Source: samba)
Associated CVE ID: CVE-2022-37967
Description: A high-severity privilege escalation vulnerability in Kerberos
CVSS Score: 7.2 High
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 1.2
Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): High
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

CVE-2022-45141:

The flaw exists in the Heimdal-based KDC bundled with older Samba AD DC releases (before 4.16). It allows the requesting party to select the encryption type and so obtain a ticket encrypted with rc4-hmac even though the target account has stronger AES keys. That undermines the protection that moving to AES is meant to give: such a ticket is guarded only by the weak rc4-hmac cipher discussed under CVE-2022-37966, even though the server supports better encryption types. Full technical details are in the Samba advisory for this CVE.

Description of CVE-2022-45141 (Source: samba)
Associated CVE ID: CVE-2022-45141
Description: A high-severity vulnerability in Kerberos ticket issuance by a Samba Active Directory domain controller using Heimdal
CVSS Score: 8.1 High
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Impact Score: 5.9
Exploitability Score: 2.2
Attack Vector (AV): Network
Attack Complexity (AC): High
Privileges Required (PR): None
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High

Samba Versions Affected by These Vulnerabilities:

This table lists the Samba versions affected by each vulnerability.

Vulnerability    | Severity | Affected Samba Versions
CVE-2022-38023   | 8.1 High | All versions of Samba
CVE-2022-37966   | 8.1 High | All versions of Samba using Kerberos
CVE-2022-37967   | 7.2 High | All versions of the Samba AD DC
CVE-2022-45141   | 8.1 High | Heimdal builds of the Samba AD DC prior to Samba 4.16

How to Fix the 4 High-Severity Vulnerabilities in Samba?

Samba has released patches to fix all four vulnerabilities. The flaws are fixed in Samba 4.15.13, 4.16.8, and 4.17.4 (CVE-2022-45141 is only relevant to the 4.15.13 update, since 4.16 and later are not affected by it). Samba users are urged to update to these versions or later.

For those who can't immediately apply the patch, there are workarounds. Where a workaround exists, it amounts to refusing the weak RC4/MD5-based schemes, so it will cause authentication failures for legacy clients that cannot use AES. Please refer to the workaround section of the Samba security advisory for each vulnerability before implementing it.

Vulnerability    | Advisory and workaround
CVE-2022-38023   | https://www.samba.org/samba/security/CVE-2022-38023.html
CVE-2022-37966   | https://www.samba.org/samba/security/CVE-2022-37966.html
CVE-2022-37967   | https://www.samba.org/samba/security/CVE-2022-37967.html
CVE-2022-45141   | https://www.samba.org/samba/security/CVE-2022-45141.html
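As an added illustration of what "refusing the weak schemes" means in smb.conf, here is a fragment assembled for this post from documented smb.conf(5) parameters; it is not copied from the advisories, so confirm the exact workaround text on the pages above before relying on it. The first [global] block shows the settings that leave the weak RC4/MD5 schemes negotiable, the second the hardened settings; they are alternatives, not one file.

```ini
# Vulnerable posture: the weak RC4/MD5-based schemes stay negotiable.
[global]
    # Netlogon secure channel: clients may still use RC4/MD5 signing
    # (the scheme attacked by CVE-2022-38023).
    reject md5 clients = no
    # Kerberos: force rc4-hmac even where AES keys exist; this is the exact
    # condition named above for CVE-2022-37966.
    kerberos encryption types = legacy

# Hardened posture: refuse RC4/MD5 and negotiate AES only.
[global]
    # On a Samba AD DC: refuse Netlogon clients that can only do RC4/MD5.
    # Legacy members that cannot use AES will fail to authenticate.
    reject md5 clients = yes
    # On a Samba domain member (option present in the patched releases):
    # refuse DCs that only offer RC4/MD5 for the secure channel.
    reject md5 servers = yes
    # Offer and accept only the AES Kerberos encryption types
    # (aes128-cts-hmac-sha1-96 and aes256-cts-hmac-sha1-96).
    kerberos encryption types = strong
```

After changing these settings, run testparm to validate the file and restart the Samba services; then watch the logs for legacy clients that stop authenticating, because those are exactly the hosts the weak schemes were protecting badly.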

Upgrading Samba on Ubuntu

We are going to show you how to upgrade Samba on an Ubuntu server. For other distributions, please check the distribution's own security advisories or contact its support.

Time needed: 10 minutes

  1. Check the Samba version on Linux

    The first thing to check is the version of Samba running on your server. Any of these commands prints it (smbstatus needs a running smbd and shows the version in its header; smbd -V works without root):

    $ sudo smbstatus
    OR
    $ smbd -V
    OR
    $ smbd --version

    On our server, we have v4.15.6, which is vulnerable to all four vulnerabilities.

  2. Add Samba PPA to your system

    Use this PPA repo to upgrade or install Samba on Ubuntu Linux.

    PPA Repository: A PPA (Personal Package Archive) is a software repository for Ubuntu and other Debian-based distributions. It allows developers to create, host, and maintain their own packages, which users can download and install on their systems. PPA repositories are hosted on Launchpad, Canonical's open-source hosting site for free software projects.

    Users can add PPA repositories to their systems with the add-apt-repository command in the terminal, or by adding the repository address in the Software & Updates application. Once added, packages from a PPA can be installed and updated like any other Ubuntu package.

    One caveat before adding it: a PPA is maintained by a third party, not by Ubuntu's security team, and you are trusting its owner with root-level package installs. Ubuntu ships its own fixes through the normal security pocket, often as backports that keep the older upstream version number, so first check whether a plain sudo apt update && sudo apt upgrade already offers a samba package whose changelog (apt changelog samba) names these CVEs before reaching for a PPA.

    $ sudo add-apt-repository ppa:linux-schools/samba-latest

  3. Update repository

    Refresh the package index with the command below.

    $ sudo apt-get update

  4. Upgrade or Install Samba from PPA

    Install or upgrade Samba like a regular package. apt picks the newest version available across the configured repositories, so with the PPA enabled this pulls the patched build.

    $ sudo apt install samba

    OR, to upgrade only if Samba is already installed:

    $ sudo apt install --only-upgrade samba

  5. Check the Samba version on Linux upon upgrade

    Check the version again. If everything went well, you will see the latest available version of Samba on your machine. Compare it against the fixed releases: 4.15.13, 4.16.8, 4.17.4, or anything newer.

    $ sudo smbstatus

    OR

    $ smbd -V

    OR

    $ smbd --version
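Comparing the version by eye is error-prone because the fixed release differs per branch (4.15.13 is fixed, 4.16.7 is not, although it is "higher"). Here is an added helper written for this post, not a Samba or Ubuntu tool, that parses the output of smbd -V and reports which of the four CVEs an upstream Samba of that version is still exposed to. The per-branch thresholds and the 4.16 cut-off for CVE-2022-45141 come from the tables above; the function names and the sample string are this post's own. The check is by upstream version number only: a distribution that backports the fixes without bumping the version will be reported as exposed, so treat the result as a prompt to read the package changelog, not as the final word.

```python
import re
import subprocess

# Upstream releases that fix the December 2022 Samba advisories, per
# branch maintained at the time. Branches older than 4.15 got no fix.
FIXED_RELEASES = {
    (4, 15): (4, 15, 13),
    (4, 16): (4, 16, 8),
    (4, 17): (4, 17, 4),
}
NEWEST_FIXED_BRANCH = max(FIXED_RELEASES)

RC4_AND_KERBEROS_CVES = ["CVE-2022-38023", "CVE-2022-37966", "CVE-2022-37967"]
HEIMDAL_CVE = "CVE-2022-45141"  # Heimdal builds of the AD DC before 4.16 only


def parse_version(text):
    """Pull (major, minor, patch) out of 'smbd -V' or 'smbstatus' output such
    as 'Version 4.15.6-Ubuntu'. Distro suffixes are ignored on purpose."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def unpatched_cves(version):
    """Return the CVEs from this advisory set that an upstream Samba of this
    version is still exposed to, judged by version number alone."""
    branch = version[:2]
    if branch > NEWEST_FIXED_BRANCH:
        # 4.18 and later were released after the fixes and include them.
        patched = True
    elif branch in FIXED_RELEASES:
        patched = version >= FIXED_RELEASES[branch]
    else:
        # 4.14 and older were end-of-life; no fixed release exists for them.
        patched = False

    exposed = [] if patched else list(RC4_AND_KERBEROS_CVES)
    if not patched and branch < (4, 16):
        exposed.append(HEIMDAL_CVE)
    return exposed


def check_running_samba():
    """Run 'smbd -V' on this host and report what it is still exposed to."""
    output = subprocess.run(["smbd", "-V"], capture_output=True,
                            text=True, check=True).stdout
    return unpatched_cves(parse_version(output))


if __name__ == "__main__":
    exposed = check_running_samba()
    print("patched" if not exposed else "still exposed to: " + ", ".join(exposed))
```

Run it before and after the upgrade; on the 4.15.6 host from step 1 it lists all four CVEs, and after moving to 4.15.13 or a newer branch it prints "patched".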

We hope this post helped you understand the summary, a few technical details, and finally how to fix the 4 high-severity vulnerabilities in Samba. Thanks for reading this threat post. Please share it and help to secure the digital world.


About the author

Arun KL

Arun KL is a cybersecurity professional with 15+ years of experience spanning IT infrastructure, cloud security, vulnerability management, Penetration Testing, security operations, and incident response. He is adept at designing and implementing robust security solutions to safeguard systems and data. Arun holds multiple industry certifications including CCNA, CCNA Security, RHCE, CEH, and AWS Security.

To know more about him, you can visit his profile on LinkedIn.
