
Asustor Resolved Security Advisory AS-2022-016: Samba

The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.

Asustor, Inc. had published a security advisory concerning vulnerabilities in multiple versions of Samba.

Severity: Moderate
Status: Resolved

Statement
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.
CVE-2022-3437 allows remote authenticated users to bypass security constraints and conduct attacks against a susceptible version of ADM with the SMB service enabled.

CVE-2022-3592 does not affect the company's products, as this vulnerability only affects Samba 4.17 and later.

CVE-2022-42898 does not affect current Asustor products running ADM 4.1, as the remote code execution outcome of this vulnerability only applies to 32-bit systems.

  • The Samba package has been updated in ADM 4.2.0.RC81 to fix these potential vulnerabilities.

  • The Samba package has been updated in ADM 4.0.6.RCR1 to fix these potential vulnerabilities.

Affected products

Product    Severity    Fixed release availability
ADM 4.1    Moderate    Upgrade to 4.2.0.RC81 or above
ADM 4.0    Moderate    Upgrade to 4.0.6.RCR1 or above

Mitigation
Administrators can disable the SMB service to mitigate these vulnerabilities. In environments where the SMB service is still needed, changing the password used for SMB client connection authentication and choosing a strong one can serve as a temporary mitigation.

Detail

  • CVE-2022-3437

    • Severity: Moderate

    • Reserved

  • CVE-2022-3592

    • Severity: Not affected

    • Reserved

  • CVE-2022-42898

    • Severity: Not affected

    • PAC parsing in MIT Kerberos 5 (aka krb5) before 1.19.4 and 1.20.x before 1.20.1 has integer overflows that may lead to remote code execution (in KDC, kadmind, or a GSS or Kerberos application server) on 32-bit platforms (which have a resultant heap-based buffer overflow), and cause a denial of service on other platforms. This occurs in krb5_pac_parse in lib/krb5/krb/pac.c. Heimdal before 7.7.1 has ‘a similar bug.’
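The integer overflow class described for CVE-2022-42898, as an added illustration that is not krb5's or Heimdal's code: a simplified parser for the MS-PAC header (a 32-bit buffer count, a 32-bit version, then 16-byte buffer descriptors), in which lengths are held in uint32_t to model a 32-bit size_t so the wraparound reproduces on a 64-bit host. The field layout follows MS-PAC; the function names, the exact checks and the sample PAC bytes are constructed here and are not those of krb5_pac_parse in lib/krb5/krb/pac.c.

```c
#include <stdint.h>
#include <stdio.h>

/* MS-PAC header: cBuffers (u32 LE), Version (u32 LE), then cBuffers
 * PAC_INFO_BUFFER descriptors of 16 bytes each: ulType (u32),
 * cbBufferSize (u32), Offset (u64). */
#define PACTYPE_LENGTH         8u
#define PAC_INFO_BUFFER_LENGTH 16u

struct pac_buffer { uint32_t type; uint32_t size; uint64_t offset; };

static uint32_t load_u32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static uint64_t load_u64(const uint8_t *p)
{
    return (uint64_t)load_u32(p) | (uint64_t)load_u32(p + 4) << 32;
}

/* Overflow-prone header check, in the style of the bug class: the header
 * length is computed by multiplying the attacker-controlled count. Lengths
 * are uint32_t here to model a 32-bit size_t. Returns 1 if the parser would
 * accept the header and go on to read cbuffers descriptors from buf. */
int pac_header_check_unsafe(const uint8_t *buf, uint32_t len)
{
    uint32_t cbuffers, header_len;

    if (len < PACTYPE_LENGTH)
        return 0;
    cbuffers = load_u32(buf);
    header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH; /* wraps */
    return len >= header_len;
}

/* Hardened check: bound the count by how many descriptors fit in len,
 * using division so no intermediate value can overflow. */
int pac_header_check_safe(const uint8_t *buf, uint32_t len)
{
    uint32_t cbuffers;

    if (len < PACTYPE_LENGTH)
        return 0;
    cbuffers = load_u32(buf);
    if (cbuffers < 1 ||
        cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return 0;
    return 1;
}

/* Hardened parse: validates the count, then every descriptor's offset and
 * size against len before any buffer body would be touched. Returns the
 * number of descriptors, or -1 for a malformed PAC. */
int pac_parse_safe(const uint8_t *buf, uint32_t len,
                   struct pac_buffer *out, uint32_t max_out)
{
    uint32_t i, cbuffers;

    if (!pac_header_check_safe(buf, len))
        return -1;
    cbuffers = load_u32(buf);
    if (cbuffers > max_out)
        return -1;
    for (i = 0; i < cbuffers; i++) {
        const uint8_t *d = buf + PACTYPE_LENGTH + i * PAC_INFO_BUFFER_LENGTH;
        out[i].type   = load_u32(d);
        out[i].size   = load_u32(d + 4);
        out[i].offset = load_u64(d + 8);
        /* offset and size must both lie inside the PAC blob */
        if (out[i].offset > len || out[i].size > len - out[i].offset)
            return -1;
    }
    return (int)cbuffers;
}

/* Convenience wrapper: descriptor count of a PAC, or -1 if rejected. */
int pac_count(const uint8_t *buf, uint32_t len)
{
    struct pac_buffer bufs[16];
    return pac_parse_safe(buf, len, bufs, 16);
}

/* Constructed sample: cBuffers = 0x10000001, so 0x10000001 * 16 wraps to 16
 * in 32-bit arithmetic and header_len becomes 24, exactly the blob size. */
const uint8_t kMaliciousPac[24] = {
    0x01, 0x00, 0x00, 0x10,  0x00, 0x00, 0x00, 0x00,
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 0
};

/* Constructed sample: one descriptor (type 1, 4 bytes at offset 24). */
const uint8_t kBenignPac[28] = {
    0x01, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00,  0x04, 0x00, 0x00, 0x00,
    0x18, 0x00, 0x00, 0x00,  0x00, 0x00, 0x00, 0x00,
    0xde, 0xad, 0xbe, 0xef
};

int main(void)
{
    printf("malicious: unsafe=%d safe=%d\n",
           pac_header_check_unsafe(kMaliciousPac, sizeof kMaliciousPac),
           pac_header_check_safe(kMaliciousPac, sizeof kMaliciousPac));
    printf("benign: descriptors=%d\n", pac_count(kBenignPac, sizeof kBenignPac));
    return 0;
}
```

With a genuine 64-bit size_t the multiplication does not wrap, the computed header length becomes enormous and the check simply fails, which is why the advisory's description distinguishes the 32-bit heap overflow from the other platforms. The hardened check divides instead of multiplying, so the attacker-controlled count can never inflate past what the blob actually holds.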

Reference

Revision

Revision    Date          Description
1           2022-11-15    Initial public release
2           2022-12-14    Release ADM 4.2.0.RC81 to update the Samba package, fixing these potential vulnerabilities
3           2022-12-27    Release ADM 4.0.6.RCR1 to update the Samba package, fixing these potential vulnerabilities
