Asustor Security Advisory 2022-017: Samba
Samba Team released security updates to address vulnerabilities in multiple versions of Samba.
This is a Press Release edited by StorageNewsletter.com on January 3, 2023 at 2:00 pmAsustor, Inc. had published a security advisory concerning vulnerabilities in multiple versions of Samba.
Severity: Moderate
Status: Ongoing
Statement
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.
CVE-2022-38023 allow remote authenticated users to bypass security constraint and conduct attacks via a susceptible version of ADM with SMB service enabled.
The best solution for CVE-2022-37966 should be applied on the AD Server, please refer to Mitigation for details.
CVE-2022-37967 and CVE-2022-45141 will not affect current Asustor products as this vulnerability only affect AD DC features that ADM didn’t support.
Affected products:
-
Product
Severity
Fixed release availability
ADM 4.2 and 4.1
Moderate
Ongoing
ADM 4.0
Moderate
Ongoing
Mitigation
For CVE-2022-37966:
For trusted domains you should explicitly configure the use of aes256-cts-hmac-sha1-96 support, either via the Windows GUI or the newly added ‘samba-tool domain trust modify –use-aes-keys’. For legacy trusts against Windows 2000/2003 domains you need to force rc4-hmac using ‘samba-tool domain trust modify –no-aes-keys’. Against remote DCs (including Windows) you can use the –local-dc-ipaddress= and other –local-dc-* options. See ‘samba-tool domain trust modify –help’ for further details.
Detail
- CVE-2022-37966
- Severity: Moderate
- Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.
- CVE-2022-37967
- Severity: Not affected
- Windows Kerberos Elevation of Privilege Vulnerability.
- CVE-2022-38023
- Severity: Moderate
- Netlogon RPC Elevation of Privilege Vulnerability.
- CVE-2022-45141
- Severity: Not affected
- Reserved
Reference
- Samba Security Releases
- Samba Releases Security Updates
- CVE-2022-37966
- CVE-2022-37967
- CVE-2022-38023
- CVE-2022-45141
Revision
-
Revision
Date
Description
1
2022-12-27
Initial public release