Samba vulnerability that allows changing the password of any user

Corrective releases of Samba 4.16.4, 4.15.9 and 4.14.14 have been published, fixing 5 vulnerabilities. The release of package updates in distributions can be tracked on the pages: Debian, Ubuntu, RHEL, SUSE, Arch, FreeBSD.

The most dangerous vulnerability (CVE-2022-32744) allows users of an Active Directory domain to change the password of any user, including the administrator's password, and thereby gain full control over the domain. The problem is caused by the KDC accepting KPASSWD requests encrypted with any known key.

A user with access to the domain can send a forged request to set a new password on behalf of another user, encrypting it with their own key, and the KDC will process it without checking that the key matches the targeted account. In particular, the keys of read-only domain controllers (RODC), which have no authority to change passwords, can also be used to send forged requests. As a workaround, KPASSWD support can be disabled by adding the line “kpasswd port = 0” to smb.conf.
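As an added defender's check (not code from the advisory or from the Samba project), the following script tests the two facts the paragraph above gives: whether a Samba version string is at or past the fixed releases 4.16.4 / 4.15.9 / 4.14.14, and whether smb.conf carries the “kpasswd port = 0” workaround. The sample smb.conf is constructed; the branch handling for versions newer than 4.16 is an assumption based on those branches having been released after the fix.

```python
"""Check a Samba AD DC for the CVE-2022-32744 fix or its smb.conf workaround."""
import re

# Fixed releases named in the advisory, one per maintained branch.
FIXED = {(4, 16): (4, 16, 4), (4, 15): (4, 15, 9), (4, 14): (4, 14, 14)}


def parse_version(text):
    """Extract (major, minor, patch) from strings like 'Version 4.15.9-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_fixed_version(text):
    """True if the upstream version number includes the fix.

    Distributions often backport fixes without bumping the version, so False
    means 'consult the distro advisory', not 'definitely vulnerable'."""
    ver = parse_version(text)
    branch = ver[:2]
    if branch in FIXED:
        return ver >= FIXED[branch]
    # Assumption: branches newer than 4.16 were cut after the fix; older
    # branches are out of support and get no fix.
    return branch > (4, 16)


def kpasswd_disabled(conf_text):
    """True if the [global] section of smb.conf sets 'kpasswd port = 0'."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank or full-line comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        if sep and section == "global" \
                and key.strip().lower() == "kpasswd port" and value.strip() == "0":
            return True
    return False


def needs_action(version_text, conf_text):
    """True when neither the fixed version nor the workaround is in place."""
    return not (is_fixed_version(version_text) or kpasswd_disabled(conf_text))


# Constructed sample smb.conf (not from a real host).
SAMPLE_CONF = """[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    kpasswd port = 0
[sysvol]
    path = /var/lib/samba/sysvol
"""
```

On a live host, feed it the output of `smbd --version` and the contents of the active smb.conf (`testparm -s` prints the effective configuration).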

Other vulnerabilities:

  • CVE-2022-32746: Active Directory users can trigger a use-after-free in the server process by sending specially crafted LDAP “Add” or “Modify” requests. The problem is caused by the audit module accessing the contents of LDAP messages after the database module has freed the memory allocated for the message. To carry out an attack, the user needs rights to add or modify certain privileged attributes, such as userAccountControl.
  • CVE-2022-2031: Active Directory users can bypass certain restrictions on the domain controller. The KDC and the KPASSWD service are able to decrypt each other's tickets, since they share one set of keys and an account. As a result, a user who has requested a password-change ticket can use that ticket to access other services.
  • CVE-2022-32745: Active Directory users can crash the server process by sending LDAP “Add” or “Modify” requests that lead to an access to uninitialized data.

Source: media reports.