Headline
CVE-2023-0225: Samba - Security Announcement Archive
A flaw was found in Samba. An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.
CVE-2023-0225.html:
=========================================================== == Subject: Samba AD DC “dnsHostname” attribute can be deleted by unprivileged authenticated users. == == CVE ID#: CVE-2023-0225 == == Versions: Samba 4.17.0 and later versions == == Summary: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. ===========================================================
=========== Description ===========
In implementing the Validated dnsHostName permission check in Samba’s Active Directory DC, and therefore applying correctly constraints on the values of a dnsHostName value for a computer in a Samba domain (CVE-2022-32743), the case where the dnsHostName is deleted, rather than modified or added, was incorrectly handled.
Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion of the dnsHostName attribute became possible for authenticated but otherwise unprivileged users, for any object.
================== Patch Availability ==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
================== CVSSv3 calculation ==================
CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)
========== Workaround ==========
The AD DC LDAP server is a critical component of the AD DC, and it should not be disabled. However it can be disabled by setting
server services = -ldap
in the smb.conf and restarting Samba
======= Credits =======
Originally reported by Lukas Mitter of codemanufaktur GmbH.
Patches provided by Joseph Sutton and Douglas Bagnall of Catalyst and the Samba Team.
Advisory prepared by Andrew Bartlett of Catalyst and the Samba Team.
========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
Related news
Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.
Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it.