Ubuntu 23.10 : Samba vulnerabilities (USN-6425-3)

2023-10-1800:00:00

www.tenable.com

ubuntu

samba

vulnerabilities

smb protocol

samba vfs

active directory

rpcecho server

denial of service

nessus

7.5 High

CVSS3

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

HIGH

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H

7.2 High

AI Score

Confidence

High

0.002 Low

EPSS

Percentile

51.8%

JSON

The remote Ubuntu 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-6425-3 advisory.

The vulnerability exists due to an error in the way SMB protocol implementation in Samba handles file operations. A remote user can request read-only access to files and then truncate them to 0 bytes by opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf setting acl_xattr:ignore system acls = yes. (CVE-2023-4091)
The vulnerability exists due to a design error in Samba’s implementation of the DirSync control, which can allow replication of critical domain passwords and secrets by Active Directory accounts authorized to do some replication, but not to replicate sensitive attributes. A remote user can obtain sensitive information from the AD DC and compromise the Active Directory. (CVE-2023-4154)
The vulnerability exists due to inclusion of the rpcecho server into production build, which can call sleep() on AD DC. A remote user can request the server block using the rpcecho server and perform a denial of service (DoS) attack. (CVE-2023-42669)
The vulnerability exists due to improper management of internal resources within the application when Samba RPC server is under load, which can lead to incorrect start of servers not built for the AD DC. A remote user can cause a high load to Samba RPC server and perform a denial of service (DoS) attack.
(CVE-2023-42670)

Note that Nessus has not tested for these issues but has instead relied only on the application’s self-reported version number.

#%NASL_MIN_LEVEL 80900
##
# (C) Tenable, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Ubuntu Security Notice USN-6425-3. The text
# itself is copyright (C) Canonical, Inc. See
# <https://ubuntu.com/security/notices>. Ubuntu(R) is a registered
# trademark of Canonical, Inc.
##

include('compat.inc');

if (description)
{
  script_id(183272);
  script_version("1.3");
  script_set_attribute(attribute:"plugin_modification_date", value:"2023/11/16");

  script_cve_id(
    "CVE-2023-4091",
    "CVE-2023-4154",
    "CVE-2023-42669",
    "CVE-2023-42670"
  );
  script_xref(name:"IAVA", value:"2023-A-0535");
  script_xref(name:"USN", value:"6425-3");

  script_name(english:"Ubuntu 23.10 : Samba vulnerabilities (USN-6425-3)");

  script_set_attribute(attribute:"synopsis", value:
"The remote Ubuntu host is missing one or more security updates.");
  script_set_attribute(attribute:"description", value:
"The remote Ubuntu 23.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the
USN-6425-3 advisory.

  - The vulnerability exists due to an error in the way SMB protocol implementation in Samba handles file
    operations. A remote user can request read-only access to files and then truncate them to 0 bytes by
    opening files with OVERWRITE disposition when using the acl_xattr Samba VFS module with the smb.conf
    setting acl_xattr:ignore system acls = yes. (CVE-2023-4091)

  - The vulnerability exists due to a design error in Samba's implementation of the DirSync control, which can
    allow replication of critical domain passwords and secrets by Active Directory accounts authorized to do
    some replication, but not to replicate sensitive attributes. A remote user can obtain sensitive
    information from the AD DC and compromise the Active Directory. (CVE-2023-4154)

  - The vulnerability exists due to inclusion of the rpcecho server into production build, which can call
    sleep() on AD DC. A remote user can request the server block using the rpcecho server and perform a
    denial of service (DoS) attack. (CVE-2023-42669)

  - The vulnerability exists due to improper management of internal resources within the application when
    Samba RPC server is under load, which can lead to incorrect start of servers not built for the AD DC. A
    remote user can cause a high load to Samba RPC server and perform a denial of service (DoS) attack.
    (CVE-2023-42670)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version
number.");
  script_set_attribute(attribute:"see_also", value:"https://ubuntu.com/security/notices/USN-6425-3");
  script_set_attribute(attribute:"solution", value:
"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:U/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2023-4154");

  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"vuln_publication_date", value:"2023/10/10");
  script_set_attribute(attribute:"patch_publication_date", value:"2023/10/17");
  script_set_attribute(attribute:"plugin_publication_date", value:"2023/10/18");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:23.10");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ctdb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:ldb-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libldb-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libldb2");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libnss-winbind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libpam-winbind");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libsmbclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libsmbclient-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwbclient-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libwbclient0");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3-ldb");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3-ldb-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:python3-samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:registry-tools");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-ad-dc");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-ad-provision");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-common");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-common-bin");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-dev");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-dsdb-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-testsuite");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:samba-vfs-modules");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:smbclient");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:winbind");
  script_set_attribute(attribute:"generated_plugin", value:"current");
  script_set_attribute(attribute:"stig_severity", value:"I");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"Ubuntu Local Security Checks");

  script_copyright(english:"Ubuntu Security Notice (C) 2023 Canonical, Inc. / NASL script (C) 2023 and is owned by Tenable, Inc. or an Affiliate thereof.");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");

  exit(0);
}

include('debian_package.inc');

if ( ! get_kb_item('Host/local_checks_enabled') ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
var os_release = get_kb_item('Host/Ubuntu/release');
if ( isnull(os_release) ) audit(AUDIT_OS_NOT, 'Ubuntu');
os_release = chomp(os_release);
if (! ('23.10' >< os_release)) audit(AUDIT_OS_NOT, 'Ubuntu 23.10', 'Ubuntu ' + os_release);
if ( ! get_kb_item('Host/Debian/dpkg-l') ) audit(AUDIT_PACKAGE_LIST_MISSING);

var cpu = get_kb_item('Host/cpu');
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ('x86_64' >!< cpu && cpu !~ "^i[3-6]86$" && 's390' >!< cpu && 'aarch64' >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, 'Ubuntu', cpu);

var pkgs = [
    {'osver': '23.10', 'pkgname': 'ctdb', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'ldb-tools', 'pkgver': '2:2.7.2+samba4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libldb-dev', 'pkgver': '2:2.7.2+samba4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libldb2', 'pkgver': '2:2.7.2+samba4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libnss-winbind', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libpam-winbind', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libsmbclient', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libsmbclient-dev', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libwbclient-dev', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'libwbclient0', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'python3-ldb', 'pkgver': '2:2.7.2+samba4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'python3-ldb-dev', 'pkgver': '2:2.7.2+samba4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'python3-samba', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'registry-tools', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-ad-dc', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-ad-provision', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-common', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-common-bin', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-dev', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-dsdb-modules', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-libs', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-testsuite', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'samba-vfs-modules', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'smbclient', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'},
    {'osver': '23.10', 'pkgname': 'winbind', 'pkgver': '2:4.18.6+dfsg-1ubuntu2.1'}
];

var flag = 0;
foreach package_array ( pkgs ) {
  var osver = NULL;
  var pkgname = NULL;
  var pkgver = NULL;
  if (!empty_or_null(package_array['osver'])) osver = package_array['osver'];
  if (!empty_or_null(package_array['pkgname'])) pkgname = package_array['pkgname'];
  if (!empty_or_null(package_array['pkgver'])) pkgver = package_array['pkgver'];
  if (osver && pkgname && pkgver) {
    if (ubuntu_check(osver:osver, pkgname:pkgname, pkgver:pkgver)) flag++;
  }
}

if (flag)
{
  security_report_v4(
    port       : 0,
    severity   : SECURITY_WARNING,
    extra      : ubuntu_report_get()
  );
  exit(0);
}
else
{
  var tested = ubuntu_pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, 'ctdb / ldb-tools / libldb-dev / libldb2 / libnss-winbind / etc');
}

VendorProductVersionCPE
canonicalubuntu_linuxsamba-ad-dcp-cpe:/a:canonical:ubuntu_linux:samba-ad-dc
canonicalubuntu_linuxsamba-ad-provisionp-cpe:/a:canonical:ubuntu_linux:samba-ad-provision
canonicalubuntu_linuxsamba-commonp-cpe:/a:canonical:ubuntu_linux:samba-common
canonicalubuntu_linuxsamba-common-binp-cpe:/a:canonical:ubuntu_linux:samba-common-bin
canonicalubuntu_linuxsamba-devp-cpe:/a:canonical:ubuntu_linux:samba-dev
canonicalubuntu_linuxsamba-dsdb-modulesp-cpe:/a:canonical:ubuntu_linux:samba-dsdb-modules
canonicalubuntu_linuxsamba-libsp-cpe:/a:canonical:ubuntu_linux:samba-libs
canonicalubuntu_linux23.10cpe:/o:canonical:ubuntu_linux:23.10
canonicalubuntu_linuxctdbp-cpe:/a:canonical:ubuntu_linux:ctdb
canonicalubuntu_linuxldb-toolsp-cpe:/a:canonical:ubuntu_linux:ldb-tools

Vendor	Product	Version	CPE
canonical	ubuntu_linux	samba-ad-dc	p-cpe:/a:canonical:ubuntu_linux:samba-ad-dc
canonical	ubuntu_linux	samba-ad-provision	p-cpe:/a:canonical:ubuntu_linux:samba-ad-provision
canonical	ubuntu_linux	samba-common	p-cpe:/a:canonical:ubuntu_linux:samba-common
canonical	ubuntu_linux	samba-common-bin	p-cpe:/a:canonical:ubuntu_linux:samba-common-bin
canonical	ubuntu_linux	samba-dev	p-cpe:/a:canonical:ubuntu_linux:samba-dev
canonical	ubuntu_linux	samba-dsdb-modules	p-cpe:/a:canonical:ubuntu_linux:samba-dsdb-modules
canonical	ubuntu_linux	samba-libs	p-cpe:/a:canonical:ubuntu_linux:samba-libs
canonical	ubuntu_linux	23.10	cpe:/o:canonical:ubuntu_linux:23.10
canonical	ubuntu_linux	ctdb	p-cpe:/a:canonical:ubuntu_linux:ctdb
canonical	ubuntu_linux	ldb-tools	p-cpe:/a:canonical:ubuntu_linux:ldb-tools