Samba AD DC "dnsHostname" attribute can be

Description

In implementing the Validated dnsHostName permission check in Samba’s
Active Directory DC, and therefore applying correctly constraints on
the values of a dnsHostName value for a computer in a Samba domain
(CVE-2022-32743), the case where the dnsHostName is deleted, rather
than modified or added, was incorrectly handled.

Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion
of the dnsHostName attribute became possible for authenticated but
otherwise unprivileged users, for any object.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)

Workaround

The AD DC LDAP server is a critical component of the AD DC, and it
should not be disabled. However it can be disabled by setting

server services = -ldap

in the smb.conf and restarting Samba

Credits

Originally reported by Lukas Mitter of codemanufaktur GmbH.

Patches provided by Joseph Sutton and Douglas Bagnall of Catalyst
and the Samba Team.

Advisory prepared by Andrew Bartlett of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team