WORM vfs module does not block overwrites

Description The vfsworm module is intended to make files immutable over SMB a short time after they are created. The time window in which they are writable is configurable, defaulting to one hour. The hook that handles renames was checking that the file being renamed was still mutable, but it was...

auto-enrolment GPO installing CA certificate over http

Description If the certificate auto-enrollment GPO is enabled on domain members both in Samba's smb.conf and using Windows GPME tool, a CA certificate may be fetched using a plain HTTP connection and installed in the member computer's trust store. This may give an attacker a chance to intercept t...

Unauthenticated Remote Code Execution

Description Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. This leads to a remote code execution vulnerability. Print servers configured with "printing...

Unauthenticated Remote Code Execution

Description Samba file servers and classic non-AD domain controllers offer the SamValidatePasswordChange and SamValidatePasswordReset RPC services on the SAMR DCE/RPC service when running over NCACNIPTCP. Both services pass a username and password to the "check password script" that can be...

Denial of service against AD DC WINS server

Description The Windows Internet Naming Service 1 is an unauthenticated service for registering and looking up names in a NetBIOS network running on TCP and UDP 2. The protocol handlers for the RELEASE and MULTIHOMEREG packets in the WINS server running when Samba is configured as an Active...

Missing access checks on reparse point

Description Starting with Samba 4.21, users can create and delete NTFS-style reparse points https://en.wikipedia.org/wiki/NTFSreparsepoint via the SMB protocol. The Reparse Point Metadata is stored in an extended attribute named "user.SmbReparse" together with the FILEATTRIBUTEREPARSEPOINT bit in...

Command injection via WINS server hook script

Description If a Samba server has WINS support enabled it is off by default, and it has a 'wins hook' parameter specified, the program specified by that parameter will be run whenever a WINS name is changed. The WINS server used by the Samba Active Directory Domain Controller did not validate the...

uninitialized memory disclosure via vfs_streams_xattr

Description An authenticated user can read an unlimited number of samples of discarded heap memory, due to a failure to initialise memory in streamsxattrpwrite in the vfsstreamsxattr file server module. This is achieved by issuing write requests that creates holes in the file. Samba erases known...

Samba AD DC Busy RPC multiple listener DoS

Description Samba as an Active Directory DC operates RPC services from two distinct parts of the codebase. Those services focused on the AD DC are started in the main "samba" process, while services focused on the fileserver and NT4-like DC are started from the new samba-dcerpcd, which is launche...

SMB clients can truncate files with

Description The SMB protocol allows opening files where the client requests read-only access, but then implicitly truncating the opened file if the client specifies a separate OVERWRITE create disposition. This operation requires write access to the file, and in the default Samba configuration th...

Samba AD DC password exposure to privileged

Description In normal operation, passwords and most secrets are never disclosed over LDAP in Active Directory. However, due to a design flaw in Samba's implementation of the DirSync control, Active Directory accounts authorized to do some replication, but not to replicate sensitive attributes, ca...

smbd allows client access to unix domain sockets

Description The SMB 1/2/3 protocols allow clients to connect to named pipes via the IPC$ Inter-Process Communication share for the process of inter-process communication between SMB clients and servers. Since Samba 4.16.0, Samba internally connects client pipe names to unix domain sockets within ...

"rpcecho" development server allows Denial

Description Samba developers have built a non-Windows RPC server known as "rpcecho" to test elements of the Samba DCE/RPC stack under their full control. One RPC function provided by "rpcecho" can block, essentially indefinitely, and because the "rpcecho" service is provided from the main RPC tas...

Samba Spotlight mdssvc RPC Request Type

Description When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the function...

Samba Spotlight mdssvc RPC Request Infinite

Description When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function slunpackloop did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in ...

Spotlight server-side Share Path Disclosure

Description As part of the Spotlight protocol, the initial request returns a path associated with the sharename targeted by the RPC request. Samba returns the real server-side share path at this point, as well as returning the absolute server-side path of results in search queries by clients. Kno...

SMB2 packet signing not enforced

Description SMB2 packet signing is not enforced if an admin configured "server signing = required" or for SMB2 connections to Domain Controllers where SMB2 packet signing is mandatory. SMB2 packet signing is a mechanism that ensures the integrity and authenticity of data exchanged between a clien...

Samba AD users can bypass certain restrictions

Description The KDC and the kpasswd service share a single account and set of keys. In certain cases, this makes the two services susceptible to confusion. When a user's password has expired, that user is requested to change their password. Until doing so, the user is restricted to only acquiring...

Access controlled AD LDAP attributes can be discovered

== Summary: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assu...

Samba AD DC admin tool samba-tool sends passwords in cleartext

Description Active Directory allows passwords to be set and changed over LDAP. Microsoft's implementation imposes a restriction that this may only happen over an encrypted connection, however Samba does not have this restriction currently. Samba's samba-tool client tool likewise has no restrictio...

Samba AD DC "dnsHostname" attribute can be

Description In implementing the Validated dnsHostName permission check in Samba's Active Directory DC, and therefore applying correctly constraints on the values of a dnsHostName value for a computer in a Samba domain CVE-2022-32743, the case where the dnsHostName is deleted, rather than modified...

RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided

Description This is Samba's response to Microsoft's CVE-2022-3802312. Following RFC8429 and as has been published for CVE-2022-3938, rc4-hmac also known as arcfour-hmac-md5 cryptography in Kerberos is weak, then it follows that the RC4 mode in the NETLOGON Secure Channel DCE/RPC bulk encryption i...

Kerberos constrained delegation ticket

Description Kerberos constrained delegation, known also as S4U2Proxy, requires that the intermediate service present to the KDC a valid Kerberos ticket including the PAC obtained by the user as evidence that they had authenticated, so that a new ticket can be issued for the target server. The...

rc4-hmac Kerberos session keys issued

Description Kerberos, the trusted third party authentication system at the heart of Active Directory, issues a session key known to the target server and the client, encrypted to both services in a TGS-REP. The key algorithm chosen for here is then used for the subsequent signed or encrypted...

Samba AD DC using Heimdal can be forced to

Description Kerberos, the trusted third party authentication system at the heart of Active Directory, issues a ticket using a key known to the target server but nobody else, returned to the client in a TGS-REP. This key needs to be of a type understood only by the KDC and target server. However,...

Samba buffer overflow vulnerabilities on 32-bit

Description The Kerberos libraries used by Samba provide a mechanism for authenticating a user or service by means of tickets that can contain Privilege Attribute Certificates PACs. Both the Heimdal and MIT Kerberos libraries, and so the embedded Heimdal shipped by Samba suffer from an integer...

Buffer overflow in Heimdal unwrap_des3()

Description The DES for Samba 4.11 and earlier and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc allocated memory when presented with a maliciously small packet. Examples of where Samba can use GSSAPI include the client and...

Wide links protection broken

Description Samba 4.17 introduced following symlinks in user space with the intent to properly check symlink targets to stay within the share that was configured by the administrator. The check does not properly cover a corner case, so that a user can create a symbolic link that will make smbd...

Samba AD users can induce a use-after-free in the

Description Some database modules make a shallow copy of an LDAP add/delete message so they can make modifications to its elements without affecting the original message. Each element in a message points to an array of values, and these arrays are shared between the original message and the copy...

Samba AD users can crash the server process with an

Description Due to incorrect values used as the limit for a loop and as the 'count' parameter to memcpy, the server, receiving a specially crafted message, leaves an array of structures partially uninitialised, or accesses an arbitrary element beyond the end of an array. Outcomes achievable by an...

Samba AD users can forge password change requests for

Description Tickets received by the kpasswd service were decrypted without specifying that only that service's own keys should be tried. By setting the ticket's server name to a principal associated with their own account, or by exploiting a fallback where known keys would be tried until a suitab...

Server memory information leak via SMB1.

Description Please note that only versions of Samba prior to 4.11.0 are vulnerable to this bug by default. Samba versions 4.11.0 and above disable SMB1 by default, and will only be vulnerable if the administrator has deliberately enabled SMB1 in the smb.conf file. All versions of Samba with SMB1...

Out-of-bounds heap read/write vulnerability

Description All versions of Samba prior to 4.13.17 are vulnerable to an out-of-bounds heap read write vulnerability that allows remote attackers to execute arbitrary code as root on affected Samba installations that use the VFS module vfsfruit. The specific flaw exists within the parsing of EA...

Samba AD users with permission to write to

Description The Samba AD DC includes checks when adding service principals names SPNs to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that...

Information leak via symlinks of existance of

Description All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this atta...

Symlink race error can allow directory creation

Description All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available...

Kerberos acceptors need easy access to stable

Description In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization. The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which mea...

Subsequent DCE/RPC fragment injection vulnerability

Description Samba implements DCE/RPC, and in most cases it is provided over and protected by the underlying SMB transport, with protections like 'SMB signing'. However there are other cases where large DCE/RPC request payloads are exchanged and fragmented into several pieces. If this happens over...

SMB1 client connections can be downgraded to plaintext authentication

Description An attacker can downgrade a negotiated SMB1 client connection and its capabitilities. Kerberos authentication is only possible with the SMB2/3 protocol or SMB1 using the NT1 dialect and the extended security spnego capability. Without mandatory SMB signing the protocol can be downgrad...

A user in an AD Domain could become root on

Description Windows Active Directory AD domains have by default a feature to allow users to create computer accounts, controlled by ms-DS-MachineAccountQuota. In addition some presumably trusted users have the right to create new users or computers in both Samba and Windows Active Directory...

Use after free in Samba AD DC RPC server

Description In DCE/RPC it is possible to share the handles cookies for resource state between multiple connections via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb database. However while the database was correctly shared, the user credentials...

Samba AD DC did not always rely on the SID

Description Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication. These names are often then used for authorization. However Microsoft Windows and Active Direcory is SID-based. SIDs in Windows, similar to UIDs in Linux/Unix if managed well...

Samba AD DC did not do suffienct access and

Description Samba as an Active Directory Domain Controller has to take care to protect a number of sensitive attributes, and to follow a security model from Active Directory that relies totally on the intersection of NT security descriptors and the underlying X.500 Directory Access Protocol as th...

Samba AD DC did not correctly sandbox

Description Samba as an Active Directory Domain Controller is able to support an RODC, which is meant to have minimal privileges in a domain. However, in accepting a ticket from a Samba or Windows RODC, Samba was not confirming that the RODC is authorized to print such a ticket, via the...

Negative idmap cache entries can cause incorrect

Description The Samba smbd file server must map Windows group identities SIDs into unix group ids gids. The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could caus...

Out of bounds read in AD DC LDAP server

Description A string in an LDAP attribute that contains multiple consecutive leading spaces can lead to a memmove of out of bounds memory in ldbhandlerfold. ldbhandlerfold is used by case insensitive strings - that is most string attributes - in Active Directory. As the search expression is...

Heap corruption via crafted DN strings

Description A DN may be represented in string form with arbitrary amounts of space around the component values. These spaces are supposed to be ignored, but invalid DNs strings with spaces may instead cause a zero byte to be written into out-of-bounds memory. An LDAP bind request can send a strin...

Missing handle permissions check in SMB1/2/3

Description The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can request file name notification on a directory handle when a condition such as "new file creation" or "file size change" or "file timestamp update" occurs. A missing permissions check on a directory handle...

An authenticated user can crash the DCE/RPC DNS with

Description Some DNS records such as MX and NS records usually contain data in the additional section. Samba's dnsserver RPC pipe which is an administrative interface not used in the DNS server itself made an error in handling the case where there are no records present: instead of noticing the...

Unprivileged user can crash winbind

Description winbind in version 3.6 and later implements a request to translate multiple Windows SIDs into names in one request. This was done for performance reasons: Active Directory domain controllers can do multiple SID to name translations in one RPC call. It was an obvious extension to also...