Samba attackers can force an admin password reset


Make yourself domain admin.

Users of the popular open source Samba networking toolkit need to patch against five vulnerabilities.

The most serious is in the Kerberos kpasswd service, which allows an attacker to change the Administrator account password, leading to “full loss of confidentiality and integrity”, as well as denying users access to their accounts.

Designated CVE-2022-32744, the bug is explained by Sophos’ Paul Ducklin: “Loosely put, attackers could wrangle Samba’s password-changing service, known as kpasswd, through a series of failed password change attempts… until it finally accepted a password change request that was authorised by the attackers themselves.”

There’s a second aspect to the kpasswd bug: “In addition, the kpasswd service would accept tickets encrypted by the krbtgt key of an RODC, in spite of the fact that RODCs should not have been able to authorise password changes,” the advisory stated.

The remaining, less serious vulnerabilities are:

  • CVE-2022-2031 – Samba Active Directory (AD) users can bypass some account restrictions, because kpasswd and the Kerberos KDC service share a single account and set of keys;
  • CVE-2022-32745 – Samba AD users can send a crafted LDAP add or modify request and crash the server process;
  • CVE-2022-32746 – Samba AD users can induce a use-after-free in the server process with an LDAP add or modify request; and
  • CVE-2022-32742 – A memory leak exists if SMB1 is enabled.

The patches, for Samba 4.16.3 and 4.16.4, are here.

Copyright © iTnews.com.au. All rights reserved.