Synopsis
The remote Debian host is missing one or more security-related updates.
Description
The remote Debian 11 host has packages installed that are affected by multiple vulnerabilities as referenced in the dsa-5205 advisory.
- The KDC and the kpasswd service share a single account and set of keys. In certain cases, this makes the two services susceptible to confusion. When a user's password has expired, that user is requested to change their password. Until doing so, the user is restricted to only acquiring tickets to kpasswd.
However, a vulnerability meant that the kpasswd's principal, when canonicalized, was set to that of the TGS (Ticket-Granting Service), thus yielding TGTs from ordinary kpasswd requests. These TGTs could be used to perform an Elevation of Privilege attack by obtaining service tickets and using services in the forest.
This vulnerability existed in versions of Samba built with Heimdal Kerberos. A separate vulnerability in Samba versions below 4.16, and in Samba built with MIT Kerberos, led the KDC to accept kpasswd tickets as if they were TGTs, with the same overall outcome. On the reverse side of the issue, password changes could be effected by presenting TGTs as if they were kpasswd tickets. TGTs having potentially longer lifetimes than kpasswd tickets, the value of a stolen cache containing a TGT was hence increased to an attacker, with the possibility of indefinite control over an account by means of a password change. Finally, kpasswd service tickets would be accepted for changes to one's own password, contrary to the requirement that tickets be acquired with an initial KDC request in such cases. As part of the mitigations, the lifetime of kpasswd tickets has been restricted to a maximum of two minutes. The KDC will no longer accept TGTs with two minutes or less left to live, to make sure it does not accept kpasswd tickets. (CVE-2022-2031)
- Please note that only versions of Samba prior to 4.11.0 are vulnerable to this bug by default. Samba versions 4.11.0 and above disable SMB1 by default, and will only be vulnerable if the administrator has deliberately enabled SMB1 in the smb.conf file. All versions of Samba with SMB1 enabled are vulnerable to a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client supplied data.
The client cannot control the area of the server memory that is written to the file (or printer).
(CVE-2022-32742)
- Tickets received by the kpasswd service were decrypted without specifying that only that service's own keys should be tried. By setting the ticket's server name to a principal associated with their own account, or by exploiting a fallback where known keys would be tried until a suitable one was found, an attacker could have the server accept tickets encrypted with any key, including their own. A user could thus change the password of the Administrator account and gain total control over the domain. Full loss of confidentiality and integrity would be possible, as well as of availability by denying users access to their accounts. In addition, the kpasswd service would accept tickets encrypted by the krbtgt key of an RODC, in spite of the fact that RODCs should not have been able to authorise password changes.
(CVE-2022-32744)
- Due to incorrect values used as the limit for a loop and as the 'count' parameter to memcpy(), the server, receiving a specially crafted message, leaves an array of structures partially uninitialised, or accesses an arbitrary element beyond the end of an array. Outcomes achievable by an attacker include segmentation faults and corresponding loss of availability. Depending on the contents of the uninitialised memory, confidentiality may also be affected. (CVE-2022-32745)
- Some database modules make a shallow copy of an LDAP add/delete message so they can make modifications to its elements without affecting the original message. Each element in a message points to an array of values, and these arrays are shared between the original message and the copy. The issue arises when a database module adds new values to an existing array. A call to realloc() increases the array's size to accommodate new elements, but at the same time, frees the old array. This leaves the original message element with a dangling pointer to a now-freed array. When the database audit logging module subsequently logs the details of the original message, it will access this freed data, generally resulting in corrupted log output or a crash. The code paths susceptible to this issue are reachable when certain specific attributes, such as userAccountControl, are added or modified. These attributes are not editable by default without having a privilege assigned, such as Write Property. (CVE-2022-32746)
Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.
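Because the plugin relies only on the package version, it cannot tell whether a host meets the SMB1 precondition described for CVE-2022-32742. The following check is an added example, not part of the plugin or of Samba: it reads the [global] section of an smb.conf and reports whether the minimum server dialect has been lowered to an SMB1-era one. It assumes the standard Samba parameter `server min protocol` (synonym `min protocol`), which the page does not name, and it uses a constructed sample file.

```shell
#!/bin/sh
# Added example: does the [global] section of an smb.conf permit SMB1?
# Assumption: "server min protocol" (synonym "min protocol") is the Samba
# parameter meant by the page's "enabled SMB1 in the smb.conf file".

# Print the effective [global] minimum dialect, upper-cased.
# Prints nothing when unset (4.11.0 and above then disable SMB1 by default).
global_min_protocol() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t]/, "", s)
            in_global = (s ~ /^\[global\]/)
            next
        }
        in_global && /=/ {
            name = tolower(substr($0, 1, index($0, "=") - 1))
            gsub(/[ \t]/, "", name)                 # names ignore case and spaces
            if (name == "serverminprotocol" || name == "minprotocol") {
                val = toupper(substr($0, index($0, "=") + 1))
                gsub(/^[ \t]+|[ \t\r]+$/, "", val)
                last = val                          # last assignment wins
            }
        }
        END { if (last != "") print last }
    ' "$1"
}

# Return 0 when the configured minimum dialect is an SMB1-era one.
smb1_enabled() {
    case "$(global_min_protocol "$1")" in
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1) return 0 ;;
        *) return 1 ;;
    esac
}

# Constructed sample configuration (not taken from any real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
[global]
   workgroup = EXAMPLE
   Server Min Protocol = NT1
EOF
if smb1_enabled "$sample"; then
    echo "SMB1 permitted: server min protocol = $(global_min_protocol "$sample")"
fi
rm -f "$sample"
```

The parser does not follow `include` directives, so a value set in an included file is not seen.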
Solution
Upgrade the samba packages.
For the stable distribution (bullseye), these problems have been fixed in version 2
Plugin Details
File Name: debian_DSA-5205.nasl
Agent: unix
Supported Sensors: Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Nessus
Risk Information
Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C
Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C
Vulnerability Information
CPE: p-cpe:/a:debian:debian_linux:libpam-winbind, cpe:/o:debian:debian_linux:11.0, p-cpe:/a:debian:debian_linux:samba-dsdb-modules, p-cpe:/a:debian:debian_linux:python3-samba, p-cpe:/a:debian:debian_linux:ctdb, p-cpe:/a:debian:debian_linux:smbclient, p-cpe:/a:debian:debian_linux:winbind, p-cpe:/a:debian:debian_linux:libsmbclient, p-cpe:/a:debian:debian_linux:samba-dev, p-cpe:/a:debian:debian_linux:samba-libs, p-cpe:/a:debian:debian_linux:samba, p-cpe:/a:debian:debian_linux:registry-tools, p-cpe:/a:debian:debian_linux:samba-common-bin, p-cpe:/a:debian:debian_linux:libwbclient-dev, p-cpe:/a:debian:debian_linux:samba-vfs-modules, p-cpe:/a:debian:debian_linux:samba-testsuite, p-cpe:/a:debian:debian_linux:libwbclient0, p-cpe:/a:debian:debian_linux:libsmbclient-dev, p-cpe:/a:debian:debian_linux:libnss-winbind, p-cpe:/a:debian:debian_linux:samba-common
Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l
Exploit Ease: No known exploits are available
Patch Publication Date: 8/11/2022
Vulnerability Publication Date: 7/27/2022