The version of samba installed on the remote host is prior to 4.16.2-0. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2022-2022-224 advisory.

  - A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to     retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
    (CVE-2016-2124)

  - A flaw was found in the way Samba maps domain users to local users. An authenticated attacker could use     this flaw to cause possible privilege escalation. (CVE-2020-25717)

  - A flaw was found in the way samba, as an Active Directory Domain Controller, is able to support an RODC     (read-only domain controller). This would allow an RODC to print administrator tickets. (CVE-2020-25718)

  - A flaw was found in the way Samba, as an Active Directory Domain Controller, implemented Kerberos name-     based authentication. The Samba AD DC, could become confused about the user a ticket represents if it did     not strictly require a Kerberos PAC and always use the SIDs found within. The result could include total     domain compromise. (CVE-2020-25719)

  - Kerberos acceptors need easy access to stable AD identifiers (eg objectSid). Samba as an AD DC now     provides a way for Linux applications to obtain a reliable SID (and samAccountName) in issued tickets.
    (CVE-2020-25721)

  - Multiple flaws were found in the way samba AD DC implemented access and conformance checking of stored     data. An attacker could use this flaw to cause total domain compromise. (CVE-2020-25722)

  - A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated     attacker with permissions to read or modify share metadata, to perform this operation outside of the     share. (CVE-2021-20316)

  - A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large     DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data,     bypassing the signature requirements. (CVE-2021-23192)

  - In DCE/RPC it is possible to share the handles (cookies for resource state) between multiple connections     via a mechanism called 'association groups'. These handles can reference connections to our sam.ldb     database. However while the database was correctly shared, the user credentials state was only pointed at,     and when one connection within that association group ended, the database would be left pointing at an     invalid 'struct session_info'. The most likely outcome here is a crash, but it is possible that the use-     after-free could instead allow different user state to be pointed at and this might allow more privileged     access. (CVE-2021-3738)

  - All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to     determine if a file or directory exists in an area of the server file system not exported under the share     definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
    (CVE-2021-44141)

  - The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide ...enhanced compatibility     with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver. Samba versions prior to     4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via     specially crafted extended file attributes. A remote attacker with write access to extended file     attributes can execute arbitrary code with the privileges of smbd, typically root. (CVE-2021-44142)

  - The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that     SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an     account modification re-adds an SPN that was previously present on that account, such as one added when a     computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to     perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an     attacker who can intercept traffic can impersonate existing services, resulting in a loss of     confidentiality and integrity. (CVE-2022-0336)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Detections

Analytics

Amazon Linux 2022 : samba (ALAS2022-2022-224)

high Nessus Plugin ID 168583

Version 1.4

Version 1.3

Version 1.2

Version 1.4 Feb 3, 2023, 4:05 PM Exploit attributes ("Exploitability ease" changed from "No known exploits are available" to "Exploits are available") Exploit attributes ("Exploit available" set to "True") Exploit attributes ("Exploited by malware" set to "True") CVSS temporal metrics ("CVSSv2 temporal vector" set to "CVSS2#E:H/RL:OF/RC:C") CVSS temporal metrics ("CVSSv3 temporal vector" set to "CVSS:3.0/E:H/RL:O/RC:C") Plugin Feed: 202302031605
Version 1.3 Dec 29, 2022, 11:58 AM IAVM reference Plugin Feed: 202212291158
Version 1.2 Dec 10, 2022, 7:52 AM New Plugin Feed: 202212100752