Detections
Analytics

Amazon Linux 2023 : libnetapi, libnetapi-devel, libsmbclient (ALAS2023-2023-032)

critical Nessus Plugin ID 173148

Language:

Synopsis

The remote Amazon Linux 2023 host is missing a security update.

Description

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-032 advisory.

 2024-02-15: CVE-2016-2124 was added to this advisory.

 2024-02-15: CVE-2021-44141 was added to this advisory.

 2024-02-15: CVE-2021-20316 was added to this advisory.

 2024-02-15: CVE-2020-17049 was added to this advisory.

 A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
 (CVE-2016-2124)

 It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it's providing from tempering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user. (CVE-2020-17049)

 A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated attacker with permissions to read or modify share metadata, to perform this operation outside of the share.

 A fix for CVE-2021-20316 will not be provided for Amazon Linux 1 and Amazon Linux 2. You can mitigate this issue by disabling SMBv1.To do so, add server min protocol = SMB2 to the [global] section of /etc/samba/smb.conf (CVE-2021-20316)

 All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed. (CVE-2021-43566)

 All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.

 A fix for CVE-2021-44141 for will not be provided for Amazon Linux 1 and Amazon Linux 2. You can mitigate this issue by disabling SMBv1.To do so, add server min protocol = SMB2 to the [global] section of /etc/samba/smb.conf (CVE-2021-44141)

 Samba AD users with permission to write to an account can impersonate arbitrary services (CVE-2022-0336)

 In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. (CVE-2022-1615)

 A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer). (CVE-2022-32742)

 Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it. (CVE-2022-32743)

 A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl. (CVE-2022-32746)

 A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack. (CVE-2022-3437)

 Samba 4.17 introduced following symlinks in user space with the intent to properly check symlink targets to stay within the share that was configured by the administrator. The check does not properly cover a corner case, so that a user can create a symbolic link that will make smbd escape the configured share path. (CVE-2022-3592)

 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability. (CVE-2022-37966)

 Windows Kerberos Elevation of Privilege Vulnerability. (CVE-2022-37967)

 Netlogon RPC Elevation of Privilege Vulnerability. (CVE-2022-38023)

 Samba AD DC using Heimdal can be forced to issue rc4-hmac encrypted Kerberos tickets (CVE-2022-45141)

Tenable has extracted the preceding description block directly from the tested product security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update samba --releasever=2023.0.20230222 ' to update your system.

See Also

https://alas.aws.amazon.com/AL2023/ALAS-2023-032.html

https://alas.aws.amazon.com/faqs.html

https://alas.aws.amazon.com/cve/html/CVE-2016-2124.html

https://alas.aws.amazon.com/cve/html/CVE-2020-17049.html

https://alas.aws.amazon.com/cve/html/CVE-2021-20316.html

https://alas.aws.amazon.com/cve/html/CVE-2021-43566.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44141.html

https://alas.aws.amazon.com/cve/html/CVE-2022-0336.html

https://alas.aws.amazon.com/cve/html/CVE-2022-1615.html

https://alas.aws.amazon.com/cve/html/CVE-2022-3437.html

https://alas.aws.amazon.com/cve/html/CVE-2022-3592.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32742.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32743.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32746.html

https://alas.aws.amazon.com/cve/html/CVE-2022-37966.html

https://alas.aws.amazon.com/cve/html/CVE-2022-37967.html

https://alas.aws.amazon.com/cve/html/CVE-2022-38023.html

https://alas.aws.amazon.com/cve/html/CVE-2022-45141.html

Plugin Details

Severity: Critical

ID: 173148

File Name: al2023_ALAS2023-2023-032.nasl

Version: 1.6

Type: local

Agent: unix

Published: 3/21/2023

Updated: 12/11/2024

Supported Sensors: Frictionless Assessment AWS, Frictionless Assessment Agent, Nessus Agent, Agentless Assessment, Continuous Assessment, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2020-17049

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-45141

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:libsmbclient, p-cpe:/a:amazon:linux:samba, p-cpe:/a:amazon:linux:samba-pidl, p-cpe:/a:amazon:linux:libsmbclient-debuginfo, p-cpe:/a:amazon:linux:libwbclient, p-cpe:/a:amazon:linux:samba-common-libs, p-cpe:/a:amazon:linux:samba-dcerpc, p-cpe:/a:amazon:linux:samba-libs, p-cpe:/a:amazon:linux:samba-test-libs-debuginfo, p-cpe:/a:amazon:linux:samba-usershares, p-cpe:/a:amazon:linux:samba-vfs-iouring, p-cpe:/a:amazon:linux:samba-winbind-krb5-locator, p-cpe:/a:amazon:linux:samba-common-tools-debuginfo, p-cpe:/a:amazon:linux:samba-debugsource, p-cpe:/a:amazon:linux:samba-test, p-cpe:/a:amazon:linux:samba-client-libs, p-cpe:/a:amazon:linux:samba-client-debuginfo, p-cpe:/a:amazon:linux:libnetapi-debuginfo, p-cpe:/a:amazon:linux:samba-winbind-krb5-locator-debuginfo, p-cpe:/a:amazon:linux:samba-test-libs, p-cpe:/a:amazon:linux:samba-winbind-debuginfo, p-cpe:/a:amazon:linux:libnetapi, p-cpe:/a:amazon:linux:libwbclient-debuginfo, p-cpe:/a:amazon:linux:samba-ldb-ldap-modules-debuginfo, p-cpe:/a:amazon:linux:libwbclient-devel, p-cpe:/a:amazon:linux:samba-winbind-clients, p-cpe:/a:amazon:linux:samba-common-libs-debuginfo, p-cpe:/a:amazon:linux:samba-ldb-ldap-modules, p-cpe:/a:amazon:linux:samba-client-libs-debuginfo, p-cpe:/a:amazon:linux:samba-winbind-clients-debuginfo, p-cpe:/a:amazon:linux:python3-samba-debuginfo, p-cpe:/a:amazon:linux:samba-vfs-iouring-debuginfo, p-cpe:/a:amazon:linux:samba-krb5-printing, p-cpe:/a:amazon:linux:samba-libs-debuginfo, p-cpe:/a:amazon:linux:samba-dcerpc-debuginfo, p-cpe:/a:amazon:linux:samba-winbind, p-cpe:/a:amazon:linux:samba-debuginfo, p-cpe:/a:amazon:linux:python3-samba, p-cpe:/a:amazon:linux:samba-winbind-modules-debuginfo, p-cpe:/a:amazon:linux:samba-dc-libs-debuginfo, cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:samba-client, p-cpe:/a:amazon:linux:python3-samba-test, p-cpe:/a:amazon:linux:samba-common-tools, p-cpe:/a:amazon:linux:samba-devel, p-cpe:/a:amazon:linux:samba-common, p-cpe:/a:amazon:linux:libsmbclient-devel, p-cpe:/a:amazon:linux:libnetapi-devel, p-cpe:/a:amazon:linux:samba-dc-libs, p-cpe:/a:amazon:linux:samba-krb5-printing-debuginfo, p-cpe:/a:amazon:linux:samba-winbind-modules, p-cpe:/a:amazon:linux:samba-test-debuginfo, p-cpe:/a:amazon:linux:python3-samba-devel

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2023

Vulnerability Publication Date: 1/10/2022

Reference Information

CVE: CVE-2016-2124, CVE-2020-17049, CVE-2021-20316, CVE-2021-43566, CVE-2021-44141, CVE-2022-0336, CVE-2022-1615, CVE-2022-32742, CVE-2022-32743, CVE-2022-32746, CVE-2022-3437, CVE-2022-3592, CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, CVE-2022-45141

IAVA: 2022-A-0020-S, 2022-A-0054-S, 2022-A-0299-S, 2022-A-0447-S, 2023-A-0004-S