Amazon Linux 2023 : libnetapi, libnetapi-devel, libsmbclient (ALAS2023-2023-032)

critical Nessus Plugin ID 173148

Synopsis

The remote Amazon Linux 2023 host is missing a security update.

Description

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2023-032 advisory.

- A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
(CVE-2016-2124)

- <p>A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).</p> <p>To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.</p> <p>The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.</p> (CVE-2020-17049)

- A flaw was found in the way Samba handled file/directory metadata. This flaw allows an authenticated attacker with permissions to read or modify share metadata, to perform this operation outside of the share. (CVE-2021-20316)

- All versions of Samba prior to 4.13.16 are vulnerable to a malicious client using an SMB1 or NFS race to allow a directory to be created in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed. (CVE-2021-43566)

- All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed.
(CVE-2021-44141)

- The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity. (CVE-2022-0336)

- In Samba, GnuTLS gnutls_rnd() can fail and give predictable random values. (CVE-2022-1615)

- A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer). (CVE-2022-32742)

- Samba does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute which could permit unprivileged users to write it. (CVE-2022-32743)

- A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl. (CVE-2022-32746)

- A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack. (CVE-2022-3437)

- A symlink following vulnerability was found in Samba, where a user can create a symbolic link that will make 'smbd' escape the configured share path. This flaw allows a remote user with access to the exported part of the file system under a share via SMB1 unix extensions or NFS to create symlinks to files outside the 'smbd' configured share path and gain access to another restricted server's filesystem.
(CVE-2022-3592)

- Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability (CVE-2022-37966)

- Windows Kerberos Elevation of Privilege Vulnerability (CVE-2022-37967)

- Netlogon RPC Elevation of Privilege Vulnerability (CVE-2022-38023)

- Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts- hmac-sha1-96). (CVE-2022-45141)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Run 'dnf update samba --releasever=2023.0.20230222 ' to update your system.

See Also

https://alas.aws.amazon.com/AL2023/ALAS-2023-032.html

https://alas.aws.amazon.com/faqs.html

https://alas.aws.amazon.com/cve/html/CVE-2016-2124.html

https://alas.aws.amazon.com/cve/html/CVE-2020-17049.html

https://alas.aws.amazon.com/cve/html/CVE-2021-20316.html

https://alas.aws.amazon.com/cve/html/CVE-2021-43566.html

https://alas.aws.amazon.com/cve/html/CVE-2021-44141.html

https://alas.aws.amazon.com/cve/html/CVE-2022-0336.html

https://alas.aws.amazon.com/cve/html/CVE-2022-1615.html

https://alas.aws.amazon.com/cve/html/CVE-2022-3437.html

https://alas.aws.amazon.com/cve/html/CVE-2022-3592.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32742.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32743.html

https://alas.aws.amazon.com/cve/html/CVE-2022-32746.html

https://alas.aws.amazon.com/cve/html/CVE-2022-37966.html

https://alas.aws.amazon.com/cve/html/CVE-2022-37967.html

https://alas.aws.amazon.com/cve/html/CVE-2022-38023.html

https://alas.aws.amazon.com/cve/html/CVE-2022-45141.html

Plugin Details

Severity: Critical

ID: 173148

File Name: al2023_ALAS2023-2023-032.nasl

Version: 1.5

Type: local

Agent: unix

Published: 3/21/2023

Updated: 2/20/2024

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: High

Base Score: 9

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C

CVSS Score Source: CVE-2020-17049

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 8.8

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

CVSS Score Source: CVE-2022-45141

Vulnerability Information

CPE: p-cpe:/a:amazon:linux:libsmbclient, p-cpe:/a:amazon:linux:samba, p-cpe:/a:amazon:linux:samba-pidl, p-cpe:/a:amazon:linux:libsmbclient-debuginfo, p-cpe:/a:amazon:linux:libwbclient, p-cpe:/a:amazon:linux:samba-common-libs, p-cpe:/a:amazon:linux:samba-dcerpc, p-cpe:/a:amazon:linux:samba-libs, p-cpe:/a:amazon:linux:samba-test-libs-debuginfo, p-cpe:/a:amazon:linux:samba-usershares, p-cpe:/a:amazon:linux:samba-vfs-iouring, p-cpe:/a:amazon:linux:samba-winbind-krb5-locator, p-cpe:/a:amazon:linux:samba-common-tools-debuginfo, p-cpe:/a:amazon:linux:samba-debugsource, p-cpe:/a:amazon:linux:samba-test, p-cpe:/a:amazon:linux:samba-client-libs, p-cpe:/a:amazon:linux:samba-client-debuginfo, p-cpe:/a:amazon:linux:libnetapi-debuginfo, p-cpe:/a:amazon:linux:samba-winbind-krb5-locator-debuginfo, p-cpe:/a:amazon:linux:samba-test-libs, p-cpe:/a:amazon:linux:samba-winbind-debuginfo, p-cpe:/a:amazon:linux:libnetapi, p-cpe:/a:amazon:linux:libwbclient-debuginfo, p-cpe:/a:amazon:linux:samba-ldb-ldap-modules-debuginfo, p-cpe:/a:amazon:linux:libwbclient-devel, p-cpe:/a:amazon:linux:samba-winbind-clients, p-cpe:/a:amazon:linux:samba-common-libs-debuginfo, p-cpe:/a:amazon:linux:samba-ldb-ldap-modules, p-cpe:/a:amazon:linux:samba-client-libs-debuginfo, p-cpe:/a:amazon:linux:samba-winbind-clients-debuginfo, p-cpe:/a:amazon:linux:python3-samba-debuginfo, p-cpe:/a:amazon:linux:samba-vfs-iouring-debuginfo, p-cpe:/a:amazon:linux:samba-krb5-printing, p-cpe:/a:amazon:linux:samba-libs-debuginfo, p-cpe:/a:amazon:linux:samba-dcerpc-debuginfo, p-cpe:/a:amazon:linux:samba-winbind, p-cpe:/a:amazon:linux:samba-debuginfo, p-cpe:/a:amazon:linux:python3-samba, p-cpe:/a:amazon:linux:samba-winbind-modules-debuginfo, p-cpe:/a:amazon:linux:samba-dc-libs-debuginfo, cpe:/o:amazon:linux:2023, p-cpe:/a:amazon:linux:samba-client, p-cpe:/a:amazon:linux:python3-samba-test, p-cpe:/a:amazon:linux:samba-common-tools, p-cpe:/a:amazon:linux:samba-devel, p-cpe:/a:amazon:linux:samba-common, p-cpe:/a:amazon:linux:libsmbclient-devel, p-cpe:/a:amazon:linux:libnetapi-devel, p-cpe:/a:amazon:linux:samba-dc-libs, p-cpe:/a:amazon:linux:samba-krb5-printing-debuginfo, p-cpe:/a:amazon:linux:samba-winbind-modules, p-cpe:/a:amazon:linux:samba-test-debuginfo, p-cpe:/a:amazon:linux:python3-samba-devel

Required KB Items: Host/local_checks_enabled, Host/AmazonLinux/release, Host/AmazonLinux/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/17/2023

Vulnerability Publication Date: 1/10/2022

Reference Information

CVE: CVE-2016-2124, CVE-2020-17049, CVE-2021-20316, CVE-2021-43566, CVE-2021-44141, CVE-2022-0336, CVE-2022-1615, CVE-2022-32742, CVE-2022-32743, CVE-2022-32746, CVE-2022-3437, CVE-2022-3592, CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, CVE-2022-45141

IAVA: 2022-A-0020-S, 2022-A-0054-S, 2022-A-0299-S, 2022-A-0447-S, 2023-A-0004-S