Alerts This Week
Warning Icon 1 640
Alerts This Week
Warning Icon 1 640

Ubuntu 22.10: USN-5822-1 Critical: Samba Buffer Overflow

ubuntu
Calendar Grey January 24, 2023
Dist Ubuntu Esm H88
Ubuntu Security Notice USN-5823-1 deals with multiple vulnerabilities in the OpenSSH service, informing users on essential upgrades and mitigation steps.
Several security issues were fixed in Samba.

Summary

Several security issues were fixed in Samba.

Software Description:

- samba: SMB/CIFS file, print, and login server for Unix

Details:

It was discovered that Samba incorrectly handled the bad password count

logic. A remote attacker could possibly use this issue to bypass bad

passwords lockouts. This issue was only addressed in Ubuntu 22.10.

(CVE-2021-20251)

Evgeny Legerov discovered that Samba incorrectly handled buffers in

certain GSSAPI routines of Heimdal. A remote attacker could possibly use

this issue to cause Samba to crash, resulting in a denial of service.

(CVE-2022-3437)

Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos

keys. A remote attacker could possibly use this issue to elevate

privileges. (CVE-2022-37966, CVE-2022-37967)

It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure

Channel. A remote attacker could possibly use this issue to elevate

privileges. (CVE-2022-38023)

Greg Hudson discover...

Read the Full Advisory

Update Instructions

The problem can be corrected by updating your system to the following
package versions:

Ubuntu 22.10:
   samba                           2:4.16.8+dfsg-0ubuntu1

Ubuntu 22.04 LTS:
   samba                           2:4.15.13+dfsg-0ubuntu1

Ubuntu 20.04 LTS:
   samba                           2:4.13.17~dfsg-0ubuntu1.20.04.4

This update uses a new upstream release, which includes additional bug
fixes. In general, a standard system update will make all the necessary
changes.

References

https://ubuntu.com/security/notices/USN-5822-1

CVE-2021-20251, CVE-2022-3437, CVE-2022-37966, CVE-2022-37967,

CVE-2022-38023, CVE-2022-42898, CVE-2022-45141

Severity
critical
Lowest
Low
Medium
High
Critical

January 24, 2023

Package Information

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Your message here