Bug 886153 (CVE-2022-37966, CVE-2022-37967, CVE-2022-38023, CVE-2022-45141)

Summary:	<net-fs/samba-{4.15.13, 4.16.9}: multiple vulnerabilities
Product:	Gentoo Security	Reporter:	John Helmert III <ajak>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	RESOLVED FIXED
Severity:	minor	CC:	ajak, ole+gentoo, sam, samba
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://lists.samba.org/archive/samba-announce/2022/000623.html
Whiteboard:	B4 [glsa+]
Package list:		Runtime testing required:	---
Bug Depends on:	893084, 896250
Bug Blocks:

Description John Helmert III archtester

2022-12-15 17:30:34 UTC

"o CVE-2022-37966: This is the Samba CVE for the Windows Kerberos
                  RC4-HMAC Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A Samba Active Directory DC will issue weak rc4-hmac
                  session keys for use between modern clients and servers
                  despite all modern Kerberos implementations supporting
                  the aes256-cts-hmac-sha1-96 cipher.

                  On Samba Active Directory DCs and members
                  'kerberos encryption types = legacy' would force
                  rc4-hmac as a client even if the server supports
                  aes128-cts-hmac-sha1-96 and/or aes256-cts-hmac-sha1-96.

https://www.samba.org/samba/security/CVE-2022-37966.html

o CVE-2022-37967: This is the Samba CVE for the Windows
                  Kerberos Elevation of Privilege Vulnerability
                  disclosed by Microsoft on Nov 8 2022.

                  A service account with the special constrained
                  delegation permission could forge a more powerful
                  ticket than the one it was presented with.

https://www.samba.org/samba/security/CVE-2022-37967.html

o CVE-2022-38023: The "RC4" protection of the NetLogon Secure channel uses the
                  same algorithms as rc4-hmac cryptography in Kerberos,
                  and so must also be assumed to be weak.

https://www.samba.org/samba/security/CVE-2022-38023.html

o CVE-2022-45141: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
                  Vulnerability was disclosed by Microsoft on Nov 8 2022
                  and per RFC8429 it is assumed that rc4-hmac is weak,

                  Vulnerable Samba Active Directory DCs will issue rc4-hmac
                  encrypted tickets despite the target server supporting
                  better encryption (eg aes256-cts-hmac-sha1-96).

https://www.samba.org/samba/security/CVE-2022-45141.html"

Please bump to 4.15.13, 4.16.8, 4.15.13.

Comment 1 Krzysztof Olędzki 2023-01-10 05:51:52 UTC

This bug has been opened for almost a month.

Should I create a separate one requesting version bump to samba-4.15.13 & samba-4.16.8 (and perhaps 4.17.4 which may be a larger change) or is this one sufficient to track the changes?

Comment 2 John Helmert III archtester

2023-01-10 14:18:16 UTC

(In reply to Krzysztof Olędzki from comment #1)
> This bug has been opened for almost a month.
> 
> Should I create a separate one requesting version bump to samba-4.15.13 &
> samba-4.16.8 (and perhaps 4.17.4 which may be a larger change) or is this
> one sufficient to track the changes?

This one is sufficient.

Comment 3 Larry the Git Cow gentoo-dev

2023-02-22 19:37:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cdaf50845c6806cd79d92e454d197360a9bd315

commit 6cdaf50845c6806cd79d92e454d197360a9bd315
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-02-22 19:36:36 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-02-22 19:36:51 +0000

    net-fs/samba: cleanup vulnerable 4.16.7-r4
    
    Bug: https://bugs.gentoo.org/886153
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 net-fs/samba/Manifest               |   1 -
 net-fs/samba/samba-4.16.7-r4.ebuild | 368 ------------------------------------
 2 files changed, 369 deletions(-)

Comment 4 Larry the Git Cow gentoo-dev

2023-09-17 05:56:52 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=5bfe8198b2352fa0ac46dbc59d078650dc544a7e

commit 5bfe8198b2352fa0ac46dbc59d078650dc544a7e
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-09-17 05:56:23 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-09-17 05:56:46 +0000

    [ GLSA 202309-06 ] Samba: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/820566
    Bug: https://bugs.gentoo.org/821688
    Bug: https://bugs.gentoo.org/830983
    Bug: https://bugs.gentoo.org/832433
    Bug: https://bugs.gentoo.org/861512
    Bug: https://bugs.gentoo.org/866225
    Bug: https://bugs.gentoo.org/869122
    Bug: https://bugs.gentoo.org/878273
    Bug: https://bugs.gentoo.org/880437
    Bug: https://bugs.gentoo.org/886153
    Bug: https://bugs.gentoo.org/903621
    Bug: https://bugs.gentoo.org/905320
    Bug: https://bugs.gentoo.org/910334
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202309-06.xml | 86 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 86 insertions(+)