Samba has released three security updates that fix issues which could lead to the theft of passwords and BitLocker recovery keys. All versions of Samba since 4.0 prior to 4.16.10, 4.17.7, and 4.18.1 are affected by these vulnerabilities, and CISA urges administrators to update their devices as soon as possible. Use the linked Lansweeper audit to quickly get an overview of which devices in your IT environment need an update.
The most severe vulnerability is CVE-2023-0614. It can disclose confidential AD attributes via LDAP filters and, in the worst case, lead to BitLocker recovery keys being disclosed. The Samba team has attempted to fix this vulnerability four times already, but each fix has proven insufficient.
CVE-2023-0922 is a vulnerability that can lead to password theft. The Samba AD DC administration tool (samba-tool), when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection, i.e. one that is integrity-protected but not encrypted. Attackers observing the network traffic between samba-tool and the Samba AD DC can therefore retrieve those passwords.
Lastly, there is CVE-2023-0225. This vulnerability, caused by an incomplete access check on dnsHostName, allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory.
Samba Updates Released
The Samba team lists all versions of Samba since 4.0 prior to 4.16.10, 4.17.7, and 4.18.1 as affected by these vulnerabilities. All affected releases are listed in Samba's Security Advisories, which, along with the patches addressing the issues, can be accessed via their Security Releases page.
Discover Vulnerable Devices
Samba's security advisories list all affected versions, as well as the version numbers that contain the fixes. We've used this information to create a special Lansweeper report that lists all devices in your environment that could be affected by these vulnerabilities, giving you an actionable list of devices that might require a patch or update.
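The version logic behind such a report, as an added example that is not the Lansweeper report itself nor Samba's own code: a version is affected when it is 4.x and older than the first fixed release of its own branch (4.16.10, 4.17.7 or 4.18.1, as stated in the advisory); branches 4.0 through 4.15 have no fixed release in this round, so every version there counts as affected. The inventory records, hostnames and version strings below are constructed samples (Samba reports versions in forms like "Version 4.17.7-Debian", so only the leading numeric triple is parsed), and treating branches newer than 4.18 as unaffected is an assumption taken from the advisory's wording.

```python
"""Flag Samba installations in the affected version range of the April 2023 advisories.

Added example, not Lansweeper's report or Samba's code. Affected range per advisory:
every 4.x release from 4.0 up to, but not including, 4.16.10 / 4.17.7 / 4.18.1
on the respective branch.
"""
import re
from typing import Optional, Tuple

# First fixed release per maintained branch (from the advisory).
FIXED = {
    (4, 16): (4, 16, 10),
    (4, 17): (4, 17, 7),
    (4, 18): (4, 18, 1),
}
OLDEST_AFFECTED = (4, 0, 0)   # advisory scope starts at Samba 4.0
NEWEST_FIX_BRANCH = (4, 18)   # assumption: branches after 4.18 shipped with the fixes

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Extract the leading numeric triple from strings such as
    'Version 4.17.7-Debian' or '4.16.9+dfsg-1'. Returns None if none is found."""
    m = _VERSION_RE.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version) -> Optional[bool]:
    """True if the version is inside the affected range, False if outside,
    None if the version string could not be parsed (surface for manual review)."""
    v = parse_version(version) if isinstance(version, str) else version
    if v is None:
        return None
    if v < OLDEST_AFFECTED:
        return False  # Samba 3.x is outside the advisory's scope
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]  # tuple comparison: older than the fixed release
    if branch > NEWEST_FIX_BRANCH:
        return False  # newer branch, assumed to carry the fixes
    return True  # 4.0 .. 4.15: no fixed release exists, every version is affected


# Constructed sample inventory; not real hosts or real scan data.
INVENTORY = [
    {"host": "dc01.example.test", "samba": "Version 4.18.0"},
    {"host": "dc02.example.test", "samba": "Version 4.17.7-Debian"},
    {"host": "fs01.example.test", "samba": "4.16.9+dfsg-1"},
    {"host": "legacy.example.test", "samba": "4.13.17"},
    {"host": "nas.example.test", "samba": "unknown"},
]


def triage(records):
    """Split inventory records into (affected hosts, hosts needing manual review)."""
    affected, undetermined = [], []
    for rec in records:
        verdict = is_affected(rec["samba"])
        if verdict is None:
            undetermined.append(rec["host"])
        elif verdict:
            affected.append(rec["host"])
    return affected, undetermined


if __name__ == "__main__":
    hosts, unknown = triage(INVENTORY)
    print("Affected:", ", ".join(hosts))
    print("Needs manual review:", ", ".join(unknown))
```

Hosts whose version cannot be parsed are reported separately rather than silently dropped, so an unreadable inventory field does not hide a vulnerable domain controller.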
Samba April 2023 CVE Codes & Descriptions
| CVE ID | Description | Base Score |
|---|---|---|
| CVE-2023-0225 | An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. | 5.4 |
| CVE-2023-0922 | The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. | 5.9 |
| CVE-2023-0614 | The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 (confidential attribute disclosure via LDAP filters) was insufficient, and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assume they have been obtained and need replacing. | 7.7 |