What are you looking for ?
Advertise with us
Advertise with us

Asustor Security Advisory AS-2022-017: Samba

Samba team released security updates to address vulnerabilities in multiple versions of Samba.

Asustor, Inc. had published a security advisory concerning CVE-2022-38023 allow remote authenticated users to bypass security constraint and conduct attacks via a susceptible version of ADM NAS OS with SMB service enabled.

Severity: Moderate
Status: Ongoing

Statement:
The Samba Team has released security updates to address vulnerabilities in multiple versions of Samba.

CVE-2022-38023 allow remote authenticated users to bypass security constraint and conduct attacks via a susceptible version of ADM NAS OS with SMB service enabled.

The best solution for CVE-2022-37966 should be applied on the AD Server, please refer to Mitigation for details.

CVE-2022-37967 and CVE-2022-45141 will not affect current Asustor products as this vulnerability only affect AD DC features that ADM didn’t support.

  • Samba package has been updated on ADM 4.2.0.RE71 NAS OS to fix these potential vulnerabilities.

Affected products:

Product

Severity

Fixed release availability

ADM 4.2 and 4.1

Moderate

Upgrade to 4.2.0.RE71 or above.

ADM 4.0

Moderate

Ongoing

Mitigation:
For CVE-2022-37966:
For trusted domains you should explicitly configure the use of aes256-cts-hmac-sha1-96 support, either via the Windows GUI or the newly added ‘samba-tool domain trust modify –use-aes-keys’. For legacy trusts against Windows 2000/2003 domains you need to force rc4-hmac using ‘samba-tool domain trust modify –no-aes-keys’. Against remote DCs (including Windows) you can use the –local-dc-ipaddress= and other –local-dc-* options. See ‘samba-tool domain trust modify –help’ for further details.

Detail:

  • CVE-2022-37966
    • Severity: Moderate
    • Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.
  • CVE-2022-37967
    • Severity: Not affected
    • Windows Kerberos Elevation of Privilege Vulnerability.
  • CVE-2022-38023
    • Severity: Moderate
    • Netlogon RPC Elevation of Privilege Vulnerability.
  • CVE-2022-45141
    • Severity: Not affected
    • Reserved

Reference:

Revision:

Revision

Date

Description

1

2022-12-27

Initial public release.

2

2023-02-08

Release ADM 4.2.0.RE71 to update Samba package for fixing these potential vulnerabilities.

Articles_bottom
ExaGrid
AIC
ATTOtarget="_blank"
OPEN-E
RAIDON