Bugzilla – Bug 1209483
VUL-0: CVE-2023-0225: samba: AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users.
Last modified: 2024-05-06 08:35:41 UTC
=========================================================== == Subject: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users. == == CVE ID#: CVE-2023-0225 == == Versions: Samba 4.17.0 and later versions == == Summary: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. =========================================================== =========== Description =========== In implementing the Validated dnsHostName permission check in Samba's Active Directory DC, and therefore applying correctly constraints on the values of a dnsHostName value for a computer in a Samba domain (CVE-2022-32743), the case where the dnsHostName is deleted, rather than modified or added, was incorrectly handled. Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion of the dnsHostName attribute became possible for authenticated but otherwise unprivileged users, for any object. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4) ========== Workaround ========== The AD DC LDAP server is a critical component of the AD DC, and it should not be disabled. However it can be disabled by setting server services = -ldap in the smb.conf and restarting Samba ======= Credits ======= Originally reported by Lukas Mitter of codemanufaktur GmbH. Patches provided by Joseph Sutton and Douglas Bagnall of Catalyst and the Samba Team. Advisory prepared by Andrew Bartlett of Catalyst and the Samba Team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== from https://bugzilla.samba.org/show_bug.cgi?id=15276
SUSE-SU-2023:1687-1: An update that solves four vulnerabilities and has one fix can now be installed. Category: security (important) Bug References: 1201490, 1207416, 1209481, 1209483, 1209485 CVE References: CVE-2022-32746, CVE-2023-0225, CVE-2023-0614, CVE-2023-0922 Sources used: SUSE Linux Enterprise High Availability Extension 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1 SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Linux Enterprise Real Time 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Manager Proxy 4.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Manager Retail Branch Server 4.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Manager Server 4.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Enterprise Storage 7.1 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Linux Enterprise Micro 5.1 (src): ldb-2.4.4-150300.3.23.1 SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 SUSE Linux Enterprise Micro for Rancher 5.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2023:1689-1: An update that solves four vulnerabilities and has three fixes can now be installed. Category: security (important) Bug References: 1201490, 1207416, 1207723, 1207996, 1209481, 1209483, 1209485 CVE References: CVE-2022-32746, CVE-2023-0225, CVE-2023-0614, CVE-2023-0922 Sources used: openSUSE Leap Micro 5.3 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 openSUSE Leap 15.4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 SUSE Linux Enterprise Micro for Rancher 5.3 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 SUSE Linux Enterprise Micro 5.3 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 SUSE Linux Enterprise Micro for Rancher 5.4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 SUSE Linux Enterprise Micro 5.4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 Basesystem Module 15-SP4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 SUSE Linux Enterprise High Availability Extension 15 SP4 (src): samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Reassign to security team to close it.
done, closing