Synology-SA-22:10 Samba
Publish Time: 2022-07-29 15:12:19 UTC+8
Last Updated: 2022-08-26 17:48:28 UTC+8
- Severity
- Important
- Status
- Ongoing
Abstract
CVE-2022-32742 allows remote authenticated users to obtain sensitive information via a susceptible version of Synology DiskStation Manager (DSM), Synology Router Manager (SRM) and SMB Service.
CVE-2022-2031, CVE-2022-32744, and CVE-2022-32746 allow remote authenticated users to bypass security constraint and conduct denial-of-service attacks via a susceptible version of Synology Directory Server.
None of Synology's products are affected by CVE-2022-32745 as this vulnerability only affect Samba 4.13 and later.
Affected Products
| Product | Severity | Fixed Release Availability |
|---|---|---|
| DSM 6.2 | Moderate | Ongoing |
| SRM 1.3 | Moderate | Ongoing |
| SRM 1.2 | Moderate | Ongoing |
| DSMUC 3.1 | Not affected | N/A |
| VS Firmware 3.0 | Not affected | N/A |
| VS Firmware 2.3 | Not affected | N/A |
| SMB Service for DSM 7.1 | Moderate | Ongoing |
| SMB Service for DSM 7.0 | Moderate | Ongoing |
| Synology Directory Server for DSM 7.1 | Important | Ongoing |
| Synology Directory Server for DSM 7.0 | Important | Ongoing |
| Synology Directory Server for DSM 6.2 | Important | Ongoing |
Mitigation
If you need immediate assistance, please contact Synology technical support via https://account.synology.com/support.
Detail
CVE-2022-32744
- Severity: Important
- CVSS3 Base Score: 8.8
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover.
CVE-2022-2031
- Severity: Moderate
- CVSS3 Base Score: 5.4
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
- A flaw was found in Samba. The security vulnerability occurs when KDC and the kpasswd service share a single account and set of keys, allowing them to decrypt each other's tickets. A user who has been requested to change their password, can exploit this flaw to obtain and use tickets to other services.
CVE-2022-32742
- Severity: Moderate
- CVSS3 Base Score: 4.3
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).
CVE-2022-32746
- Severity: Moderate
- CVSS3 Base Score: 5.4
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
- A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.
CVE-2022-32745
- Severity: Not affected
- CVSS3 Base Score: 0.0
- CVSS3 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:N
- A flaw was found in Samba. Samba AD users can cause the server to access uninitialized data with an LDAP add or modify the request, usually resulting in a segmentation fault.
Reference
- Samba Releases Security Updates
- CVE-2022-2031
- CVE-2022-32742
- CVE-2022-32744
- CVE-2022-32745
- CVE-2022-32746
Revision
| Revision | Date | Description |
|---|---|---|
| 1 | 2022-07-29 | Initial public release. |
| 2 | 2022-08-26 | Disclosed vulnerability details. |