Your submission was sent successfully! Close

USN-5542-1: Samba vulnerabilities

1 August 2022

Several security issues were fixed in Samba.

Releases

Packages

  • samba - SMB/CIFS file, print, and login server for Unix

Details

It was discovered that Samba did not handle MaxQueryDuration when being
used in AD DC configurations, contrary to expectations. This issue only
affected Ubuntu 20.04 LTS. (CVE-2021-3670)

Luke Howard discovered that Samba incorrectly handled certain restrictions
associated with changing passwords. A remote attacker being requested to
change passwords could possibly use this issue to escalate privileges.
(CVE-2022-2031)

Luca Moro discovered that Samba incorrectly handled certain SMB1
communications. A remote attacker could possibly use this issue to obtain
sensitive memory contents. (CVE-2022-32742)

Joseph Sutton discovered that Samba incorrectly handled certain password
change requests. A remote attacker could use this issue to change passwords
of other users, resulting in privilege escalation. (CVE-2022-32744)

Joseph Sutton discovered that Samba incorrectly handled certain LDAP add or
modify requests. A remote attacker could possibly use this issue to cause
Samba to crash, resulting in a denial of service. (CVE-2022-32745)

Joseph Sutton and Andrew Bartlett discovered that Samba incorrectly handled
certain LDAP add or modify requests. A remote attacker could possibly use
this issue to cause Samba to crash, resulting in a denial of service.
(CVE-2022-32746)

Update instructions

The problem can be corrected by updating your system to the following package versions:

Ubuntu 22.04
Ubuntu 20.04

The update for Ubuntu 22.04 LTS uses a new upstream release, which includes
additional bug fixes. In general, a standard system update will make all
the necessary changes.