[Samba] CVE-2022-38023 and Samba versions
Andrew Bartlett
abartlet at samba.org
Thu Jun 8 20:29:33 UTC 2023
On Thu, 2023-06-08 at 15:06 +0000, Jim Brand via samba wrote:
> This is in reference to
>
> https://www.samba.org/samba/security/CVE-2022-38023.html
>
>
>
> "Samba 4.15.13, 4.16.8 and 4.17.4 have been issued
> as security releases to correct the defect. Samba administrators are
> advised to upgrade to these releases or apply the patch as soon
> as possible."
>
> Does this only apply if you are running a Linux DC?

If you are running Samba as a file server only, then the impact is far
less. (Even on a DC, see the details under 'CVSSv3 calculation' where
we explain more what would really be required to exploit this.)

I recommend setting the smb.conf parameters indicated in 'workaround
and notes'; 'reject md5 servers' is the key one on the member server.

In any case, updating your Windows AD DCs will provide the primary
protection, because the vulnerable protocols just will not be
available.
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group
company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
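As an added example, not from this thread or the Samba project: a small Python audit that reads an smb.conf and reports whether 'reject md5 servers' is explicitly enabled in [global], normalising parameter names the way Samba does (case and embedded whitespace are ignored). The sample configuration is constructed.

```python
import re

# Constructed smb.conf fragment (not from the page): a member server whose
# admin has left the setting explicitly disabled.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    security = ads
    reject md5 servers = no

[share]
    path = /srv/share
"""

def _normalise(name: str) -> str:
    # Samba matches parameter names case-insensitively and ignores
    # embedded whitespace: 'Reject MD5 Servers' == 'rejectmd5servers'.
    return re.sub(r"\s+", "", name).lower()

def global_params(conf_text: str) -> dict:
    """Return the [global] section as {normalised_name: lowercased_value}."""
    params = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        # smb.conf comment lines start with '#' or ';'
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _normalise(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_normalise(key)] = value.strip().lower()
    return params

def reject_md5_servers_ok(conf_text: str) -> bool:
    """True only when 'reject md5 servers' is explicitly set to a yes value.

    A missing entry is reported as not hardened: fixed Samba releases default
    it to yes, but an explicit line makes the intent visible to an auditor.
    """
    value = global_params(conf_text).get("rejectmd5servers")
    return value in ("yes", "true", "1")

if __name__ == "__main__":
    print("reject md5 servers hardened:", reject_md5_servers_ok(SAMPLE_SMB_CONF))
```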