[Samba] CVE-2022-38023 and Samba versions

Andrew Bartlett abartlet at samba.org
Thu Jun 8 20:29:33 UTC 2023

On Thu, 2023-06-08 at 15:06 +0000, Jim Brand via samba wrote:
> This is in reference to
> https://www.samba.org/samba/security/CVE-2022-38023.html
> "Samba 4.15.13, 4.16.8 and 4.17.4 have been issued
> as security releases to correct the defect.  Samba administrators are
> advised to upgrade to these releases or apply the patch as soon
> as possible."
> Does this only apply if you are running a Linux DC?  

If you are running Samba as a file server only, then the impact is far
less.  (Even on a DC, see the details under 'CVSSv3 calculation' where
we explain more what would really be required to exploit this).

I recommend setting the smb.conf parameters indicated in 'workaround
and notes', 'reject md5 servers' is the key on the member server.

In any case, updating your windows AD DCs will provide the primary
protection, because the vulnerable protocols just will not be

Andrew Bartlett

Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead                https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions

More information about the samba mailing list