CVE-2022-29869
https://notcve.org/view.php?id=CVE-2022-29869
cifs-utils through 6.14, with verbose logging, can cause an information leak when a file contains = (equal sign) characters but is not a valid credentials file. cifs-utils versiones hasta 6.14, con registro detallado, puede causar un filtrado de información cuando un archivo contiene caracteres = (signo de igualdad) pero no es un archivo de credenciales válido • https://github.com/piastry/cifs-utils/commit/8acc963a2e7e9d63fe1f2e7f73f5a03f83d9c379 https://github.com/piastry/cifs-utils/pull/7 https://lists.debian.org/debian-lts-announce/2022/05/msg00020.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WBOLMANBYJILXQKRRK7OCR774PXJAYY https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HXKZLJYJJEC3TIBFLXUORRMZUKG5W676 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message • CWE-532: Insertion of Sensitive Information into Log File •
CVE-2022-27239
https://notcve.org/view.php?id=CVE-2022-27239
In cifs-utils through 6.14, a stack-based buffer overflow when parsing the mount.cifs ip= command-line argument could lead to local attackers gaining root privileges. En cifs-utils versiones hasta 6.14, un desbordamiento del búfer en la región stack de la memoria cuando es analizado el argumento de línea de comandos mount.cifs ip= podría conllevar a que atacantes locales obtuvieran privilegios de root • http://wiki.robotz.com/index.php/Linux_CIFS_Utils_and_Samba https://bugzilla.samba.org/show_bug.cgi?id=15025 https://bugzilla.suse.com/show_bug.cgi?id=1197216 https://github.com/piastry/cifs-utils/pull/7 https://github.com/piastry/cifs-utils/pull/7/commits/955fb147e97a6a74e1aaa65766de91e2c1479765 https://lists.debian.org/debian-lts-announce/2022/05/msg00020.html https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/5WBOLMANBYJILXQKRRK7OCR774PXJAYY https://lists& • CWE-787: Out-of-bounds Write •
CVE-2021-44141 – samba: Information leak via symlinks of existance of files or directories outside of the exported share
https://notcve.org/view.php?id=CVE-2021-44141
All versions of Samba prior to 4.15.5 are vulnerable to a malicious client using a server symlink to determine if a file or directory exists in an area of the server file system not exported under the share definition. SMB1 with unix extensions has to be enabled in order for this attack to succeed. Todas las versiones de Samba anteriores a 4.15.5, son vulnerables a que un cliente malicioso use un enlace simbólico del servidor para determinar si un archivo o directorio se presenta en un área del sistema de archivos del servidor no exportada bajo la definición de recurso compartido. SMB1 con extensiones unix debe estar habilitado para que este ataque tenga éxito A vulnerability was found in Samba due to an insecure link following. By querying a symlink inside the exported share using SMB1 with unix extensions turned on, an attacker can discover if a named or directory exists on the filesystem outside the exported share. • https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2021-44141.html https://access.redhat.com/security/cve/CVE-2021-44141 https://bugzilla.redhat.com/show_bug.cgi?id=2046120 • CWE-59: Improper Link Resolution Before File Access ('Link Following') CWE-200: Exposure of Sensitive Information to an Unauthorized Actor •
CVE-2022-0336
https://notcve.org/view.php?id=CVE-2022-0336
The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity. El DC de Samba AD incluye comprobaciones cuando son añadidos nombres de directores de servicio (SPN) a una cuenta para asegurar que los SPN no presentan alias con los que ya están en la base de datos. • https://access.redhat.com/security/cve/CVE-2022-0336 https://bugzilla.redhat.com/show_bug.cgi?id=2046134 https://bugzilla.samba.org/show_bug.cgi?id=14950 https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2022-0336.html • CWE-276: Incorrect Default Permissions •
CVE-2021-44142 – Samba fruit_pwrite Heap-based Buffer Overflow Remote Code Execution Vulnerability
https://notcve.org/view.php?id=CVE-2021-44142
The Samba vfs_fruit module uses extended file attributes (EA, xattr) to provide "...enhanced compatibility with Apple SMB clients and interoperability with a Netatalk 3 AFP fileserver." Samba versions prior to 4.13.17, 4.14.12 and 4.15.5 with vfs_fruit configured allow out-of-bounds heap read and write via specially crafted extended file attributes. A remote attacker with write access to extended file attributes can execute arbitrary code with the privileges of smbd, typically root. El módulo vfs_fruit de Samba usa atributos de archivo extendidos (EA, xattr) para proporcionar "...compatibilidad mejorada con los clientes SMB de Apple e interoperabilidad con un servidor de archivos AFP de Netatalk 3". Samba versiones anteriores a 4.13.17, 4.14.12 y 4.15.5 con vfs_fruit configurado permiten una lectura y escritura fuera de límites de la pila por medio de atributos de archivo extendidos especialmente diseñados. • https://github.com/horizon3ai/CVE-2021-44142 https://github.com/gudyrmik/CVE-2021-44142 https://github.com/hrsman/Samba-CVE-2021-44142 https://bugzilla.samba.org/show_bug.cgi?id=14914 https://kb.cert.org/vuls/id/119678 https://security.gentoo.org/glsa/202309-06 https://www.samba.org/samba/security/CVE-2021-44142.html https://www.zerodayinitiative.com/blog/2022/2/1/cve-2021-44142-details-on-a-samba-code-execution-bug-demonstrated-at-pwn2own-austin https://access.redhat • CWE-125: Out-of-bounds Read CWE-787: Out-of-bounds Write •