Bug 13485

Summary: [CVE 21] samba 4.15.5 CVEs found
Product: [ROSA-based products] ROSA Fresh Reporter: Yury <y.tumanov>
Component: System (kernel, glibc, systemd, bash, PAM...)Assignee: ROSA Linux Bugs <bugs>
Status: RESOLVED DUPLICATE QA Contact: ROSA Linux Bugs <bugs>
Severity: normal    
Priority: Normal CC: e.kosachev, m.novosyolov, s.matveev, v.potapov, y.tumanov
Version: AllFlags: y.tumanov: secteam_verified?
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: CVE-2021-20251, CVE-2021-20254, CVE-2021-20277, CVE-2021-23192, CVE-2022-44640, CVE-2023-0614, CVE-2023-34966, CVE-2023-34967, CVE-2023-34968,
Whiteboard:
Platform: 2021.1 ROSA Vulnerability identifier:
RPM Package: ISO-related:
Bad POT generating: Upstream:

Description Yury 2023-08-23 16:21:15 MSK 
Please patch CVEs for package samba version 4.15.5
  
INFO (CVEs are): samba 4.15.5
 cves found
CVE-2021-20251
Desc: A flaw was found in samba. A race condition in the password lockout code may lead to the risk of brute force attacks being successful if special conditions are met.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20251
Severity: MEDIUM
CVE-2021-20254
Desc: A flaw was found in samba. The Samba smbd file server must map Windows group identities (SIDs) into unix group ids (gids). The code that performs this had a flaw that could allow it to read data beyond the end of the array in the case where a negative cache entry had been added to the mapping cache. This could cause the calling code to return those values into the process token that stores the group membership for a user. The highest threat from this vulnerability is to data confidentiality and integrity.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20254
Severity: MEDIUM
CVE-2021-20277
Desc: A flaw was found in Samba's libldb. Multiple, consecutive leading spaces in an LDAP attribute can lead to an out-of-bounds memory write, leading to a crash of the LDAP server process handling the request. The highest threat from this vulnerability is to system availability.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-20277
Severity: HIGH
CVE-2021-23192
Desc: A flaw was found in the way samba implemented DCE/RPC. If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.
Link: https://nvd.nist.gov/vuln/detail/CVE-2021-23192
Severity: HIGH
CVE-2022-44640
Desc: Heimdal before 7.7.1 allows remote attackers to execute arbitrary code because of an invalid free in the ASN.1 codec used by the Key Distribution Center (KDC).
Link: https://nvd.nist.gov/vuln/detail/CVE-2022-44640
Severity: CRITICAL
CVE-2023-0614
Desc: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure vi LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-0614
Severity: MEDIUM
CVE-2023-34966
Desc: An infinite loop vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets sent by the client, the core unmarshalling function sl_unpack_loop() did not validate a field in the network packet that contains the count of elements in an array-like structure. By passing 0 as the count value, the attacked function will run in an endless loop consuming 100% CPU. This flaw allows an attacker to issue a malformed RPC request, triggering an infinite loop, resulting in a denial of service condition.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34966
Severity: HIGH
CVE-2023-34967
Desc: A Type Confusion vulnerability was found in Samba's mdssvc RPC service for Spotlight. When parsing Spotlight mdssvc RPC packets, one encoded data structure is a key-value style dictionary where the keys are character strings, and the values can be any of the supported types in the mdssvc protocol. Due to a lack of type checking in callers of the dalloc_value_for_key() function, which returns the object associated with a key, a caller may trigger a crash in talloc_get_size() when talloc detects that the passed-in pointer is not a valid talloc pointer. With an RPC worker process shared among multiple client connections, a malicious client or attacker can trigger a process crash in a shared RPC mdssvc worker process, affecting all other clients this worker serves.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34967
Severity: MEDIUM
CVE-2023-34968
Desc: A path disclosure vulnerability was found in Samba. As part of the Spotlight protocol, Samba discloses the server-side absolute path of shares, files, and directories in the results for search queries. This flaw allows a malicious client or an attacker with a targeted RPC request to view the information that is part of the disclosed path.
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-34968
Severity: MEDIUM
Comment 1 Vladimir Potapov 2023-10-20 11:49:44 MSK 

*** This bug has been marked as a duplicate of bug 13935 ***