This is in reference to https://www.samba.org/samba/security/CVE-2022-38023.html

"Samba 4.15.13, 4.16.8 and 4.17.4 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible."

Does this only apply if you are running a Linux DC? We are not, and are running these Samba versions:

Linux 7 samba-4.10.16-24
Linux 6 samba-4.10.16-20

Will these be affected?

Thanks,
Jim Brand
Union Pacific Railroad
Distributed Engineering & Architecture (DEA)
(402) 544-7430
"The How Matters"
On 08/06/2023 16:06, Jim Brand via samba wrote:
> This is in reference to
>
> https://www.samba.org/samba/security/CVE-2022-38023.html
>
> "Samba 4.15.13, 4.16.8 and 4.17.4 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible."
>
> Does this only apply if you are running a Linux DC?

I very much doubt it, a Samba DC is trying its hardest to be compatible with a Windows DC, so NETLOGON is going to be the same and use the same ciphers.

> We are not and are running these Samba versions
>
> Linux 7 samba-4.10.16-24
> Linux 6 samba-4.10.16-20
>
> Will these be affected?

Yes, you need to check if Red Hat has patched Samba (not sure if RHEL6 will have been).

Rowland
On Thu, 2023-06-08 at 15:06 +0000, Jim Brand via samba wrote:
> This is in reference to
>
> https://www.samba.org/samba/security/CVE-2022-38023.html
>
> "Samba 4.15.13, 4.16.8 and 4.17.4 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible."
>
> Does this only apply if you are running a Linux DC?

If you are running Samba as a file server only, then the impact is far less. (Even on a DC, see the details under 'CVSSv3 calculation' where we explain more what would really be required to exploit this.)

I recommend setting the smb.conf parameters indicated in 'workaround and notes'; 'reject md5 servers' is the key on the member server.

In any case, updating your Windows AD DCs will provide the primary protection, because the vulnerable protocols just will not be available.

Andrew Bartlett

-- 
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead https://catalyst.net.nz/services/samba
Catalyst.Net Ltd
Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
Samba Development and Support: https://catalyst.net.nz/services/samba
Catalyst IT - Expert Open Source Solutions
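As an added illustration of the member-server setting Andrew points to (this fragment is written for this page and is not from the thread, the advisory or the Samba project), here is the weak setting beside the hardened one in a minimal smb.conf [global] section for a Samba domain member acting as a file server. The workgroup and realm values are placeholders; everything other than the 'reject md5 servers' line is assumed surrounding context.

```ini
# Added example (not from the thread): smb.conf [global] for a Samba domain
# MEMBER server (file server role), applying the 'reject md5 servers'
# workaround named in the CVE-2022-38023 advisory.
# workgroup/realm are placeholders; check your own values and your Samba
# version's smb.conf(5) before deploying.
[global]
    workgroup = EXAMPLE              ; assumed NetBIOS domain name
    realm = EXAMPLE.COM              ; assumed Kerberos realm
    security = ADS

    ; Weak setting (the pre-fix default): the member server will accept a
    ; NETLOGON secure channel negotiated with the RC4/HMAC-MD5 flavour that
    ; CVE-2022-38023 concerns.
    ;reject md5 servers = no

    ; Hardened setting: refuse any DC that will not negotiate an AES-based
    ; secure channel. The fixed releases named in the advisory make "yes"
    ; the default; on an older build it has to be set explicitly.
    reject md5 servers = yes
```

After editing, run testparm -s to confirm the parameter is recognised by the installed build (an unknown parameter is reported as such; on a vendor-backported 4.10 package that is the quickest way to tell whether the option exists), and check the effective value with `testparm -s --parameter-name="reject md5 servers"`. This only hardens the member side of the exchange; as Andrew says, patching the Windows AD DCs so the vulnerable protocol is no longer offered remains the primary protection.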