On Thu, 2023-06-08 at 15:06 +0000, Jim Brand via samba wrote:> This is in reference to > > https://www.samba.org/samba/security/CVE-2022-38023.html > > > > "Samba 4.15.13, 4.16.8 and 4.17.4 have been issued > as security releases to correct the defect. Samba administrators are > advised to upgrade to these releases or apply the patch as soon > as possible." > > Does this only apply if you are running a Linux DC?If you are running Samba as a file server only, then the impact is far less. (Even on a DC, see the details under 'CVSSv3 calculation' where we explain more what would really be required to exploit this). I recommend setting the smb.conf parameters indicated in 'workaround and notes', 'reject md5 servers' is the key on the member server. In any case, updating your windows AD DCs will provide the primary protection, because the vulnerable protocols just will not be available. Andrew Bartlett -- Andrew Bartlett (he/him) https://samba.org/~abartlet/ Samba Team Member (since 2001) https://samba.org Samba Team Lead https://catalyst.net.nz/services/samba Catalyst.Net Ltd Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company Samba Development and Support: https://catalyst.net.nz/services/samba Catalyst IT - Expert Open Source Solutions
Just to clarify we are only running Samba file servers. And we would certainly add the workarounds in smb.conf But will we have problems communicating with Windows domain controllers if we are still running samba-4.10 after July 2023? Per https://support.microsoft.com/en-us/topic/kb5021130-how-to-manage-the-netlogon-protocol-changes-related-to-cve-2022-38023-46ea3067-3989-4d40-963c-680fd9e8ee25 the July Windows updates will enforce RPC sealing and RPC signing will not be allowed. Does Samba 4.10.16-20/24 use the sealing or the signing netlogon protocol talking to Windows DCs? Thanks, Jim This email and any attachments may contain information that is confidential and/or privileged for the sole use of the intended recipient. Any use, review, disclosure, copying, distribution or reliance by others, and any forwarding of this email or its contents, without the express permission of the sender is strictly prohibited by law. If you are not the intended recipient, please contact the sender immediately, delete the e-mail and destroy all copies.