cve-2022-0336
Vulnerability from cvelistv5
Published
2022-08-29 00:00
Modified
2024-08-02 23:25
Severity ?
Summary
The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.
References
secalert@redhat.comhttps://access.redhat.com/security/cve/CVE-2022-0336Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://bugzilla.redhat.com/show_bug.cgi?id=2046134Issue Tracking, Third Party Advisory
secalert@redhat.comhttps://bugzilla.samba.org/show_bug.cgi?id=14950Issue Tracking, Patch, Vendor Advisory
secalert@redhat.comhttps://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3cPatch, Third Party Advisory
secalert@redhat.comhttps://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400Patch, Third Party Advisory
secalert@redhat.comhttps://security.gentoo.org/glsa/202309-06
secalert@redhat.comhttps://www.samba.org/samba/security/CVE-2022-0336.htmlVendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://access.redhat.com/security/cve/CVE-2022-0336Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.redhat.com/show_bug.cgi?id=2046134Issue Tracking, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://bugzilla.samba.org/show_bug.cgi?id=14950Issue Tracking, Patch, Vendor Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3cPatch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400Patch, Third Party Advisory
af854a3a-2127-422b-91ae-364da2661108https://security.gentoo.org/glsa/202309-06
af854a3a-2127-422b-91ae-364da2661108https://www.samba.org/samba/security/CVE-2022-0336.htmlVendor Advisory
Impacted products
Vendor Product Version
n/a Samba Version: Affects Samba v4.0.0 and later, Fixed in samba v4.13.17, v4.14.12, v4.15.4.
Show details on NVD website

To clipboard 

{
   containers: {
      adp: [
         {
            providerMetadata: {
               dateUpdated: "2024-08-02T23:25:40.210Z",
               orgId: "af854a3a-2127-422b-91ae-364da2661108",
               shortName: "CVE",
            },
            references: [
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://www.samba.org/samba/security/CVE-2022-0336.html",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://bugzilla.samba.org/show_bug.cgi?id=14950",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://bugzilla.redhat.com/show_bug.cgi?id=2046134",
               },
               {
                  tags: [
                     "x_transferred",
                  ],
                  url: "https://access.redhat.com/security/cve/CVE-2022-0336",
               },
               {
                  name: "GLSA-202309-06",
                  tags: [
                     "vendor-advisory",
                     "x_transferred",
                  ],
                  url: "https://security.gentoo.org/glsa/202309-06",
               },
            ],
            title: "CVE Program Container",
         },
      ],
      cna: {
         affected: [
            {
               product: "Samba",
               vendor: "n/a",
               versions: [
                  {
                     status: "affected",
                     version: "Affects Samba v4.0.0 and later, Fixed in samba v4.13.17, v4.14.12, v4.15.4.",
                  },
               ],
            },
         ],
         descriptions: [
            {
               lang: "en",
               value: "The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.",
            },
         ],
         problemTypes: [
            {
               descriptions: [
                  {
                     cweId: "CWE-276",
                     description: "CWE-276 - Incorrect Default Permissions",
                     lang: "en",
                     type: "CWE",
                  },
               ],
            },
         ],
         providerMetadata: {
            dateUpdated: "2023-09-17T08:06:53.455235",
            orgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
            shortName: "redhat",
         },
         references: [
            {
               url: "https://www.samba.org/samba/security/CVE-2022-0336.html",
            },
            {
               url: "https://bugzilla.samba.org/show_bug.cgi?id=14950",
            },
            {
               url: "https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c",
            },
            {
               url: "https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400",
            },
            {
               url: "https://bugzilla.redhat.com/show_bug.cgi?id=2046134",
            },
            {
               url: "https://access.redhat.com/security/cve/CVE-2022-0336",
            },
            {
               name: "GLSA-202309-06",
               tags: [
                  "vendor-advisory",
               ],
               url: "https://security.gentoo.org/glsa/202309-06",
            },
         ],
      },
   },
   cveMetadata: {
      assignerOrgId: "53f830b8-0a3f-465b-8143-3b8a9948e749",
      assignerShortName: "redhat",
      cveId: "CVE-2022-0336",
      datePublished: "2022-08-29T00:00:00",
      dateReserved: "2022-01-21T00:00:00",
      dateUpdated: "2024-08-02T23:25:40.210Z",
      state: "PUBLISHED",
   },
   dataType: "CVE_RECORD",
   dataVersion: "5.1",
   "vulnerability-lookup:meta": {
      nvd: "{\"cve\":{\"id\":\"CVE-2022-0336\",\"sourceIdentifier\":\"secalert@redhat.com\",\"published\":\"2022-08-29T15:15:09.250\",\"lastModified\":\"2024-11-21T06:38:24.290\",\"vulnStatus\":\"Modified\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"The Samba AD DC includes checks when adding service principals names (SPNs) to an account to ensure that SPNs do not alias with those already in the database. Some of these checks are able to be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. An attacker who has the ability to write to an account can exploit this to perform a denial-of-service attack by adding an SPN that matches an existing service. Additionally, an attacker who can intercept traffic can impersonate existing services, resulting in a loss of confidentiality and integrity.\"},{\"lang\":\"es\",\"value\":\"El DC de Samba AD incluye comprobaciones cuando son añadidos nombres de directores de servicio (SPN) a una cuenta para asegurar que los SPN no presentan alias con los que ya están en la base de datos. Algunas de estas comprobaciones pueden omitirse si una modificación de la cuenta vuelve a añadir un SPN que ya estaba presente en esa cuenta, como uno añadido cuando un equipo es unido a un dominio. Un atacante que tenga la capacidad de escribir en una cuenta puede aprovechar esto para llevar a cabo un ataque de denegación de servicio al añadir un SPN que coincida con un servicio existente. Además, un atacante que pueda interceptar el tráfico puede hacerse pasar por los servicios existentes, resultando en una pérdida de confidencialidad e integridad\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":8.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":2.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"secalert@redhat.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-276\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.0\",\"versionEndExcluding\":\"4.13.17\",\"matchCriteriaId\":\"3EEB3465-0B2F-481E-B839-3ABCE85E2299\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.14.0\",\"versionEndExcluding\":\"4.14.12\",\"matchCriteriaId\":\"4E57F9C0-2EA0-4485-B018-665139BA3F42\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.15.0\",\"versionEndExcluding\":\"4.15.4\",\"matchCriteriaId\":\"713AE88D-3F5B-4E80-8E10-692B4925F76B\"}]}]},{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:34:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"A930E247-0B43-43CB-98FF-6CE7B8189835\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:fedoraproject:fedora:35:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"80E516C0-98A4-4ADE-B69F-66A772E2BAAA\"}]}]}],\"references\":[{\"url\":\"https://access.redhat.com/security/cve/CVE-2022-0336\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2046134\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.samba.org/show_bug.cgi?id=14950\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202309-06\",\"source\":\"secalert@redhat.com\"},{\"url\":\"https://www.samba.org/samba/security/CVE-2022-0336.html\",\"source\":\"secalert@redhat.com\",\"tags\":[\"Vendor Advisory\"]},{\"url\":\"https://access.redhat.com/security/cve/CVE-2022-0336\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.redhat.com/show_bug.cgi?id=2046134\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Third Party Advisory\"]},{\"url\":\"https://bugzilla.samba.org/show_bug.cgi?id=14950\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Issue Tracking\",\"Patch\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://github.com/samba-team/samba/commit/c58ede44f382bd0125f761f0479c8d48156be400\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Patch\",\"Third Party Advisory\"]},{\"url\":\"https://security.gentoo.org/glsa/202309-06\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"},{\"url\":\"https://www.samba.org/samba/security/CVE-2022-0336.html\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\",\"tags\":[\"Vendor Advisory\"]}]}}",
   },
}


Log in or create an account to share your comment.

Security Advisory comment format.

This schema specifies the format of a comment related to a security advisory.

UUIDv4 of the comment
UUIDv4 of the Vulnerability-Lookup instance
When the comment was created originally
When the comment was last updated
Title of the comment
Description of the comment
The identifier of the vulnerability (CVE ID, GHSA-ID, PYSEC ID, etc.).



Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
  • Confirmed: The vulnerability is confirmed from an analyst perspective.
  • Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
  • Patched: This vulnerability was successfully patched by the user reporting the sighting.
  • Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
  • Not confirmed: The user expresses doubt about the veracity of the vulnerability.
  • Not patched: This vulnerability was not successfully patched by the user reporting the sighting.