The Samba AD DC prevents denial-of-service attacks by rejecting changes to SPNs that are already present in the database. Due to the nature of SPN aliasing, an attacker who has access to an account can take advantage of this to cause the Samba AD DC to reject changes to existing SPNs. This can be used to cause the AD DC to reject all future changes to existing SPNs. An attacker who has access to an account can take advantage of this to cause the AD DC to accept changes to existing SPNs. This makes it easier for the attacker to change an existing SPN to one that the Samba AD DC does not expect. This can be used to cause the Samba AD DC to accept all future changes to new SPNs. These changes can be made without any user interaction, making it much easier for an attacker with access to an account to make changes to the AD database.

How do I know if my instance is vulnerable?

To determine if your instance is vulnerable, perform all of the following steps:
1. Check the logs on the Samba AD DC for entries indicating that users are trying to change SPNs and are being rejected by the DC.
2. Check that you can use the net ads dns command to add a new SPN without being rejected by the DC.
3. Check that you can use the net ads dns command to remove an existing SPN without being rejected by the DC.
4. Check that you cannot create a new SPN in a directory outside of what is allowed in the schema file, such as creating an SPN in /etc or creating a new one in user instead of system.

Products Affected

Samba, Samba Active Directory Domain Controller

Overview

Maintaining a secure environment is critical for the success of any organization. The Samba AD DC prevents denial-of-service attacks by rejecting changes to SPNs that are already present in the database. Due to the nature of SPN aliasing, an attacker who has access to an account can take advantage of this to cause the Samba AD DC to reject changes to existing SPNs. This can be used to cause the AD DC to reject all future changes to existing SPNs. An attacker who has access to an account can take advantage of this to cause the AD DC to accept changes to existing SPNs. This makes it easier for the attacker to change an existing SPN to one that the Samba AD DC does not expect. This can be used to cause the Samba AD DC to accept all future changes (i.e., new) and new SPNs without any user interaction, making it much easier for an attacker with access to an account to make changes to the AD database.

CVE-2022-0338

The Samba AD DC allows remote attackers to change the password for a service account. Due to the nature of SPN aliasing, an attacker who has access to an account can take advantage of this to cause the Samba AD DC to accept changes to existing SPNs. This makes it easier for the attacker to change an existing SPN to one that the Samba AD DC does not expect. This can be used to cause the Samba AD DC to accept all future changes to new SPNs. These changes can be made without any user interaction, making it much easier for an attacker with access to an account to make changes to the AD database.

Vulnerability Discovery

The vulnerability was discovered by the Samba AD DC's sysadm user.