CVE CyberSecurity Database News

CVE-2023-0922 - How Samba Exposed Your Reset Passwords Over Unencrypted Connections (With Exploit Example)

Poster -

---

Overview

In early 2023, a major security flaw hit Samba’s Active Directory Domain Controller (AD DC) admin tool. Tagged CVE-2023-0922, this bug exposed new and reset passwords over the network—in cleartext—whenever admins managed users against remote LDAP servers using the default configuration. For organizations relying on Samba for authentication and directory management, this meant attackers could easily intercept sensitive passwords if they were sitting on the same network.

Let’s break down why CVE-2023-0922 happened, what it means for you, and how attackers could exploit this vulnerability, complete with code samples and steps to reproduce the issue.

What is Samba and Why Does This Matter?

Samba is a collection of open-source software that turns a Linux or Unix server into a “Windows-like” file and directory server. Many organizations use its AD DC features to integrate Linux servers into Windows-style authentication worlds, all managed over LDAP.

LDAP (Lightweight Directory Access Protocol) is the protocol used to talk to and manage user information in directories. Sometimes, Samba’s admin tools (like samba-tool) connect to remote LDAP servers for this job.

The Problem: Signed-Only LDAP Sends Passwords in the Clear

By design, Samba’s AD DC administration tool will default to only sign the LDAP connection, not encrypt it. (Think of signatures like wax seals on a letter: the content can still be read in transit, but you know it wasn’t tampered with.)

But the *password* itself goes over the network unencrypted

- Anyone with network access (think: attackers on public Wi-Fi, rogue employees in the office) can sniff and steal the passwords as they are reset.

Demonstration

Let’s illustrate what this looks like with a real example.

1. Setting Up an Attack (MITM) Box

We’ll use tcpdump to sniff passwords from the network.

sudo tcpdump -i eth tcp port 389 -A | grep -i 'newPassword'

Here, we watch traffic on the standard LDAP port (389).

An admin runs

samba-tool user setpassword johndoe --newpassword=SuperSecur3

(Samba by default uses signed LDAP unless you specify otherwise.)

On the attacking machine, our captured output contains

newPassword:SuperSecur3

Boom—clear as day. The new password is visible to anyone watching the network.

Signed (message integrity but NO encryption)

3. Sealed/Encrypted (full transport encryption, protects against eavesdroppers)

Samba’s admin tool mistakenly did NOT bump the connection up to “sealed” when performing password operations—even though passwords are arguably the *most* sensitive.

The Fix: Samba AD CVE-2023-0922 advisory patched the tool so password changes now require a “sealed”/encrypted connection. Otherwise, it throws an error.

Always require encrypted (sealed) LDAP connections, especially for anything involving passwords.

- Update your Samba installation to at least 4.16.10, 4.17.6, or 4.18., where this is fixed.
- Double check your smb.conf and LDAP connection parameters. Always use LDAPS (LDAP over SSL, port 636) where possible.

In Conclusion

CVE-2023-0922 is a classic example of a default configuration exposing deadly secrets. Changing passwords is supposed to *increase* security, but under Samba’s old defaults, it could do the opposite—broadcasting those new passwords to anyone with an antenna in the right spot.

If you use Samba for AD DC or any kind of LDAP management, prioritize updating NOW, audit your configs, and make sure all your password changes travel over truly encrypted pipes.

References

- Official Samba Security Advisory: CVE-2023-0922
- Common Vulnerabilities and Exposures Entry: CVE-2023-0922
- Samba Release Notes and Fix

Timeline

Published on: 04/03/2023 23:15:00 UTC
Last modified on: 04/16/2023 04:15:00 UTC