Bug 1201493 - (CVE-2022-32744) VUL-0: CVE-2022-32744: samba, ldb: AD users can forge password change requests for any user
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: Novell Samba Team
Security Team bot
https://smash.suse.de/issue/337265/
CVSSv3.1:SUSE:CVE-2022-32744:8.8:(AV:...
Reported: 2022-07-14 07:15 UTC by Robert Frohl
Modified: 2022-09-06 10:02 UTC

Comment 5 Thomas Leroy 2022-07-26 07:29:06 UTC
Thanks for the submissions! However we also need submission for
SUSE:SLE-11-SP3:Update
SUSE:SLE-12-SP1:Update
SUSE:SLE-12-SP2:Update
SUSE:SLE-12-SP3:Update
SUSE:SLE-15:Update 	
SUSE:SLE-15-SP1:Update 
SUSE:SLE-15-SP2:Update	
SUSE:SLE-15-SP2:Update:Products:SES7:Update
Comment 6 James McDonough 2022-07-26 13:45:16 UTC
(In reply to Thomas Leroy from comment #5)
> Thanks for the submissions! However we also need submission for
> SUSE:SLE-11-SP3:Update
> SUSE:SLE-12-SP1:Update
> SUSE:SLE-12-SP2:Update
> SUSE:SLE-12-SP3:Update
> SUSE:SLE-15:Update 	
These did not have the AD domain controller shipped

> SUSE:SLE-15-SP1:Update 
> SUSE:SLE-15-SP2:Update	
These two had AD domain controller but only as a tech preview, and it would be risky to backport a massive changeset to LTSS-only releases for a tech preview.


> SUSE:SLE-15-SP2:Update:Products:SES7:Update
This did not have the AD domain controller shipped
Comment 7 Thomas Leroy 2022-07-28 07:20:45 UTC
public: https://www.samba.org/samba/security/CVE-2022-32744.html
Comment 8 Swamp Workflow Management 2022-07-29 13:17:08 UTC
SUSE-SU-2022:2586-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Linux Enterprise Micro 5.1 (src):    ldb-2.4.3-150300.3.20.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.8+git.500.d5910280cc7-150300.3.37.1
SUSE Enterprise Storage 7.1 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 9 Swamp Workflow Management 2022-07-29 13:20:11 UTC
SUSE-SU-2022:2582-1: An update that solves 5 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.8+git.462.e73f4310487-3.68.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2022-08-03 22:18:17 UTC
SUSE-SU-2022:2659-1: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap 15.4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    ldb-2.4.3-150400.4.8.1, samba-4.15.8+git.500.d5910280cc7-150400.3.11.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    samba-4.15.8+git.500.d5910280cc7-150400.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Gianluca Gabrielli 2022-08-23 12:51:06 UTC
Why did SLE-12-SP5/ldb get no submission?
Comment 12 Gianluca Gabrielli 2022-08-23 12:52:14 UTC
(In reply to James McDonough from comment #6)
> (In reply to Thomas Leroy from comment #5)
> > SUSE:SLE-15-SP1:Update 
> > SUSE:SLE-15-SP2:Update	
> These two had AD domain controller but only as a tech preview, and it would
> be risky to backport a massive changeset to LTSS-only releases for a tech
> preview.

Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb vulnerable as well?
Comment 13 James McDonough 2022-08-23 14:40:45 UTC
(In reply to Gianluca Gabrielli from comment #12)
> (In reply to James McDonough from comment #6)
> > (In reply to Thomas Leroy from comment #5)
> > > SUSE:SLE-15-SP1:Update 
> > > SUSE:SLE-15-SP2:Update	
> > These two had AD domain controller but only as a tech preview, and it would
> > be risky to backport a massive changeset to LTSS-only releases for a tech
> > preview.
> 
> Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb
> vulnerable as well?
It does not affect our supported code, only the tech preview.  My above statement explains it.


(In reply to Gianluca Gabrielli from comment #11)
> Why did SLE-12-SP5/ldb get no submission?

It did not have AD domain controller support, so it is not affected.
Comment 14 Gianluca Gabrielli 2022-08-23 14:58:35 UTC
(In reply to James McDonough from comment #13)
> (In reply to Gianluca Gabrielli from comment #12)
> > (In reply to James McDonough from comment #6)
> > > (In reply to Thomas Leroy from comment #5)
> > > > SUSE:SLE-15-SP1:Update 
> > > > SUSE:SLE-15-SP2:Update	
> > > These two had AD domain controller but only as a tech preview, and it would
> > > be risky to backport a massive changeset to LTSS-only releases for a tech
> > > preview.
> > 
> > Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb
> > vulnerable as well?
> It does not affect our supported code, only the tech preview.  My above
> statement explains it.
> 
> 
> (In reply to Gianluca Gabrielli from comment #11)
> > Why did SLE-12-SP5/ldb get no submission?
> 
> It did not have AD domain controller support, so it is not affected.

So only SLE-12-SP5/samba does?
Comment 15 Noel Power 2022-08-23 15:04:34 UTC
(In reply to Gianluca Gabrielli from comment #14)
> (In reply to James McDonough from comment #13)
> > (In reply to Gianluca Gabrielli from comment #12)
> > > (In reply to James McDonough from comment #6)
> > > > (In reply to Thomas Leroy from comment #5)
> > > > > SUSE:SLE-15-SP1:Update 
> > > > > SUSE:SLE-15-SP2:Update	
> > > > These two had AD domain controller but only as a tech preview, and it would
> > > > be risky to backport a massive changeset to LTSS-only releases for a tech
> > > > preview.
> > > 
> > > Should we consider SUSE:SLE-15-SP1:Update/ldb and SUSE:SLE-15-SP1:Update/ldb
> > > vulnerable as well?
> > It does not affect our supported code, only the tech preview.  My above
> > statement explains it.
> > 
> > 
> > (In reply to Gianluca Gabrielli from comment #11)
> > > Why did SLE-12-SP5/ldb get no submission?
> > 
> > It did not have AD domain controller support, so it is not affected.
> 
> So only SLE-12-SP5/samba does?

So it is CVE-2022-32746, not CVE-2022-32744, that affects ldb (the summary here is misleading). Also, in this case the changes to ldb are infrastructure changes needed to fix a bug in samba's domain controller logging module. SLE12-SP5 is not built with domain controller (AD) support, thus it is not affected.
Comment 16 Gianluca Gabrielli 2022-08-23 15:35:47 UTC
Gotcha, thanks for the clarification. 

Can you explain why SR#276311 [0] backports the fix for CVE-2022-32744 to SUSE:SLE-12-SP5:Update/samba?

Moreover, I guess the same can be said for CVE-2022-32745 and CVE-2022-2031, correct?

[0] https://build.suse.de/request/show/276311
Comment 17 Noel Power 2022-08-23 15:41:29 UTC
(In reply to Gianluca Gabrielli from comment #16)
> Gotcha, thanks for the clarification. 
> 
> Can you explain why SR#276311 [0] backports the fix for CVE-2022-32744 to
> SUSE:SLE-12-SP5:Update/samba?
> 
> Moreover, I guess the same can be said for CVE-2022-32745 and CVE-2022-2031,
> correct?
> 
> [0] https://build.suse.de/request/show/276311


it makes more sense to apply the patch (since it was available for the code base regardless of whether it was strictly relevant) for the complete code base (including the ldb sources) in order to keep them as up to date as possible.

Think about a subsequent security fix that depends on code already assumed to be in the release because of a previous security release.

SLE12-SP5 is additionally even more special because samba is built with a bundled version of ldb
Comment 18 Gianluca Gabrielli 2022-08-24 08:35:23 UTC
(In reply to Noel Power from comment #17)
> it makes more sense to apply the patch (since it was available for the code
> base regardless of whether it was strictly relevant) for the complete code
> base (including the ldb sources) in order to keep them as up to date as
> possible.
> 
> Think about a subsequent security fix that depends on code already assumed
> to be in the release because of a previous security release.

Clear, and I agree with you. Wouldn't the same reason apply for SUSE:SLE-12-SP5:Update/ldb too? 
 
> SLE12-SP5 is additionally even more special because samba is built with a
> bundled version of ldb

Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5 samba uses a bundled version of ldb?
Comment 19 Noel Power 2022-08-24 08:56:55 UTC
(In reply to Gianluca Gabrielli from comment #18)
> (In reply to Noel Power from comment #17)
> > it makes more sense to apply the patch (since it was available for the code
> > base regardless of whether it was strictly relevant) for the complete code
> > base (including the ldb sources) in order to keep them as up to date as
> > possible.
> > 
> > Think about a subsequent security fix that depends on code already assumed
> > to be in the release because of a previous security release.
> 
> Clear, and I agree with you. Wouldn't the same reason apply for
> SUSE:SLE-12-SP5:Update/ldb too? 
yep but the update would not be as straightforward as updating the bundled ldb version, see below
>  
> > SLE12-SP5 is additionally even more special because samba is built with a
> > bundled version of ldb
> 
> Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5
> samba uses a bundled version of ldb?
No, it's not that we don't care about it, just at the time (under pressure with a sec release) it wasn't high on the priority list because it wasn't strictly necessary. More importantly, the ldb version on sle12-sp5 is an older series than 'say' sle15-sp3/sp4 and there were some problems (that I can't recall exactly) why we did not bump the ldb version when we aligned the sle12-sp5 samba version with sle15-sp3/sp4 (ironically because of another security release). This is the reason why ldb is bundled with samba on sle12-sp5. So, the issue here is that most likely it is not trivial to backport the ldb fixes from ldb2.x to ldb1.x.
Comment 20 Gianluca Gabrielli 2022-08-24 11:28:41 UTC
(In reply to Noel Power from comment #19)
> (In reply to Gianluca Gabrielli from comment #18)
> > (In reply to Noel Power from comment #17)
> > > SLE12-SP5 is additionally even more special because samba is built with a
> > > bundled version of ldb
> > 
> > Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5
> > samba uses a bundled version of ldb?
> No, it's not that we don't care about it, just at the time (under pressure
> with a sec release) it wasn't high on the priority list because it wasn't
> strictly necessary. More importantly, the ldb version on sle12-sp5 is an older
> series than 'say' sle15-sp3/sp4 and there were some problems (that I can't
> recall exactly) why we did not bump the ldb version when we aligned the
> sle12-sp5 samba version with sle15-sp3/sp4 (ironically because of another
> security release). This is the reason why ldb is bundled with samba on
> sle12-sp5. So, the issue here is that most likely it is not trivial to
> backport the ldb fixes from ldb2.x to ldb1.x.

Are you aware if SUSE:SLE-12-SP5:Update/ldb is used by packages other than samba? In case it is there only for samba, wouldn't it make sense to version bump it to align with the other codestreams' setup and start using that one instead of the bundled one?
Comment 21 Noel Power 2022-08-24 12:06:58 UTC
(In reply to Gianluca Gabrielli from comment #20)
> (In reply to Noel Power from comment #19)
> > (In reply to Gianluca Gabrielli from comment #18)
> > > (In reply to Noel Power from comment #17)
> > > > SLE12-SP5 is additionally even more special because samba is built with a
> > > > bundled version of ldb
> > > 
> > > Maybe you don't care about SUSE:SLE-12-SP5:Update/ldb because on SLE12-SP5
> > > samba uses a bundled version of ldb?
> > No, it's not that we don't care about it, just at the time (under pressure
> > with a sec release) it wasn't high on the priority list because it wasn't
> > strictly necessary. More importantly, the ldb version on sle12-sp5 is an older
> > series than 'say' sle15-sp3/sp4 and there were some problems (that I can't
> > recall exactly) why we did not bump the ldb version when we aligned the
> > sle12-sp5 samba version with sle15-sp3/sp4 (ironically because of another
> > security release). This is the reason why ldb is bundled with samba on
> > sle12-sp5. So, the issue here is that most likely it is not trivial to
> > backport the ldb fixes from ldb2.x to ldb1.x.
> 
> Are you aware if SUSE:SLE-12-SP5:Update/ldb is used by packages other than
> samba?
Not in particular, but there are python2 bindings (which are supported packages) provided by ldb1 (which were removed in ldb2 and not supported in the later versions of sle15 where the samba versions match). Note: the later versions require the newer version of ldb (ldb2). This is one of the main reasons why samba needs instead to use the bundled version of ldb.
> In case it is there only for samba, wouldn't it make sense to version
> bump it to align with the other codestreams' setup and start using that one
> instead of the bundled one?
No, see above.
Comment 22 Gianluca Gabrielli 2022-08-24 15:20:04 UTC
just to recap, 

 - SUSE:SLE-12-SP5:Update/ldb is ldb1
 - SUSE:SLE-12-SP5:Update/samba uses the ldb bundled version which is ldb2.

as ldb1 is not affected I can flag SUSE:SLE-12-SP5:Update/ldb as not affected.

 - SUSE:SLE-12-SP5:Update/samba has already been released and it includes the patches for both samba and ldb2.

While the following packages are all affected, but we are not going to submit any patch due to the fact that they implement AD domain controller only as a tech preview.

 - SUSE:SLE-15-SP1:Update/samba, SUSE:SLE-15-SP1:Update/ldb 
 - SUSE:SLE-15-SP2:Update/samba, SUSE:SLE-15-SP2:Update/ldb


Is my statement correct?
Comment 23 Noel Power 2022-08-25 08:58:31 UTC
(In reply to Gianluca Gabrielli from comment #22)
> just to recap, 
> 
>  - SUSE:SLE-12-SP5:Update/ldb is ldb1
>  - SUSE:SLE-12-SP5:Update/samba uses the ldb bundled version which is ldb2.
> 
> as ldb1 is not affected I can flag SUSE:SLE-12-SP5:Update/ldb as not
> affected.
> 
>  - SUSE:SLE-12-SP5:Update/samba has already been released and it includes the
> patches for both samba and ldb2.
> 
> While the following packages are all affected, but we are not going to
> submit any patch due to the fact that they implement AD domain controller
> only as a tech preview.
> 
>  - SUSE:SLE-15-SP1:Update/samba, SUSE:SLE-15-SP1:Update/ldb 
>  - SUSE:SLE-15-SP2:Update/samba, SUSE:SLE-15-SP2:Update/ldb
> 
> 
> Is my statement correct?

Unfortunately, it appears I made a mistake here when preparing the changelog. I got confused by both the similar numbers CVE-2022-32745, CVE-2022-32746, CVE-2022-32747 (with 32744 being wrong) and the fact that all the SUSE bugs in question mention ldb in the bug summary. Your statement above is true for CVE-2022-32746, the only one actually affecting ldb. I'm afraid I have made things very confusing.
Comment 26 Swamp Workflow Management 2022-09-01 15:09:25 UTC
SUSE-SU-2022:2586-2: An update that solves 5 vulnerabilities and has 6 fixes is now available.

Category: security (important)
Bug References: 1196224,1198255,1199247,1199734,1200556,1200964,1201490,1201492,1201493,1201495,1201496
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    ldb-2.4.3-150300.3.20.1, samba-4.15.8+git.500.d5910280cc7-150300.3.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Thomas Leroy 2022-09-06 10:02:12 UTC
Agreed for setting 15sp1 and 15sp2 as wontfix.
Everything done, closing