15262 – (CVE-2022-38042) [SECURITY] Samba should no longer reuse a machine account

Bug 15262 (CVE-2022-38042) - [SECURITY] Samba should no longer reuse a machine account

Summary: [SECURITY] Samba should no longer reuse a machine account

Status:	NEW

Alias:	CVE-2022-38042

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	Tools (show other bugs)
Version:	4.17.3
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	15244
	Show dependency tree / graph

Reported:	2022-12-13 08:20 UTC by Andrew Bartlett
Modified:	2022-12-22 06:57 UTC (History)
CC List:	3 users (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2022-12-13 08:20:42 UTC

Windows has stopped reusing machine accounts in October 2022 per https://twitter.com/brdpoker/status/1579962197362769921 and https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

Samba should do the same.  A user who owns an account is very powerful over that account, so is is not safe to attempt to reset an existing account.

Comment 2 Andrew Bartlett 2022-12-13 08:33:20 UTC

CVE-2022-38042 is the Microsoft CVE for this issue.  As this is the same protocol the same CVE applies.

The MS-given CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H looks reasonable.

Comment 3 Andrew Bartlett 2022-12-13 18:43:53 UTC

(In reply to Andrew Bartlett from comment #2)
The MS CVSS3.1 score calculates to 7.1 (HIGH)