Bug 15262 (CVE-2022-38042) - [SECURITY] Samba should no longer reuse a machine account
Summary: [SECURITY] Samba should no longer reuse a machine account
Status: NEW
Alias: CVE-2022-38042
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.17.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Blocks: 15244
Reported: 2022-12-13 08:20 UTC by Andrew Bartlett
Modified: 2022-12-22 06:57 UTC
CC: 3 users

See Also:

Description Andrew Bartlett 2022-12-13 08:20:42 UTC
Windows has stopped reusing machine accounts in October 2022 per https://twitter.com/brdpoker/status/1579962197362769921 and https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

Samba should do the same.  A user who owns an account is very powerful over that account, so it is not safe to attempt to reset an existing account.
Comment 2 Andrew Bartlett 2022-12-13 08:33:20 UTC
CVE-2022-38042 is the Microsoft CVE for this issue.  As this is the same protocol the same CVE applies.

The MS-given CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H looks reasonable.
Comment 3 Andrew Bartlett 2022-12-13 18:43:53 UTC
(In reply to Andrew Bartlett from comment #2)
The MS CVSS3.1 score calculates to 7.1 (HIGH)