Security News > 2022 > July > Critical Samba bug could let anyone become Domain Admin – patch now!
Samba is a widely-used open source toolkit that not only makes it easy for Linux and Unix computers to talk to Windows networks, but also lets you host a Windows-style Active Directory domain without Windows servers at all.
Anyone with a long enough memory will recall, probably without a tremendous amount of affection, hooking up OS/2 computers to share files using SMB over NetBIOS. Samba started life in the early 1990s thanks to the hard work of Australian open source pioneer Andrew Tridgell, who figured out from first principles how SMB worked so that he could implement a compatible version for Unix while he was busy with his PhD at the Australian National University.
SMB turned into CIFS, the Common Internet File System, when it was made public by Microsoft in 1996, and has since spawned SMB 2 and SMB 3, which are still proprietary network protocols, but with specifications that are officially published so that tools such as Samba no longer have to rely on reverse engineering and guesswork to provide compatible implementations.
Samba just got updated to fix a number of security vulnerabilities, including a critical bug related to password resets.
As detailed in the latest Samba release notes, there are six CVE-numbered bugs patched, including these five.
If you use a Linux or BSD distro that provides Samba as an installable package, you should already have an update via your distro's package manager; for network devices such as NAS boxes, check with your vendor for details.