Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities

Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems.
The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8, and 4.15.13, released on December 15, 2022.
Samba is an open-source Windows interoperability suite for Linux, Unix, and macOS operating systems that provides file server, printing, and Active Directory services.
It's worth noting that both CVE-2022-37966 and CVE-2022-37967, which enable an adversary to gain administrator privileges, were first disclosed by Microsoft as part of its November 2022 Patch Tuesday updates.
"An unauthenticated attacker could conduct an attack that could leverage cryptographic protocol vulnerabilities in RFC 4757 and MS-PAC to bypass security features in a Windows AD environment," the company said of CVE-2022-37966.
The patches also come as the U.S. Cybersecurity and Infrastructure Security Agency this week published 41 Industrial Control Systems advisories pertaining to various flaws impacting Siemens and Prosys OPC products.
News URL
https://thehackernews.com/2022/12/samba-issues-security-updates-to-patch.html
Related Vulnerability
| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2023-03-06 | CVE-2022-45141 | Inadequate Encryption Strength vulnerability in Samba. Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8, 2022, and per RFC 8429 it is assumed that rc4-hmac is weak, vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (e.g. aes256-cts-hmac-sha1-96). | 9.8 |
| 2022-11-09 | CVE-2022-38023 | Netlogon RPC Elevation of Privilege Vulnerability | 0.0 |
| 2022-11-09 | CVE-2022-37967 | Windows Kerberos Elevation of Privilege Vulnerability | 0.0 |
| 2022-11-09 | CVE-2022-37966 | Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability | 0.0 |