CVE-2021-20316 : samba - symlink race condition

Versions Affected : All versions prior to TrueNAS Core 13.0.

Versions Not Affected : TrueNAS SCALE is not vulnerable.

Description

All versions of Samba prior to 4.15.0 are vulnerable to a malicious client using an SMB1 or NFS symlink race to allow filesystem metadata to be accessed in an area of the server file system not exported under the share definition. Note that SMB1 has to be enabled, or the share also available via NFS in order for this attack to succeed.

CVE-2020-25717 : samba - AD Domain user Privledge escalation

Versions Affected : All versions prior to TrueNAS 12.0-U6.1 and SCALE 22.02-RC.1-2

Description

Samba will attempt to find a user “DOMAIN\user” before falling back to trying to find the user “user”. If the DOMAIN\user lookup can be made to fail, then a privilege escalation is possible.

CVE-2020-23192 : samba - Subsequent DCE/RPC fragment injection vulnerability

Versions Affected : All versions prior to TrueNAS 12.0-U6.1 and SCALE 22.02-RC.1-2

Description

If a client to a Samba server sent a very large DCE/RPC request, and chose to fragment it, an attacker could replace later fragments with their own data, bypassing the signature requirements.

CVE-2020-2124 : samba - SMB1 client connections can be downgraded to plaintext authentication

Versions Affected : All versions prior to SCALE 22.02-RC.1-2

Description

A man in the middle attack can force the client side SMB1 code to fall-back to plaintext or NTLM based authentication even if Kerberos authentication was requested by the user or application.

CVE-2021-20254 : samba - negative idmap cache

Versions Affected : All versions prior to TrueNAS 12.0-U3.1

Description

Negative idmap cache entries can cause incorrect group entries in the Samba file server process token.

CVE-2020-15078 : openvpn - authentication bypass

Versions Affected : All versions prior to TrueNAS 12.0-U3.1

Description

OpenVPN 2.5.1 and earlier versions allows a remote attackers to bypass authentication and access control channel data on servers configured with deferred authentication, which can be used to potentially trigger further information leaks.

CVE-2021-3156 : sudo - Heap-based Buffer Overflow

Versions Affected : All versions prior to TrueNAS 12.0-U2 Description A serious heap-based buffer overflow has been discovered in sudo that is exploitable by any local user. It has been given the name Baron Samedit by its discoverer. The bug can be leveraged to elevate privileges to root, even if the user is not listed in the sudoers file. User authentication is not required to exploit the bug.

CVE-2020-24717 : Insecure Permissions

Versions Affected : TrueNAS 12.0-BETA1 and 12.0-BETA2 Description OpenZFS before 2.0.0-rc1, when used on FreeBSD, misinterprets group permissions as user permissions, as demonstrated by mode 0770 being equivalent to mode 0777 Workaround No workaround is available. Mitigation Upgrade to 12.0-BETA2.1 or later Commit Jira Ticket Github Commit Ports Commit Further information NIST CVE-2020-24717 Entry

CVE-2020-24716 : Insecure Permissions

Versions Affected : TrueNAS 12.0-BETA1 and 12.0-BETA2 Description OpenZFS before 2.0.0-rc1, when used on FreeBSD, allows execute permissions for all directories. Workaround No workaround is available. Mitigation Upgrade to 12.0-BETA2.1 or later Commit Jira Ticket Github Commit Ports Commit Further information NIST CVE-2020-24716 Entry

CVE-2020-11650 : Login DOS

Versions Affected : All verisons prior to FreeNAS/TrueNAS 11.2-u8 Description An issue was discovered in iXsystems FreeNAS (and TrueNAS) 11.2 before 11.2-u8 and 11.3 before 11.3-u1. It allows a denial of service. The login authentication component has no limits on the length of an authentication message or the rate at which such messages are sent. Workaround No workaround is available. Mitigation Upgrade to FreeNAS/TrueNAS 11.

CVE-2019-14907 : Samba Log Level

Versions Affected : All verisons prior to FreeNAS/TrueNAS 11.2-U8

Description

All samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where if it is set with “log level = 3” (or above) then the string obtained from the client, after a failed character conversion, is printed.

CVE-2019-14870 : Samba AD DNS DoS

Versions Affected : All versions prior to FreeNAS 11.2-U8

Description

All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable.

CVE-2019-14861 : Samba AD DNS DoS

Versions Affected : All versions prior to FreeNAS 11.2-U8

Description

An authenticated user can crash the DCE/RPC DNS management server by creating records matching the zone name in different case spelling.

CVE-2019-10197 : Samba Config

Versions Affected : All versions prior to FreeNAS 11.2-U6

Description

A flaw was found in samba versions 4.9.x up to 4.9.13, samba 4.10.x up to 4.10.8 and samba 4.11.x up to 4.11.0rc3, when certain parameters were set in the samba configuration file.

CVE-2019-3880 : Samba RPC Endpoint Emulation

Versions Affected : All versions prior to FreeNAS 11.2-U4

Description

A flaw was found in the way samba implemented an RPC endpoint emulating the Windows registry service API.