(408) 943-4100               V   Commercial Support

Versions Affected : All versions prior to TrueNAS 12.0-U6.1 and SCALE 22.02-RC.1-2


Description

Samba will attempt to find a user “DOMAIN\user” before falling back to trying to find the user “user”. If the DOMAIN\user lookup can be made to fail, then a privilege escalation is possible.

The easiest example to illustrate this is if an attacker creates an account named root (by renaming a MachineAccountQuota based machine account), and asks for a login without a Kerberos PAC. Between obtaining the ticket and presenting it to a server, the attacker renames the user account to a different name. Samba attempts to look up “DOMAIN\root”, which fails (as this no longer exists) and then falls back to looking up user “root”, which will map to the privileged UNIX uid of 0.

CVSS

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1)

Workaround

No workaround is available. However, systems that do not use Samba are not vulnerable.


Mitigation

  • Upgrade TrueNAS CORE/Enterprise to 12.0-U6.1 or later
  • Upgrade to TrueNAS SCALE 22.02-RC.1-2 or later

Commit

Further information