Inadequate Encryption Strength Affecting samba package, versions <2:4.16.0+dfsg-2


Severity

Recommended
0.0
critical
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
0.15% (53rd percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Inadequate Encryption Strength vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-DEBIAN12-SAMBA-3173556
  • published16 Dec 2022
  • disclosed6 Mar 2023

Introduced: 16 Dec 2022

CVE-2022-45141  (opens in a new tab)
CWE-326  (opens in a new tab)

How to fix?

Upgrade Debian:12 samba to version 2:4.16.0+dfsg-2 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream samba package and not the samba package as distributed by Debian. See How to fix? for Debian:12 relevant fixed versions and status.

Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and per RFC8429 it is assumed that rc4-hmac is weak, Vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (eg aes256-cts-hmac-sha1-96).

CVSS Scores

version 3.1