Authentication Bypass by Spoofing
CVE-2022-32744
Summary
A flaw was found in Samba. The KDC accepts kpasswd requests encrypted with any key known to it. By encrypting forged kpasswd requests with its own key, a user can change other users' passwords, enabling full domain takeover. This issue affects versions 4.3.x prior to 4.14.14, 4.15.x prior to 4.15.9, and 4.16.x prior to 4.16.4.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- LOW
- HIGH
- HIGH
CWE-290 - Authentication Bypass by Spoofing
This attack-focused weakness is caused by improperly implemented authentication schemes that are subject to spoofing attacks.
Advisory Timeline
- Published