CVE-2020-14318

The SMB1/2/3 protocols incorporate the “ChangeNotify” concept. With this structure, the client requests file name to be reported in the event of “creating a new file” or “file size change” or “file timestamp update” within a directory.

To send a ChangeNotify request, missing permissions shall be checked in directory administration. With these permissions, the client should get the change information response from the server using only FILE_READ_ATTRIBUTES (minimum access) authority. The information containing these responses should not be just in the FILE_READ_ATTRIBUTE form to access directories.

CVE-2020-14323

Winbind 3.6 and later versions have the ability to convert multiple SIDs into names in RPC calls. This feature has been added to improve performance.

Facts: As the active directory administrator, multiple SIDs can be renamed over a single RPC call. Naturally, Samba provides plug-ins that perform these automated actions with a unix directory socket through winbind. This reduces network packets in directory services, resulting in faster directory service. Because proper input control is not done, manually modified packets and winbind operations can be stopped and possible with NULL pointer assignment.

CVE-2020-14383

Some DNS records (such as MX and NS) may contain some additional information. Samba dns server RPC pipes (only managed, not for the DNS service itself) contain controllers for situations that can cause the RPC server to fail, such as missing/erroneous records, untuned memory. The RPC server also provides services for non-dns service protocols. When this service restarts, there is a short wait. Although the Samba service continues to run as a result of an attack in that time by a user who has already performed RPC server authentication and is not entitled to administrator rights, many RPC services will not work.