New MS Patch for AD (CVE-2022-38023) and Samba

JasonL

Cadet
Joined
Feb 22, 2023
Messages
3
I have a 45Drives Storinator in production at an office that runs TrueNAS 12.0 U8.1; it was upgraded from 11.0 Release and there is discussion to further upgrade to 13.0 U4 or beyond.

The problem we just found out is that Microsoft is patching RPC authentication to stop RPC Signing and only allow RPC Sealing, CVE-2022-38023. Several of our other NAS vendors have been jumping on this, as this is a huge change.

Also, Samba released this statement, https://www.samba.org/samba/security/CVE-2022-38023.html; Samba 4.15.13, 4.16.8 and 4.17.4 and later are patched to fix this issue.

I have only seen that TrueNAS 13.0 U3 included the update below.
NAS-118437 Update net/samba to Samba 4.15.10

I do want to say up front, I don't control patching scheduling and our security office isn't going to hold off for one NAS in one of our locations. We are just hoping this is on TrueNAS's radar to get fixed soon. I have searched for the CVE, the samba version, and multiple other ways of writing this out and have not seen any posts or bugs as of yet. My google-fu may be failing in this regard.

Thanks
 

JasonL

Cadet
Joined
Feb 22, 2023
Messages
3
I did find this issue in TrueNAS's bug tracking site, https://ixsystems.atlassian.net/browse/NAS-119406.

The only thing is it shows as done/closed. I'm not sure what that means as it hasn't been released and not sure if there is any further info as to what release it is expected to be in or a possible time frame.
 

HoneyBadger

actually does care
Administrator
Moderator
iXsystems
Joined
Feb 6, 2014
Messages
5,112
Morning @JasonL ,

CORE 13.0-U4 is on 4.15.13:
Code:
root@core01[~]# smbstatus | grep version
Samba version 4.15.13


SCALE 22.12.1 is on 4.17.4
Code:
admin@bluefin01[~]$ sudo smbstatus | grep version
[sudo] password for admin:

Samba version 4.17.4


I don't have the PR tags handy to see when exactly they were merged, my apologies - Edit: for CORE, it looks like 13.0-U4 is when the fixed revision was included, so that would be your target to upgrade to.
 
Last edited:
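The posts above establish the check by hand: run `smbstatus`, read the `Samba version` line, and compare it against the first fixed release on that branch (4.15.13, 4.16.8, 4.17.4 per the Samba advisory). The script below is an added example, not code from the thread, from iXsystems or from Samba. It parses `smbstatus`-style output and reports whether the version is at or above the fixed release for its branch. It assumes that branches older than 4.15 never received the fix and that branches newer than 4.17 are fixed from their first release; the sample output it runs on is constructed to match the format shown in the posts above.

```shell
#!/bin/sh
# Added example: classify a Samba version as patched or vulnerable for
# CVE-2022-38023, using the fixed releases from the Samba advisory
# (4.15.13, 4.16.8, 4.17.4). Not part of TrueNAS or Samba.

# fixed_for_branch MAJOR MINOR -> prints the minimum patched PATCH number,
# "0" for branches newer than 4.17 (assumed fixed from their first release),
# or "-" for older branches that never received the fix (assumption).
fixed_for_branch() {
  case "$1.$2" in
    4.15) echo 13 ;;
    4.16) echo 8 ;;
    4.17) echo 4 ;;
    *)
      if [ "$1" -gt 4 ] || { [ "$1" -eq 4 ] && [ "$2" -gt 17 ]; }; then
        echo 0
      else
        echo "-"
      fi ;;
  esac
}

# samba_patched VERSION -> prints "patched", "vulnerable" or "unparseable".
# Accepts "4.15.13" as well as vendor-suffixed strings such as "4.17.4-Debian";
# anything after the numeric patch component is ignored.
# Exit status: 0 patched, 1 vulnerable, 2 unparseable.
samba_patched() {
  v=$1
  case "$v" in *.*.*) ;; *) echo "unparseable"; return 2 ;; esac
  maj=${v%%.*}
  rest=${v#*.}
  min=${rest%%.*}
  pat=${rest#*.}
  pat=${pat%%[!0-9]*}
  for part in "$maj" "$min" "$pat"; do
    case "$part" in ''|*[!0-9]*) echo "unparseable"; return 2 ;; esac
  done
  need=$(fixed_for_branch "$maj" "$min")
  if [ "$need" = "-" ]; then
    echo "vulnerable"; return 1
  fi
  if [ "$pat" -ge "$need" ]; then
    echo "patched"; return 0
  fi
  echo "vulnerable"; return 1
}

# version_from_smbstatus -> reads smbstatus output on stdin and prints the
# version string from the first "Samba version ..." line.
version_from_smbstatus() {
  sed -n 's/^Samba version \([0-9][0-9.A-Za-z-]*\).*/\1/p' | head -n 1
}

# report LABEL SMBSTATUS_TEXT -> prints one line with the verdict.
report() {
  ver=$(printf '%s\n' "$2" | version_from_smbstatus)
  verdict=$(samba_patched "$ver") || true
  printf '%-16s %-16s %s\n' "$1" "${ver:-?}" "$verdict"
}

# Constructed sample output in the same shape as the smbstatus excerpts above
# (the SCALE one includes the sudo prompt line that precedes the real output).
SAMPLE_OLD='Samba version 4.15.10
PID     Username     Group        Machine'
SAMPLE_CORE_U4='Samba version 4.15.13
PID     Username     Group        Machine'
SAMPLE_SCALE='[sudo] password for admin:

Samba version 4.17.4
PID     Username     Group        Machine'

report "CORE 13.0-U3"  "$SAMPLE_OLD"
report "CORE 13.0-U4"  "$SAMPLE_CORE_U4"
report "SCALE 22.12.1" "$SAMPLE_SCALE"
```

On a live system the same functions apply to real output: `smbstatus | version_from_smbstatus` yields the version string, and `samba_patched "$ver"` returns 0 only when that version is at or beyond the fixed release for its branch, so the exit status can drive a fleet check before the Windows-side enforcement lands.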

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703

JasonL said:
The only thing is it shows as done/closed. I'm not sure what that means as it hasn't been released and not sure if there is any further info as to what release it is expected to be in or a possible time frame.
You can see it in the top right of that page under "Fix Versions".
 

JasonL

Cadet
Joined
Feb 22, 2023
Messages
3
Thank you both @sretalla and @HoneyBadger. This is good info.

It seems odd that the U4 release notes neither call out this bugfix number nor the Samba version. I do have a home TrueNAS Core on 13.0 U4 and it does have the same Samba version as you noted, @HoneyBadger.

I at least have a path forward to get ready for the MS patch now. Thanks again.
 