8 Vulnerabilities in Samba Can be Exploited to Target Active Directory Domains

CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a Russian cybercrime forum frequented by Ransomware groups, regarding eight vulnerabilities targeting Samba packages affecting Active Directory domains.
Updated on
April 19, 2023
Published on
November 23, 2021
Subscribe to the latest industry news, threats and resources.
Category Vulnerability Intelligence
Affected Industries Multiple
Affected Region Global
Source* A2
Reference *https://en.wikipedia.org/wiki/Intelligence_source_and_information_reliability #https://en.wikipedia.org/wiki/Traffic_Light_Protocol

Executive Summary

  • CloudSEK’s flagship digital risk monitoring platform XVigil discovered a post, on a Russian cybercrime forum frequented by Ransomware groups, regarding eight vulnerabilities targeting Samba packages affecting Active Directory domains.
  • Samba is an open-source Server Message Block (SMB) protocol implementation. It enables Linux to function as a server and a client with the Windows operating system.
  • The actor has provided information on the vulnerabilities, now recognized as CVEs, along with their potential impacts. 
  • Threat actors can exploit this vulnerability to conduct various attacks, including, but not limited to, information compromise, privilege escalation and identifying the infrastructure of systems.
[caption id="attachment_18241" align="aligncenter" width="1239"]Threat actor’s post on the cybercrime forum Threat actor’s post on the cybercrime forum[/caption]  

Analysis and Attribution

Information from the Post

  • On 10 November 2021, a threat actor published a post, on a cybercrime forum, claiming that Active Directories can be exploited using 8 vulnerabilities in the Samba package. 
  • These vulnerabilities are now fixed, however, attackers could be scanning for unpatched instances to target. 
The 8 vulnerabilities affect the following versions of Samba:
  • 4.15.2
  • 4.14.10
  • 4.13.14
Following is a list of patched vulnerabilities, along with their descriptions, as stated by the actor:
  • CVE-2020-25717: An Active Directory domain user with the capacity to create new accounts on their system, managed using ms-DS-MachineAccountQuota, could get root access to other domain systems due to a vulnerability in the logic of mapping domain users to local system users.
  • CVE-2021-3738: Access to an already freed memory area (Use after free) can potentially lead to privilege escalation when manipulating connection setup in the implementation of the Samba AD DC RPC server (dsdb).
  • CVE-2016-2124: Even if the user or application is configured with mandatory Kerberos authentication, client connections established via the SMB1 protocol could be transferred to the transmission of authentication parameters in clear text or via NTLM (for example, to determine credentials for MITM attacks).
  • CVE-2020-25722 Proper storage: On a Samba-based Active Directory domain controller, access checks were not performed, thus allowing any user to escape credentials and entirely corrupt the domain.
  • CVE-2020-25718 Kerberos tickets: The Samba-based Active Directory domain controller did not properly isolate administrator tickets issued by the RODC (Read-only domain controller) , which might be utilised to obtain administrator tickets from the RODC without having the authority to do so.
  • CVE-2020-25719: The Samba-based Active Directory domain controller did not always take into account the SID and PAC fields in Kerberos tickets in the bundle (when setting "gensec: require pac = true," only the name was checked, and PAC was ignored), thus allowing a user with the right to create accounts on the local system to impersonate another user in the domain, including a privileged one.
  • CVE-2020-25721: For Kerberos-authenticated users, unique identifiers for Active Directory (objectSid) were not always issued, which could lead to user intersections.
  • CVE-2021-23192:During the MITM attack, it was possible to spoof fragments in large DCE/ RPC requests that were split into several parts. 

Source Rating

  • The actor is very popular on the forum. 
  • The post shared by the actor has been verified from the official release from Samba (1).
  • The reliability of the actor can be rated Reliable (A).
  • The credibility of the advertisement can be rated Probably True (2).
  • Giving overall source credibility of A2



[caption id="attachment_18242" align="aligncenter" width="1249"]Official Release announcement from the website Official Release announcement from the website[/caption]

Get Global Threat Intelligence on Real Time

Protect your business from cyber threats with real-time global threat intelligence data.. 30-day free and No Commitment Trial.
Schedule a Demo
Real time Threat Intelligence Data
More information and context about Underground Chatter
On-Demand Research Services
Dashboard mockup
Global Threat Intelligence Feed

Protect and proceed with Actionable Intelligence

The Global Cyber Threat Intelligence Feed is an innovative platform that gathers information from various sources to help businesses and organizations stay ahead of potential cyber-attacks. This feed provides real-time updates on cyber threats, including malware, phishing scams, and other forms of cybercrime.
Trusted by 400+ Top organisations