CVE-2022-45141

9.8 CRITICAL

📋 TL;DR

Vulnerable Samba Active Directory Domain Controllers, acting as the domain's Kerberos KDC, issue RC4-HMAC encrypted service tickets even when the target server supports a stronger encryption type such as aes256-cts-hmac-sha1-96. RC4-HMAC is deprecated as weak (RFC 8429) and its key is simply the account's NT password hash, so tickets protected with it give an authenticated domain user a path to privilege escalation. Only Samba deployed in the AD DC role is affected.

💻 Affected Systems

Products:
  • Samba
Versions: Samba 4.15.x before 4.15.13, 4.16.x before 4.16.8, 4.17.x before 4.17.4, and every older, unsupported branch
Operating Systems: Linux/Unix systems running Samba AD DC
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Samba running as an Active Directory Domain Controller, because the flaw is in the KDC's choice of ticket encryption type. Standalone and domain-member file servers are not affected, but every DC in a domain is a KDC, so all of them need the fix.

📦 What is this software?

Samba is the free software implementation of the SMB/CIFS file and print protocols for Unix-like systems. Since version 4.0 it can also act as an Active Directory Domain Controller, providing the Kerberos KDC, LDAP directory, DNS and Group Policy services that Windows clients expect. This CVE concerns that KDC role.
⚠️ Risk & Real-World Impact

🔴 Worst Case

Full domain compromise: an attacker escalates to Domain Admin-equivalent privileges, reads sensitive data and controls every domain-joined resource.

🟠 Likely Case

Privilege escalation by an authenticated domain user, who can then impersonate other accounts, reach resources they were never granted, and move laterally through the network.

🟢 If Mitigated

Patched DCs are not affected. Where patching is delayed, isolating the DCs, monitoring Kerberos ticket issuance and tightly controlling who holds domain credentials reduce but do not remove the risk, since any authenticated account can trigger the flaw.

🌐 Internet-Facing: LOW (Samba AD DCs should not be directly internet-facing)
🏢 Internal Only: HIGH (Internal attackers or compromised accounts can exploit this for privilege escalation)

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires valid domain credentials, but any authenticated domain user can request service tickets from the KDC, so no special privileges are needed to start.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Samba 4.17.4, 4.16.8, and 4.15.13

Vendor Advisory: https://www.samba.org/samba/security/CVE-2022-45141.html

Restart Required: Yes

Instructions:

1. Back up the Samba configuration (smb.conf, krb5.conf) and the AD database and sysvol (by default under /var/lib/samba), or take a 'samba-tool domain backup' snapshot.
2. Stop the AD DC service (samba-ad-dc on Debian/Ubuntu).
3. Install the patched Samba packages with your distribution's package manager, or build 4.15.13 / 4.16.8 / 4.17.4 from source if you track upstream.
4. Start the AD DC service again, then repeat on every DC in the domain; an unpatched DC keeps issuing RC4 tickets.
5. Verify the update: 'samba --version' should report the fixed release, or, on distributions that backport fixes without bumping the version string, the package changelog should mention CVE-2022-45141.

🔧 Temporary Workarounds

Restrict RC4-HMAC on the client side (partial only)

linux

Removing rc4-hmac from /etc/krb5.conf (default_tgs_enctypes, default_tkt_enctypes and permitted_enctypes listing only the AES types) stops your own Kerberos clients from requesting or accepting RC4 tickets, but it is client-side policy: it does not change what a vulnerable Samba KDC issues to other requesters, and Windows clients do not read krb5.conf at all. Treat it as defence in depth, not a fix; only the patched releases change the KDC's behaviour.

🧯 If You Can't Patch

  • Isolate every Samba AD DC behind strict network segmentation; only hosts that genuinely need Kerberos, LDAP, DNS or SMB from a DC should reach port 88 and the other DC ports
  • Monitor Kerberos traffic to the DCs for TGS-REP messages whose ticket is encrypted with etype 23 (rc4-hmac) for services whose accounts support AES; that pattern is exactly what this flaw produces
  • Reduce the attacker's starting point: every authenticated domain account can exploit this, so remove stale accounts and tighten credential hygiene on the ones that remain

🔍 How to Verify

Check if Vulnerable:

Run 'samba --version' on each DC and compare the reported version with the fixed release for its branch (4.15.13, 4.16.8 or 4.17.4). Anything on an older, unsupported branch (4.14 and earlier) is vulnerable. On distributions that backport security fixes without changing the version string (Debian, RHEL, SUSE and their derivatives), check the package changelog for CVE-2022-45141 instead, for example 'rpm -q --changelog samba | grep CVE-2022-45141'.

Check Version:

samba --version

Verify Fix Applied:

Confirm the version is at least the fixed release of its branch (4.15.13, 4.16.8, 4.17.4) or a 4.18+ release, then test ticket issuance: from a domain member with MIT Kerberos tools run 'kinit user', then 'kvno cifs/server.example.com' (substitute a real service principal whose account supports AES) and check 'klist -e'; the ticket etype shown for that service should be aes256-cts-hmac-sha1-96 (or aes128), not rc4-hmac / arcfour-hmac-md5.
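An added version-check script (written for this page, not part of Samba): it parses the output of 'samba --version' and compares it against the fixed releases named above. The sample version strings in it are constructed, and the backport caveat applies exactly as described: a VULNERABLE verdict for a distribution package means "check the changelog", not "confirmed vulnerable".

```python
"""Decide whether an installed Samba build predates the CVE-2022-45141 fix.

Added example for this page (not Samba project code). It parses the output of
`samba --version` and compares it against the fixed releases named in the
advisory: 4.15.13, 4.16.8 and 4.17.4. The sample version strings below are
constructed; real output looks like 'Version 4.15.12-Ubuntu'.
"""
import re
import subprocess

# First fixed release per maintained branch. The trailing 1 marks a final
# release so that a release candidate (encoded as 0) sorts below it.
FIXED = {
    (4, 15): (4, 15, 13, 1),
    (4, 16): (4, 16, 8, 1),
    (4, 17): (4, 17, 4, 1),
}
OLDEST_FIXED_BRANCH = (4, 15)

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?")


def parse_samba_version(text):
    """Return (major, minor, patch, final) from a `samba --version` string.

    `final` is 1 for a release and 0 for a release candidate, so the tuples
    compare in release order: 4.17.4rc1 < 4.17.4 < 4.17.5.
    """
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Samba version in {text!r}")
    major, minor, patch = (int(x) for x in m.groups()[:3])
    return (major, minor, patch, 0 if m.group(4) else 1)


def is_vulnerable(version):
    """True if this upstream version still issues RC4-HMAC tickets to AES-capable targets.

    Caveat: distributions often backport security fixes without changing the
    version string, so True for a distro package means "check the changelog".
    """
    branch = version[:2]
    if branch < OLDEST_FIXED_BRANCH:
        return True                      # 4.14 and older: no upstream fix at all
    if branch in FIXED:
        return version < FIXED[branch]   # inside a fixed branch: below the fix release?
    return False                         # 4.18 and later were cut after the fix landed


def check_installed():
    """Run `samba --version` on this host and classify it; None if samba is absent."""
    try:
        out = subprocess.run(["samba", "--version"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return is_vulnerable(parse_samba_version(out))


if __name__ == "__main__":
    # Constructed sample strings covering each branch and the rc edge case.
    for sample in ("Version 4.15.12-Ubuntu", "Version 4.17.4",
                   "Version 4.17.4rc1", "Version 4.13.17"):
        verdict = "VULNERABLE" if is_vulnerable(parse_samba_version(sample)) else "fixed"
        print(f"{sample:28s} -> {verdict}")
    status = {None: "samba not installed", True: "VULNERABLE", False: "fixed"}
    print("this host:", status[check_installed()])
```

Run it on each DC; the 'samba' binary is the AD DC process, so on a host that only has smbd the script reports "samba not installed", which matches the advisory's scope. Combine it with 'testparm -s --parameter-name="server role"' if you need to confirm the host really is a DC.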

📡 Detection & Monitoring

Log Indicators:

  • Samba KDC log lines naming the RC4 encryption type for issued tickets: MIT-based builds log it as rc4-hmac, Heimdal-based builds (Samba's default KDC) as arcfour-hmac-md5
  • With 'log level = 1 auth_audit:3 auth_json_audit:3' in smb.conf, Samba writes a JSON record for each Kerberos authentication and authorization with the client account and source address, which lets you tie an RC4 ticket seen on the wire to the account that requested it

Network Indicators:

  • TGS-REP messages (port 88) from a DC whose Ticket enc-part etype is 23 (rc4-hmac) for a service whose account supports AES; the service ticket etype, not the client-side session key etype, is the field this flaw affects
  • Unusual TGS-REQ volume, or one account requesting tickets for many service principals, which often precedes ticket-based escalation

SIEM Query:

source="samba" AND ("rc4-hmac" OR "arcfour-hmac-md5")

Samba logs never contain the CVE identifier itself, so searching them for "CVE-2022-45141" finds nothing; the query above is illustrative and must be adapted to your log source and field names.
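The network indicator above, implemented as an added example (not Samba project code): a minimal DER walker that pulls the ticket etype, the client-side etype and the service name out of a Kerberos TGS-REP (RFC 4120 structures) and flags etype 23. The TGS-REP bytes are constructed inline with a small encoder so the script runs offline; the realm EXAMPLE.COM, the principals alice and cifs/fs01.example.com, and the zero-filled cipher fields are made up.

```python
"""Flag Kerberos TGS-REP messages whose service ticket is encrypted with RC4-HMAC.

Added detection example for this page (not Samba project code). It contains a
minimal DER walker for the Kerberos TGS-REP / Ticket / EncryptedData structures
(RFC 4120) and reports the etype of the ticket the KDC issued, which is the
field CVE-2022-45141 is about. The TGS-REP bytes it runs on are constructed
here with a small DER encoder; real messages come from port 88 captures (the
UDP payload is bare DER, TCP prepends a 4-byte length that must be stripped).
"""

# Kerberos etype numbers (RFC 3961/3962/4757); the RC4 variants are the weak ones.
ETYPE_NAMES = {
    1: "des-cbc-crc", 3: "des-cbc-md5",
    17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96",
    23: "rc4-hmac", 24: "rc4-hmac-exp",
}
RC4_ETYPES = {23, 24}


# ---- minimal DER decode ----------------------------------------------------
def der_read(buf):
    """Parse one TLV (single-byte tag, as Kerberos uses) at the start of buf."""
    tag, length, off = buf[0], buf[1], 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[2:2 + n], "big")
        off = 2 + n
    return tag, buf[off:off + length], buf[off + length:]


def der_children(buf):
    """All TLVs inside a constructed value, as (tag, value) pairs."""
    out = []
    while buf:
        tag, value, buf = der_read(buf)
        out.append((tag, value))
    return out


def der_walk(buf, path):
    """Descend through nested TLVs, taking the first child matching each tag in path."""
    for tag in path:
        for child_tag, value in der_children(buf):
            if child_tag == tag:
                buf = value
                break
        else:
            raise ValueError(f"tag 0x{tag:02X} not found")
    return buf


# Tag paths into TGS-REP ([APPLICATION 13] = 0x6D); context tag [n] is 0xA0 + n.
TICKET_ETYPE = (0x6D, 0x30, 0xA5, 0x61, 0x30, 0xA3, 0x30, 0xA0, 0x02)  # ticket.enc-part.etype
REPLY_ETYPE = (0x6D, 0x30, 0xA6, 0x30, 0xA0, 0x02)                     # enc-part.etype (to client)
TICKET_SNAME = (0x6D, 0x30, 0xA5, 0x61, 0x30, 0xA2, 0x30, 0xA1, 0x30)  # ticket.sname.name-string


def inspect_tgs_rep(msg):
    """Return service name and both etypes, and whether the ticket itself is RC4."""
    ticket_etype = int.from_bytes(der_walk(msg, TICKET_ETYPE), "big", signed=True)
    reply_etype = int.from_bytes(der_walk(msg, REPLY_ETYPE), "big", signed=True)
    sname = "/".join(v.decode() for _, v in der_children(der_walk(msg, TICKET_SNAME)))
    return {
        "service": sname,
        "ticket_etype": ETYPE_NAMES.get(ticket_etype, str(ticket_etype)),
        "reply_etype": ETYPE_NAMES.get(reply_etype, str(reply_etype)),
        "rc4_ticket": ticket_etype in RC4_ETYPES,
    }


# ---- constructed sample message (DER encoder, test data only) --------------
def tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(v):
    return tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big"))


def build_tgs_rep(ticket_etype, reply_etype, realm=b"EXAMPLE.COM",
                  service=(b"cifs", b"fs01.example.com")):
    """Encode a plausible TGS-REP; the cipher fields are zero filler, not ciphertext."""
    gs = lambda s: tlv(0x1B, s)                                    # GeneralString

    def principal(name_type, parts):                               # PrincipalName
        return tlv(0x30, tlv(0xA0, der_int(name_type)) +
                   tlv(0xA1, tlv(0x30, b"".join(gs(p) for p in parts))))

    def enc_data(etype, kvno, cipher):                             # EncryptedData
        return tlv(0x30, tlv(0xA0, der_int(etype)) + tlv(0xA1, der_int(kvno)) +
                   tlv(0xA2, tlv(0x04, cipher)))

    ticket = tlv(0x61, tlv(0x30,                                   # [APPLICATION 1] Ticket
        tlv(0xA0, der_int(5)) + tlv(0xA1, gs(realm)) +
        tlv(0xA2, principal(2, service)) +                         # NT-SRV-INST
        tlv(0xA3, enc_data(ticket_etype, 3, bytes(64)))))
    body = (tlv(0xA0, der_int(5)) + tlv(0xA1, der_int(13)) +       # pvno, msg-type TGS-REP
            tlv(0xA3, gs(realm)) + tlv(0xA4, principal(1, (b"alice",))) +
            tlv(0xA5, ticket) + tlv(0xA6, enc_data(reply_etype, 0, bytes(48))))
    return tlv(0x6D, tlv(0x30, body))


if __name__ == "__main__":
    for t_etype, r_etype in ((23, 18), (18, 18)):
        info = inspect_tgs_rep(build_tgs_rep(t_etype, r_etype))
        verdict = "ALERT: RC4 ticket issued" if info["rc4_ticket"] else "ok"
        print(f"{info['service']:24s} ticket={info['ticket_etype']:24s} "
              f"session={info['reply_etype']:24s} {verdict}")
```

Feed inspect_tgs_rep the UDP payloads of port 88 replies from your DCs (strip the 4-byte length prefix on TCP first) and alert when rc4_ticket is true for a service whose account supports AES. The two etypes are deliberately reported separately: a client that only speaks RC4 legitimately gets an RC4 session key, but the ticket's own etype is chosen from the service account's keys, and that is what a vulnerable KDC gets wrong.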

🔗 References

  • Samba security advisory for CVE-2022-45141: https://www.samba.org/samba/security/CVE-2022-45141.html
  • RFC 8429, Deprecate Triple-DES (3DES) and RC4 in Kerberos: https://www.rfc-editor.org/rfc/rfc8429
