CVE-2022-0336: 
Kerberos vulnerability analysis and mitigation

CVE-2022-0336 affects Samba versions 4.0.0 and later, specifically impacting the Samba Active Directory Domain Controller (AD DC). The vulnerability allows users with permission to write to an account's servicePrincipalName attribute to impersonate arbitrary services. This security flaw was discovered when checks in the Samba AD DC to prevent aliased Service Principal Names (SPNs) could be bypassed (Samba Security).

The vulnerability stems from a logic flaw in the SPN uniqueness checking mechanism. When adding service principal names to an account, some checks could be bypassed if an account modification re-adds an SPN that was previously present on that account, such as one added when a computer is joined to a domain. The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) (Samba Security).

The vulnerability has two primary impacts. First, an attacker who has the ability to write to an account can perform a denial-of-service attack by adding an SPN that matches an existing service. Second, if an attacker can intercept traffic, they can impersonate existing services, resulting in a loss of confidentiality and integrity (Samba Security).

Patches addressing this vulnerability were released in Samba versions 4.13.17, 4.14.12, and 4.15.4. Samba administrators are advised to upgrade to these releases or apply the available patches as soon as possible. No workarounds are available for this vulnerability (Samba Security).