CVE-2022-32743: 
Samba vulnerability analysis and mitigation

Samba contains a vulnerability (CVE-2022-32743) where it does not validate the Validated-DNS-Host-Name right for the dNSHostName attribute, which could permit unprivileged users to write it. The vulnerability was discovered in September 2022 and affects Samba versions from 4.1.0 onwards (NVD, Samba Bugzilla).

The vulnerability stems from a failure to properly implement the Validated-DNS-Host-Name right validation, which should only apply to objects with class computer or server. According to Microsoft's specifications, the dNSHostName attribute should be in the format computerName.fullDomainDnsName, where computerName is the current sAMAccountName without the final '$' character (MS Documentation). The vulnerability has a CVSS v3.1 base score of 7.5 (HIGH) with a vector of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N (NVD).

The vulnerability allows unprivileged users to modify the dNSHostName attribute, which could potentially lead to DNS-related security issues. The dNSHostName suffix can be changed freely, which might affect systems that rely on this attribute for identification or authentication purposes (Samba Bugzilla).

The vulnerability has been fixed in newer versions of Samba. Users are advised to upgrade to patched versions. For Fedora users, updates were provided in version 4.17.0, and for Gentoo users, the fix is included in version 4.18.4 (Fedora Update, Gentoo Security).