CVE-2023-0922: 
Samba vulnerability analysis and mitigation

The vulnerability (CVE-2023-0922) affects the Samba Active Directory (AD) DC administration tool in all versions of Samba since 4.0. The issue occurs when the tool operates against a remote LDAP server, where it sends new or reset passwords over a signed-only connection by default, potentially exposing sensitive password information (Samba Security).

The vulnerability stems from Samba's lack of encryption restriction when setting passwords over LDAP, unlike Microsoft's implementation which requires encrypted connections. When samba-tool connects using a Kerberos secured LDAP connection against a Samba AD DC, an attacker capable of observing network traffic could intercept newly set passwords. This specifically impacts connections made using Kerberos, as NTLM-protected connections are automatically upgraded to encryption. The vulnerability has been assigned a CVSS v3.1 score of 5.9 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (Samba Security).

If successfully exploited, this vulnerability could lead to the disclosure of sensitive password information when setting new passwords or adding new users. The impact is particularly significant for password reset operations and new user creation processes using the samba-tool against a remote LDAP server (Samba Security).

To mitigate this vulnerability, administrators should set 'client ldap sasl wrapping = seal' in the smb.conf file or add the --option=clientldapsaslwrapping=sign option to any samba-tool or ldbmodify invocation that sets a password. The patch changes all Samba AD LDAP client connections to use encryption by default by modifying the default value of 'client ldap sasl wrapping' to 'seal' in Samba's smb.conf (Samba Security).