CVE-2022-0336 Overview
CVE-2022-0336 is an Insecure Permissions vulnerability affecting the Samba Active Directory Domain Controller (AD DC). The Samba AD DC implements security checks when adding Service Principal Names (SPNs) to accounts to prevent SPN aliasing with existing entries in the database. However, these validation checks can be bypassed when an account modification re-adds an SPN that was previously associated with that account, such as one automatically added when a computer joins a domain.
An attacker with write access to an account (including a computer account the attacker joined to the domain) can exploit this bypass to add an SPN matching an existing service, enabling denial-of-service attacks against that service's Kerberos authentication. More critically, an attacker capable of intercepting network traffic can impersonate legitimate services, leading to loss of confidentiality and integrity across the domain environment.
Critical Impact
Attackers with account write privileges can bypass SPN validation checks to impersonate existing services or cause denial of service, compromising domain authentication integrity.
Affected Products
- Samba (versions before 4.13.17, 4.14.12 and 4.15.5, which contain the fix)
- Fedora 34
- Fedora 35
Discovery Timeline
- 2022-01-31 - Samba security advisory published with fixed releases 4.13.17, 4.14.12 and 4.15.5
- 2022-08-29 - CVE-2022-0336 published to NVD
- 2024-11-21 - Last updated in NVD database
Technical Details for CVE-2022-0336
Vulnerability Analysis
This vulnerability resides in the Samba AD DC's SPN uniqueness validation logic. When a new SPN is added to an account, Samba performs checks to ensure it doesn't conflict with SPNs already registered in the directory database. This protection mechanism prevents SPN collision attacks where an attacker could register an SPN belonging to another service.
The flaw occurs because the validation routine treats an SPN re-addition as a reason to stop checking altogether. The check loops over every servicePrincipalName value in a modification; when it meets a value that is already present on the object (for example one set during domain join), it returns success for the whole request instead of moving on to the next value, so any other SPN supplied in the same modification is never compared against the rest of the directory. An attacker who lists an SPN their account already holds first, followed by the SPN of the service to alias, gets both values written.
The vulnerability is classified under CWE-276 (Incorrect Default Permissions), as the permissive handling of SPN re-additions effectively grants unauthorized service impersonation capabilities.
Root Cause
The root cause lies in the samldb LDB module within source4/dsdb/samdb/ldb_modules/samldb.c. While iterating over the SPN values of a modification, the code detects that a value is being re-added to the same object and returns early with LDB_SUCCESS for the entire request, rather than skipping only that value. This premature return ends the loop before the remaining SPN values are checked, so an SPN that conflicts with another service in the domain succeeds as long as it follows a re-added SPN in the same modification.
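The following Python model, added here as an example and not taken from Samba, contrasts the pre-fix and post-fix behaviour of the uniqueness loop described above. The directory contents, DNs and SPN values are constructed, and the helper names (spn_owner, check_vulnerable, check_fixed) are the example's own; the real check in samldb_spn_uniqueness_check() works on LDB messages rather than Python dicts and applies more rules than shown here. The crafted modification re-adds an SPN the attacker's account already holds and places the victim's SPN after it.

```python
"""Model of the samldb SPN uniqueness loop before and after the CVE-2022-0336 fix.

Added example, not Samba code. Directory contents and SPN values are constructed.
"""

# Constructed sample directory: DN -> SPNs already stored on the object.
# The attacker controls WS01$ (e.g. a machine account they joined);
# the target SPN belongs to WEB01$.
DIRECTORY = {
    "CN=WEB01,OU=Servers,DC=example,DC=com": {
        "HOST/web01.example.com",
        "HTTP/web01.example.com",
    },
    "CN=WS01,CN=Computers,DC=example,DC=com": {"HOST/ws01.example.com"},
}


def spn_owner(directory, spn):
    """DNs whose stored SPNs match `spn` (case-insensitive, as AD compares SPNs)."""
    wanted = spn.lower()
    return [dn for dn, spns in directory.items()
            if wanted in (s.lower() for s in spns)]


def check_vulnerable(directory, dn, new_spns):
    """Pre-fix behaviour: a re-added SPN triggers `return LDB_SUCCESS`,
    so every SPN after it in the same modification is never checked."""
    for spn in new_spns:
        if spn.lower() in (s.lower() for s in directory[dn]):
            return True  # early return for the whole request (the bug)
        if [o for o in spn_owner(directory, spn) if o != dn]:
            return False  # LDB_ERR_CONSTRAINT_VIOLATION: SPN held elsewhere
    return True


def check_fixed(directory, dn, new_spns):
    """Post-fix behaviour: the re-added SPN is skipped with `continue`
    and the loop keeps checking the remaining values."""
    for spn in new_spns:
        if spn.lower() in (s.lower() for s in directory[dn]):
            continue  # this value is already ours; check the rest
        if [o for o in spn_owner(directory, spn) if o != dn]:
            return False
    return True


ATTACKER = "CN=WS01,CN=Computers,DC=example,DC=com"
# Crafted modification: own SPN first, victim's SPN smuggled behind it.
CRAFTED = ["HOST/ws01.example.com", "HTTP/web01.example.com"]
# A direct attempt without the re-added SPN is refused even before the fix.
DIRECT = ["HTTP/web01.example.com"]

if __name__ == "__main__":
    print("vulnerable, crafted:", check_vulnerable(DIRECTORY, ATTACKER, CRAFTED))
    print("vulnerable, direct :", check_vulnerable(DIRECTORY, ATTACKER, DIRECT))
    print("fixed, crafted     :", check_fixed(DIRECTORY, ATTACKER, CRAFTED))
    print("fixed, direct      :", check_fixed(DIRECTORY, ATTACKER, DIRECT))
```

The order of values matters: because the vulnerable loop returns on the first re-added value, only SPNs listed after it escape the check, which is why a plain single-value modification is still rejected.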
Attack Vector
The attack requires network access and low-privilege authenticated access to modify account attributes. An attacker who has obtained write permissions to any account object (through delegation, compromised credentials, or misconfigured ACLs) can:
- Identify target SPNs belonging to critical services (e.g., HTTP, LDAP, SQL services)
- Exploit the re-addition bypass to register conflicting SPNs on a controlled account
- Intercept Kerberos authentication requests intended for the legitimate service
- Impersonate the service to connecting clients, capturing credentials or manipulating data
// Vulnerable code - early return bypassed validation
// Source: https://github.com/samba-team/samba/commit/1a5dc817c0c9379bbaab14c676681b42b0039a3c
ac->msg->dn);
if (ret == LDB_ERR_COMPARE_TRUE) {
DBG_INFO("SPN %s re-added to the same object\n", spn);
- talloc_free(tmp_ctx);
- return LDB_SUCCESS;
+ continue;
}
if (ret != LDB_SUCCESS) {
DBG_ERR("SPN %s failed direct uniqueness check\n", spn);
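Review bot: replacing `return LDB_SUCCESS` with `continue` in the `LDB_ERR_COMPARE_TRUE` branch is the right fix, because the old return ended the whole per-value loop and left every SPN listed after a re-added one unchecked; the hunk also drops `talloc_free(tmp_ctx)` on that path without showing where `tmp_ctx` is now released, so confirm that the function's normal exit frees it (or that it is allocated per iteration) rather than leaking one context per re-added SPN. The `DBG_INFO("SPN %s re-added to the same object\n", spn)` line is worth keeping, since a modification that re-adds an own SPN immediately before a foreign one is exactly the pattern an auditor would want to see logged.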
Source: Samba GitHub Commit
Detection Methods for CVE-2022-0336
Indicators of Compromise
- Unexpected SPN registrations on computer or user accounts that duplicate existing service SPNs
- Multiple accounts with identical or aliased SPNs in the directory database
- Kerberos authentication failures for services that previously functioned correctly
- Audit logs showing SPN modifications from unusual source accounts or IP addresses
Detection Strategies
- Query the directory for duplicate SPNs: setspn -X from a domain-joined Windows host, or ldbsearch against sam.ldb on the Samba DC itself, comparing servicePrincipalName values case-insensitively to identify aliasing conditions
- Monitor directory modification events for servicePrincipalName changes. Event IDs 4662 and 5136 apply to Windows DCs; a Samba AD DC does not emit Windows event IDs, so enable Samba's DSDB audit logging (the dsdb_audit and dsdb_json_audit debug classes in the smb.conf log level setting) and watch for servicePrincipalName in the logged modifications
- Implement alerting for SPN modifications on sensitive service accounts or computer objects
- Correlate Kerberos ticket-granting failures with recent SPN changes to identify exploitation attempts
Monitoring Recommendations
- Deploy real-time monitoring on AD DC logs for attribute modification events targeting SPNs
- Establish baseline of legitimate SPNs and alert on deviations or duplications
- Monitor for Kerberos authentication anomalies such as unexpected service ticket requests or failures
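As an added example (not code from the page or from the Samba project) covering both the duplicate-SPN query and the baseline comparison recommended above, the script below parses LDIF as produced by ldbsearch or ldapsearch, reports SPNs registered on more than one object, and diffs the current SPN set against a saved baseline. The LDIF records, DNs and SPNs are constructed; on a real Samba AD DC the input would come from a command such as ldbsearch -H /var/lib/samba/private/sam.ldb '(servicePrincipalName=*)' servicePrincipalName. SPNs are compared case-insensitively, matching how AD treats them; base64-encoded values (the LDIF "::" form) and folded lines are handled.

```python
"""Find SPNs held by more than one directory object, from LDIF output.

Added example, not part of the page or of Samba. Sample LDIF is constructed.
"""
import base64
from collections import defaultdict

# Constructed ldbsearch-style output. WS01$ has picked up a copy of WEB01$'s
# HTTP SPN (different case), which is exactly the aliasing CVE-2022-0336 allows.
SAMPLE_LDIF = """\
# record 1
dn: CN=WEB01,OU=Servers,DC=example,DC=com
servicePrincipalName: HOST/web01.example.com
servicePrincipalName: HOST/WEB01
servicePrincipalName: HTTP/web01.example.com

# record 2
dn: CN=WS01,CN=Computers,DC=example,DC=com
servicePrincipalName: HOST/ws01.example.com
servicePrincipalName: http/WEB01.example.com

# record 3
dn: CN=svc-sql,OU=Service Accounts,DC=example,DC=com
servicePrincipalName:: TVNTUUxTdmMvc3FsMDEuZXhhbXBsZS5jb206MTQzMw==
"""

# Constructed baseline: the same directory before the extra SPN appeared.
BASELINE_LDIF = SAMPLE_LDIF.replace(
    "servicePrincipalName: http/WEB01.example.com\n", "")


def parse_spns(ldif_text):
    """Return {dn: [spn, ...]}; handles '::' base64 values and folded lines."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:      # LDIF continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, dn = {}, None
    for line in lines:
        if not line.strip():                   # blank line ends a record
            dn = None
            continue
        if line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if attr.lower() == "dn":
            dn = value
            records.setdefault(dn, [])
        elif attr.lower() == "serviceprincipalname" and dn is not None:
            records[dn].append(value)
    return records


def find_duplicate_spns(records):
    """{spn_lowercase: sorted DNs} for every SPN held by more than one object."""
    owners = defaultdict(set)
    for dn, spns in records.items():
        for spn in spns:
            owners[spn.lower()].add(dn)
    return {spn: sorted(dns) for spn, dns in owners.items() if len(dns) > 1}


def diff_against_baseline(baseline, current):
    """(added, removed) sets of (dn, spn_lowercase) pairs versus a saved baseline."""
    def flatten(records):
        return {(dn, s.lower()) for dn, spns in records.items() for s in spns}
    before, after = flatten(baseline), flatten(current)
    return after - before, before - after


if __name__ == "__main__":
    current = parse_spns(SAMPLE_LDIF)
    for spn, dns in find_duplicate_spns(current).items():
        print("DUPLICATE SPN", spn, "on", ", ".join(dns))
    added, removed = diff_against_baseline(parse_spns(BASELINE_LDIF), current)
    for dn, spn in sorted(added):
        print("NEW SPN", spn, "on", dn)
    for dn, spn in sorted(removed):
        print("REMOVED SPN", spn, "on", dn)
```

Run the duplicate check after applying the patch as well: the fix stops new aliases from being written, but any aliases created before the upgrade remain in the database until they are removed by hand.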
How to Mitigate CVE-2022-0336
Immediate Actions Required
- Update Samba to 4.13.17, 4.14.12, 4.15.5 or later on all AD DC deployments immediately
- Audit current SPN registrations across the domain using setspn -X or LDAP queries to identify existing conflicts
- Review and restrict account modification permissions, particularly Validated write to service principal name rights
- Enable enhanced directory change auditing to track SPN modifications
Patch Information
Samba has released security patches addressing this vulnerability (releases 4.13.17, 4.14.12 and 4.15.5). The fix changes the samldb module so that a re-added SPN is skipped and the loop continues to the next value in the modification, rather than returning success for the whole request and leaving the remaining values unchecked. Apply the latest security updates from your distribution or compile from patched source.
For detailed patch information, refer to:
Workarounds
- Restrict write permissions to the servicePrincipalName attribute through granular ACL modifications on account objects
- Implement application-layer monitoring to detect and alert on SPN modifications in real-time
- Segment network access to AD DCs to limit potential attacker positioning for traffic interception
- Enable Kerberos armoring (FAST) where supported; note that it hardens the AS exchange against credential interception but does not stop the KDC from issuing tickets for an aliased SPN, so it complements rather than replaces the ACL restrictions above
# Configuration example
# Audit current SPNs for duplicates. setspn is a Windows RSAT tool: run it from a
# domain-joined Windows host against the Samba DC.
setspn -X
# Review SPN registrations for a specific account (Windows host)
setspn -L <account_name>
# Equivalent checks run on the Samba AD DC itself
samba-tool spn list <account_name>
ldbsearch -H /var/lib/samba/private/sam.ldb '(servicePrincipalName=*)' servicePrincipalName
# Check Samba version for patch status (fixed in 4.13.17, 4.14.12 and 4.15.5)
samba --version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

