As per upstream advisory: Samba implements DCE/RPC, and in most cases it is provided over and protected by the underlying SMB transport, with protections like 'SMB signing'. However there are other cases where large DCE/RPC request payloads are exchanged and fragmented into several pieces. If this happens over untrusted transports (e.g. directly over TCP/IP or anonymous SMB) clients will typically protect by an explicit authentication at the DCE/RPC layer, e.g. with GSSAPI/Kerberos/NTLMSSP or Netlogon Secure Channel. Because the checks on the fragment protection were not done between the policy controls on the header and the subsequent fragments, an attacker could replace subsequent fragments in requests with their own data, which might be able to alter the server behaviour.
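The consistency rule the description implies, as an added example that is not part of the original report and is not Samba's code: every fragment of a request must carry the same call_id and the same (auth_type, auth_level, auth_context_id) as the first fragment. The function names and sample fragments are hypothetical and constructed; little-endian data representation is assumed, and the auth_value bytes are placeholders that are not cryptographically verified here.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG, PTYPE_REQUEST = 0x01, 0x02, 0
HDR = struct.Struct("<BBBB4sHHI")      # common header (16 bytes), little-endian drep assumed
SEC_TRAILER = struct.Struct("<BBBBI")  # auth_type, auth_level, pad_len, reserved, context_id

def parse_fragment(pdu):
    """Return (pfc_flags, call_id, auth); auth is (type, level, ctx_id) or None."""
    if len(pdu) < HDR.size:
        raise ValueError("short PDU")
    _, _, ptype, flags, _, frag_len, auth_len, call_id = HDR.unpack_from(pdu)
    if ptype != PTYPE_REQUEST or frag_len != len(pdu):
        raise ValueError("not a well-formed request fragment")
    if auth_len == 0:
        return flags, call_id, None            # fragment carries no auth verifier
    off = frag_len - auth_len - SEC_TRAILER.size
    if off < HDR.size + 8:                     # 8 = alloc_hint + p_cont_id + opnum
        raise ValueError("auth trailer overlaps request header")
    a_type, a_level, _, _, ctx = SEC_TRAILER.unpack_from(pdu, off)
    return flags, call_id, (a_type, a_level, ctx)

def check_request(fragments):
    """Accept only if every fragment carries the first fragment's call_id and auth tuple."""
    first = None
    for i, pdu in enumerate(fragments):
        flags, call_id, auth = parse_fragment(pdu)
        if i == 0:
            if not flags & PFC_FIRST_FRAG:
                return False, "first PDU lacks FIRST_FRAG"
            first = (call_id, auth)
        elif flags & PFC_FIRST_FRAG or (call_id, auth) != first:
            return False, f"fragment {i} does not match first fragment's protection"
        if flags & PFC_LAST_FRAG:
            done = i == len(fragments) - 1
            return done, "ok" if done else "data after LAST_FRAG"
    return False, "missing LAST_FRAG"

def make_frag(flags, call_id, stub, auth=None):
    """Build a constructed sample request fragment (auth_value is 16 placeholder bytes)."""
    trailer = SEC_TRAILER.pack(auth[0], auth[1], 0, 0, auth[2]) + bytes(16) if auth else b""
    body = struct.pack("<IHH", len(stub), 0, 0) + stub + trailer
    return HDR.pack(5, 0, PTYPE_REQUEST, flags, b"\x10\0\0\0", HDR.size + len(body),
                    16 if auth else 0, call_id) + body

KRB5_INTEGRITY = (16, 5, 1)  # constructed: auth_type 16 (Kerberos), auth_level 5 (integrity), ctx 1
GOOD = [make_frag(PFC_FIRST_FRAG, 7, b"A" * 8, KRB5_INTEGRITY),
        make_frag(PFC_LAST_FRAG, 7, b"B" * 8, KRB5_INTEGRITY)]
SWAPPED = [GOOD[0], make_frag(PFC_LAST_FRAG, 7, b"X" * 8)]  # second fragment unauthenticated
print(check_request(GOOD), check_request(SWAPPED))
```

A real server must additionally verify each fragment's auth_value with the negotiated security context; this check only shows why the per-fragment comparison against the first fragment matters.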
Created samba tracking bugs for this issue: Affects: fedora-all [bug 2021715]
This issue has been addressed in the following products: Red Hat Gluster Storage 3.5 for RHEL 8 Via RHSA-2021:4843 https://access.redhat.com/errata/RHSA-2021:4843
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-23192
Upstream advisory: https://www.samba.org/samba/security/CVE-2021-23192.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:5082 https://access.redhat.com/errata/RHSA-2021:5082
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Extended Update Support Via RHSA-2022:0008 https://access.redhat.com/errata/RHSA-2022:0008