Opened 22 months ago

Closed 22 months ago

Last modified 22 months ago

#17316 closed enhancement (fixed)

samba-4.17.3

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 11.3
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (3)

comment:1 by Douglas R. Reno, 22 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

Same CVE as krb5

CVE-2022-42898.html:

===========================================================
== Subject:     Samba buffer overflow vulnerabilities on 32-bit
==              systems
==
== CVE ID#:     CVE-2022-42898
==
== Versions:    All versions of Samba prior to 4.15.12, 4.16.7, 4.17.3
==
== Summary:     Samba's Kerberos libraries and AD DC failed to guard
==              against integer overflows when parsing a PAC on a 32-bit
==              system, which allowed an attacker with a forged PAC to
==              corrupt the heap.
===========================================================

===========
Description
===========

The Kerberos libraries used by Samba provide a mechanism for
authenticating a user or service by means of tickets that can contain
Privilege Attribute Certificates (PACs).

Both the Heimdal and MIT Kerberos libraries, and so the embedded
Heimdal shipped by Samba suffer from an integer multiplication
overflow when calculating how many bytes to allocate for a buffer for
the parsed PAC.

On a 32-bit system an overflow allows placement of 16-byte chunks of
entirely attacker-controlled data.

(Because the user's control over this calculation is limited to an
unsigned 32-bit value, 64-bit systems are not impacted).

The server most vulnerable is the KDC, as it will parse an
attacker-controlled PAC in the S4U2Proxy handler.

The secondary risk is to Kerberos-enabled file server installations in
a non-AD realm.  A non-AD Heimdal KDC controlling such a realm may
pass on an attacker-controlled PAC within the service ticket.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.12, 4.16.7, and 4.17.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4)

==========================
Workaround and mitigations
==========================

* No workaround on 32-bit systems as an AD DC
* file servers are only impacted if in a non-AD domain
* 64-bit systems are not exploitable.
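
The multiplication overflow the advisory describes, as an added example that is not Samba's or Heimdal's code: the unchecked 32-bit size computation beside a checked version that rejects a PAC whose entry count cannot be multiplied by 16 without wrapping, and that is therefore safe on both 32-bit and 64-bit builds. The header layout (a little-endian 32-bit entry count), the entry-size constant and the function names are assumptions constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not Samba or Heimdal code. Each parsed PAC buffer
 * entry is modelled as the 16-byte chunk the advisory names; the header
 * layout (a little-endian 32-bit entry count) is an assumption. */
#define PAC_ENTRY_SIZE 16u

/* Constructed 4-byte headers: a small count (3) and a count (0x10000001)
 * whose product with 16 no longer fits in 32 bits. */
static const uint8_t PAC_HDR_SMALL_COUNT[4] = {0x03, 0x00, 0x00, 0x00};
static const uint8_t PAC_HDR_HUGE_COUNT[4]  = {0x01, 0x00, 0x00, 0x10};

/* The defective computation as a 32-bit build evaluates it: the product
 * is formed in 32-bit arithmetic and silently wraps, so the buffer
 * allocated is far smaller than what the parser later writes into it. */
uint32_t pac_alloc_size_unchecked32(uint32_t count)
{
    return count * PAC_ENTRY_SIZE;   /* 0x10000001 * 16 wraps to 16 */
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Checked version: bound the count before multiplying, for a build whose
 * allocation size type is `size_bits` wide (32 or 64). Returns the byte
 * size to allocate, or -1 if the product would not fit. */
int64_t pac_header_alloc_size(const uint8_t hdr[4], unsigned size_bits)
{
    uint32_t count = read_le32(hdr);
    uint64_t max_size = (size_bits >= 64) ? UINT64_MAX
                                          : ((1ULL << size_bits) - 1);
    if (count > max_size / PAC_ENTRY_SIZE) {
        return -1;                   /* would overflow: reject the PAC */
    }
    return (int64_t)((uint64_t)count * PAC_ENTRY_SIZE);
}

int main(void)
{
    printf("unchecked 32-bit size for huge count: %u\n",
           pac_alloc_size_unchecked32(read_le32(PAC_HDR_HUGE_COUNT)));
    printf("checked, 32-bit build: %lld\n",
           (long long)pac_header_alloc_size(PAC_HDR_HUGE_COUNT, 32));
    printf("checked, 64-bit build: %lld\n",
           (long long)pac_header_alloc_size(PAC_HDR_HUGE_COUNT, 64));
    return 0;
}
```

The 64-bit result shows why the advisory limits impact to 32-bit systems: the count is a 32-bit value, so its product with 16 always fits a 64-bit size type.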

comment:2 by Douglas R. Reno, 22 months ago

Priority: normal → elevated
Resolution: fixed
Status: assigned → closed

comment:3 by Douglas R. Reno, 22 months ago

Issued SA-11.2-045
