
=====================================================================

                                 CERT-Renater

                      Note d'Information No. 2022/VULN400

_____________________________________________________________________

DATE                : 25/10/2022

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Samba versions prior to
                          9.15.13.0, 10.15.2.2, 10.20.1, 10.19.1.

=====================================================================
https://www.samba.org/samba/security/CVE-2022-3437.html
https://www.samba.org/samba/security/CVE-2022-3592.html
_____________________________________________________________________

CVE-2022-3437.html:
===========================================================
== Subject:     Buffer overflow in Heimdal unwrap_des3()
==
== CVE ID#:     CVE-2022-3437
==
== Versions:    All versions of Samba since Samba 4.0 compiled
==              with Heimdal Kerberos
==
== Summary:     There is a limited write heap buffer overflow
==              in the GSSAPI unwrap_des() and unwrap_des3()
==              routines of Heimdal (included in Samba).
===========================================================

===========
Description
===========

The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.

Examples of where Samba can use GSSAPI include the client and
fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and
LDAP in the Active Directory Domain Controller.

However, not all Samba installations are impacted!  Samba is often
compiled to use the system MIT Kerberos using the
--with-system-mitkrb5 argument, and these installations are not
impacted, as the vulnerable code is not compiled into Samba.

However, when, as is the default, Samba is compiled to use the
internal Heimdal Kerberos library, the vulnerable unwrap_des3() is
used.

(The single-DES use case, along with the equally vulnerable
unwrap_des(), is only compiled into Samba 4.11 and earlier.)

The primary use of Samba's internal Heimdal is for the Samba AD DC,
but this vulnerability does impact fileserver deployments built with
the default build options.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

     https://www.samba.org/samba/security/

Additionally, Samba 4.15.11, 4.16.6 and 4.17.2 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)

==========
Workaround
==========

Compiling Samba with --with-system-mitkrb5 will avoid this issue.

=======
Credits
=======

Originally reported by Evgeny Legerov of Intevydis.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________

CVE-2022-3592.html:
===========================================================
== Subject:     Wide links protection broken
==
== CVE ID#:     CVE-2022-3592
==
== Versions:    All versions of Samba since 4.17.0
==
== Summary:     A malicious client can use a symlink to escape
==              the exported directory
===========================================================

===========
Description
===========

Samba 4.17 introduced following symlinks in user space with the
intent to properly check symlink targets to stay within the share
that was configured by the administrator. The check does not properly
cover a corner case, so that a user can create a symbolic link that
will make smbd escape the configured share path.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks and
use the vulnerability to get access to all of the server's file
system.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

     https://www.samba.org/samba/security/

Samba 4.17.2 has been issued as a security release to correct the
defect. Samba administrators are advised to upgrade to this release as
soon as possible.
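Both "Patch Availability" sections above give the fix only as a list of release numbers, which is awkward to apply by hand across a fleet where smbd reports distribution-suffixed versions. The following script is an added example written for this note; it is not code from the Samba Team or CERT-Renater. It encodes exactly the version facts stated in the two advisories: CVE-2022-3437 affects every Samba since 4.0 built with the internal Heimdal and is fixed in 4.15.11, 4.16.6 and 4.17.2, and CVE-2022-3592 exists only in 4.17.0 and 4.17.1. Two points are assumptions of the example, not statements of the advisories: a branch older than 4.15 is treated as unpatched because no security release was issued for it, and any release newer than 4.17.2 is treated as carrying the fix. The version strings in the usage section are constructed samples of `smbd --version` output.

```python
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Security releases named in the advisories, keyed by release branch.
FIXED_3437: Dict[Tuple[int, int], Version] = {
    (4, 15): (4, 15, 11),
    (4, 16): (4, 16, 6),
    (4, 17): (4, 17, 2),
}
NEWEST_FIX_3437: Version = (4, 17, 2)

# CVE-2022-3592 was introduced in 4.17.0 and fixed in 4.17.2.
FIRST_3592: Version = (4, 17, 0)
FIXED_3592: Version = (4, 17, 2)


def parse_version(text: str) -> Optional[Version]:
    """Extract X.Y.Z from 'smbd --version' output such as 'Version 4.17.1-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return None
    major, minor, patch = (int(g) for g in m.groups())
    return (major, minor, patch)


def vulnerable_cve_2022_3437(version: Version, uses_system_mitkrb5: bool) -> bool:
    """True if this build still contains the vulnerable Heimdal unwrap_des3()."""
    if uses_system_mitkrb5:
        return False  # --with-system-mitkrb5: vulnerable code is not compiled in
    if version < (4, 0, 0):
        return False  # advisory scope starts at Samba 4.0
    if version >= NEWEST_FIX_3437:
        return False  # assumption: later releases carry the fix
    fixed = FIXED_3437.get(version[:2])
    if fixed is None:
        return True  # assumption: branch without a security release is unpatched
    return version < fixed


def vulnerable_cve_2022_3592(version: Version) -> bool:
    """True only for 4.17.0 and 4.17.1, per the advisory."""
    return FIRST_3592 <= version < FIXED_3592


def assess(smbd_version_output: str, uses_system_mitkrb5: bool) -> Dict[str, object]:
    """Summarise both CVEs for one host from its smbd version banner."""
    version = parse_version(smbd_version_output)
    if version is None:
        raise ValueError("no X.Y.Z version found in: %r" % smbd_version_output)
    return {
        "version": version,
        "CVE-2022-3437": vulnerable_cve_2022_3437(version, uses_system_mitkrb5),
        "CVE-2022-3592": vulnerable_cve_2022_3592(version),
    }


if __name__ == "__main__":
    # Constructed sample banners, not captured from real hosts.
    samples = [
        ("Version 4.17.1-Debian", False),
        ("Version 4.15.13-Ubuntu", True),
        ("Version 4.14.12", False),
    ]
    for banner, mit in samples:
        print(banner, "mitkrb5=%s" % mit, assess(banner, mit))
```

Whether a build uses the system MIT Kerberos is a build-time property that cannot be read from the version banner alone, so the script takes it as an input; the note's own workaround section is the authority on which build flag provides it.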

====================
CVSSv3.1 calculation
====================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

=================================
Workaround and mitigating factors
=================================

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.

However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.
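The workaround above depends on two smb.conf settings taken together: whether SMB1 is still negotiated at all, and whether "unix extensions" is enabled. The following audit script is an added example written for this note, not code from the Samba Team or CERT-Renater. It reads an smb.conf, applies the rule stated above (SMB1 symlink creation is only possible when SMB1 is enabled and unix extensions are on), and compares a weak configuration with the corrected one. Assumptions of the example: the default for "server min protocol" is taken as SMB2_02 (SMB1 disabled by default since 4.11.0, as the note says), "unix extensions" defaults to yes, SMB1 dialects are CORE, COREPLUS, LANMAN1, LANMAN2 and NT1, and "min protocol" is honoured as the synonym of "server min protocol"; "include =" directives are not followed. The two smb.conf texts are constructed samples.

```python
import re
from typing import Dict, Optional

# Dialects below SMB2; any of these as the server minimum keeps SMB1 enabled.
SMB1_PROTOCOLS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}
DEFAULT_MIN_PROTOCOL = "SMB2_02"   # assumption: default since Samba 4.11.0


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Parse smb.conf into {section: {normalised_key: value}}.

    Samba compares parameter names case- and whitespace-insensitively, so
    keys are lower-cased with whitespace removed ("Unix Extensions" ->
    "unixextensions"). Parameters before any section header go to [global].
    """
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # malformed line; testparm would reject it
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()
        sections[current][key] = value.strip()
    return sections


def smb_bool(value: Optional[str], default: bool) -> bool:
    """Interpret an smb.conf boolean (yes/no/true/false/1/0)."""
    if value is None:
        return default
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)


def audit_symlink_workaround(smb_conf_text: str) -> Dict[str, object]:
    """Report whether SMB1 clients can still create symlinks on this server."""
    g = parse_smb_conf(smb_conf_text)["global"]
    min_proto = (g.get("serverminprotocol") or g.get("minprotocol")
                 or DEFAULT_MIN_PROTOCOL).upper()
    smb1_enabled = min_proto in SMB1_PROTOCOLS
    unix_extensions = smb_bool(g.get("unixextensions"), default=True)
    return {
        "server min protocol": min_proto,
        "smb1_enabled": smb1_enabled,
        "unix_extensions": unix_extensions,
        "smb1_symlink_creation_possible": smb1_enabled and unix_extensions,
    }


# Constructed sample: SMB1 re-enabled for legacy clients, unix extensions left at default.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
   ; unix extensions not set, so the default (yes) applies

[data]
   path = /srv/data
   writable = yes
"""

# Constructed sample: same configuration with the workaround from the note applied.
FIXED_CONF = """
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
   unix extensions = no

[data]
   path = /srv/data
   writable = yes
"""

if __name__ == "__main__":
    print("weak :", audit_symlink_workaround(WEAK_CONF))
    print("fixed:", audit_symlink_workaround(FIXED_CONF))
```

The audit answers only the SMB1 half of the workaround; symlinks created over NFS on the same exported tree are outside what smb.conf can express, which is why the note recommends exporting a tree by either SMB2 or NFS, not both, until the server is patched.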

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
