
=====================================================================

                               CERT-Renater

                   Information Note No. 2022/VULN432

_____________________________________________________________________

DATE                : 24/11/2022

HARDWARE PLATFORM(S): 32-bit systems (64-bit systems are not exploitable)

OPERATING SYSTEM(S): Systems running Samba versions prior to 4.15.12,
                     4.16.7 or 4.17.3.

=====================================================================
https://www.samba.org/samba/security/CVE-2022-42898.html
_____________________________________________________________________

CVE-2022-42898.html:
===========================================================
== Subject:     Samba buffer overflow vulnerabilities on 32-bit
==              systems
==
== CVE ID#:     CVE-2022-42898
==
== Versions:    All versions of Samba prior to 4.15.12, 4.16.7,
==              4.17.3
==
== Summary:     Samba's Kerberos libraries and AD DC failed to guard
==              against integer overflows when parsing a PAC on a 32-bit
==              system, which allowed an attacker with a forged PAC to
==              corrupt the heap.
===========================================================

===========
Description
===========

The Kerberos libraries used by Samba provide a mechanism for
authenticating a user or service by means of tickets that can
contain Privilege Attribute Certificates (PACs).

Both the Heimdal and MIT Kerberos libraries, and therefore the Heimdal
copy embedded in Samba, suffer from an integer multiplication overflow
when calculating how many bytes to allocate for the buffer that holds
the parsed PAC.

On a 32-bit system the overflow yields an undersized heap allocation
into which the parser then copies 16-byte chunks of entirely
attacker-controlled data.

(Because the user's control over this calculation is limited to an
unsigned 32-bit value, the product cannot wrap in a 64-bit size_t, so
64-bit systems are not impacted.)
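The arithmetic behind the bug, as an added example that is not Heimdal,
MIT or Samba code: a minimal PACTYPE header check written three ways, the
pre-fix form with 32-bit size arithmetic, the same form with 64-bit size
arithmetic, and the bounded form. The macro names, the function names,
the size32_t stand-in for a 32-bit size_t and the two PAC byte strings are
this example's own constructions.

```c
#include <stdint.h>
#include <stdio.h>

/* Models the MS-PAC PACTYPE header: cBuffers (u32 LE), Version (u32 LE),
 * then cBuffers PAC_INFO_BUFFER records of 16 bytes each (ulType u32,
 * cbBufferSize u32, Offset u64). Macro and function names are this
 * example's own, not identifiers from Heimdal, MIT or Samba. */
#define PACTYPE_LENGTH         8u
#define PAC_INFO_BUFFER_LENGTH 16u

typedef uint32_t size32_t; /* stands in for size_t on a 32-bit build */

enum { PAC_OK = 0, PAC_ERANGE = 1, PAC_EOVERFLOW = 2 };

static uint32_t load_32_le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Pre-fix shape of the check with 32-bit size arithmetic. cbuffers is
 * attacker controlled, and cbuffers * 16 wraps modulo 2^32, so a huge count
 * produces a tiny header_len that passes the length check. A real parser
 * then allocates header_len bytes and loops cbuffers times, copying one
 * 16-byte record per iteration into that allocation: the heap overflow. */
int pac_header_len_vulnerable(const uint8_t *pac, size32_t len,
                              size32_t *header_len)
{
    if (len < PACTYPE_LENGTH)
        return PAC_ERANGE;
    uint32_t cbuffers = load_32_le(pac);
    *header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH; /* wraps */
    if (len < *header_len)
        return PAC_ERANGE;
    return PAC_OK;
}

/* Same arithmetic with a 64-bit size_t: a 32-bit count times 16 fits in 64
 * bits, cannot wrap, and the length check rejects the forged count. This is
 * why 64-bit systems are not impacted. */
int pac_header_len_64bit(const uint8_t *pac, uint64_t len, uint64_t *header_len)
{
    if (len < PACTYPE_LENGTH)
        return PAC_ERANGE;
    uint32_t cbuffers = load_32_le(pac);
    *header_len = PACTYPE_LENGTH + (uint64_t)cbuffers * PAC_INFO_BUFFER_LENGTH;
    if (len < *header_len)
        return PAC_ERANGE;
    return PAC_OK;
}

/* Hardened form: bound the count by what the PAC can physically hold before
 * multiplying, so the product can never exceed len on any word size. */
int pac_header_len_fixed(const uint8_t *pac, size32_t len, size32_t *header_len)
{
    if (len < PACTYPE_LENGTH)
        return PAC_ERANGE;
    uint32_t cbuffers = load_32_le(pac);
    if (cbuffers > (len - PACTYPE_LENGTH) / PAC_INFO_BUFFER_LENGTH)
        return PAC_EOVERFLOW;
    *header_len = PACTYPE_LENGTH + cbuffers * PAC_INFO_BUFFER_LENGTH; /* safe */
    return PAC_OK;
}

/* Constructed inputs, not captured traffic. forged_pac claims 0x10000001
 * buffers in a 64-byte PAC: 0x10000001 * 16 = 0x100000010, i.e. 0x10 mod 2^32.
 * good_pac claims 2 buffers in exactly 8 + 2 * 16 = 40 bytes. */
static const uint8_t forged_pac[64] = { 0x01, 0x00, 0x00, 0x10 };
static const uint8_t good_pac[40]   = { 0x02, 0x00, 0x00, 0x00 };

int main(void)
{
    size32_t hl32 = 0;
    uint64_t hl64 = 0;
    int rc;

    rc = pac_header_len_vulnerable(forged_pac, sizeof forged_pac, &hl32);
    printf("forged, 32-bit pre-fix: rc=%d header_len=%u (accepted: bug)\n",
           rc, (unsigned)hl32);
    rc = pac_header_len_64bit(forged_pac, sizeof forged_pac, &hl64);
    printf("forged, 64-bit:         rc=%d header_len=%llu\n",
           rc, (unsigned long long)hl64);
    rc = pac_header_len_fixed(forged_pac, sizeof forged_pac, &hl32);
    printf("forged, 32-bit fixed:   rc=%d\n", rc);
    rc = pac_header_len_fixed(good_pac, sizeof good_pac, &hl32);
    printf("good,   32-bit fixed:   rc=%d header_len=%u\n", rc, (unsigned)hl32);
    return 0;
}
```

The fixed variant checks the count against the space actually present in
the PAC before doing any multiplication, so it is correct regardless of
the width of size_t; the 64-bit variant is only safe because the count is
itself limited to 32 bits, which is the property the advisory relies on.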

The server most at risk is the KDC, since it parses an
attacker-controlled PAC in its S4U2Proxy (constrained delegation)
handler.

The secondary risk is to Kerberos-enabled file server
installations in a non-AD realm.  A non-AD Heimdal KDC
controlling such a realm may pass on an attacker-controlled
PAC within the service ticket.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

     https://www.samba.org/samba/security/

Additionally, Samba 4.15.12, 4.16.7, and 4.17.3 have been
issued as security releases to correct the defect. Samba
administrators are advised to upgrade to these releases or
apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4)

==========================
Workaround and mitigations
==========================

* There is no workaround for a 32-bit system running as an AD DC;
  upgrade or patch.
* File servers are only impacted if they are in a non-AD domain.
* 64-bit systems are not exploitable.

=======
Credits
=======

Originally reported by Greg Hudson with the aid of oss-fuzz.

Patches provided by Nicolas Williams of Heimdal and Joseph
Sutton of Catalyst and the Samba team.

Advisory by Joseph Sutton and Andrew Bartlett of Catalyst
and the Samba Team based on text and analysis by Greg Hudson.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================


