CVE-2022-3437: Samba - Security Announcement Archive
A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.
CVE-2022-3437.html:

===========================================================
== Subject:     Buffer overflow in Heimdal unwrap_des3()
==
== CVE ID#:     CVE-2022-3437
==
== Versions:    All versions of Samba since Samba 4.0 compiled
==              with Heimdal Kerberos
==
== Summary:     There is a limited write heap buffer overflow
==              in the GSSAPI unwrap_des() and unwrap_des3()
==              routines of Heimdal (included in Samba).
===========================================================
===========
Description
===========
The DES (for Samba 4.11 and earlier) and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet.
Examples of where Samba can use GSSAPI include the client and fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and LDAP in the Active Directory Domain Controller.
However, not all Samba installations are impacted! Samba is often compiled to use the system MIT Kerberos using the --with-system-mitkrb5 argument, and these installations are not impacted, as the vulnerable code is not compiled into Samba.
However, when, as is the default, Samba is compiled to use the internal Heimdal Kerberos library, the vulnerable unwrap_des3() is used.
(The single-DES use case, along with the equally vulnerable unwrap_des(), is only compiled into Samba 4.11 and earlier.)
The primary use of Samba’s internal Heimdal is for the Samba AD DC, but this vulnerability does impact fileserver deployments built with the default build options.
==================
Patch Availability
==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.15.11, 4.16.6 and 4.17.2 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)
==========
Workaround
==========
Compiling Samba with --with-system-mitkrb5 will avoid this issue.
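The two questions an administrator needs answered for this advisory are whether the running Samba is one of the fixed releases (4.15.11, 4.16.6, 4.17.2 or later) and whether the build uses system MIT Kerberos rather than the internal Heimdal. The following POSIX shell script is an added example and not part of the advisory or of Samba; it assumes that `smbd -b` lists the build define `SAMBA_USES_MITKRB5` for --with-system-mitkrb5 builds, and it treats branches older than 4.15 as needing the posted patch rather than a release upgrade.

```shell
#!/bin/sh
# Added example, not from the Samba advisory: triage a host against CVE-2022-3437.

# samba_fix_status VERSION -> prints: fixed | vulnerable | unsupported
# "unsupported" = branch older than 4.15, for which no security release was
# issued in this advisory; apply the patch from samba.org/samba/security/.
samba_fix_status() {
    ver=$1
    major=$(printf '%s' "$ver" | cut -d. -f1)
    minor=$(printf '%s' "$ver" | cut -d. -f2)
    # strip distro suffixes such as "6-Ubuntu" -> "6"
    patch=$(printf '%s' "$ver" | cut -d. -f3 | sed 's/[^0-9].*//')
    [ -n "$patch" ] || patch=0
    if [ "$major" -gt 4 ] || { [ "$major" -eq 4 ] && [ "$minor" -ge 18 ]; }; then
        echo fixed; return
    fi
    if [ "$major" -lt 4 ] || [ "$minor" -lt 15 ]; then
        echo unsupported; return
    fi
    case "$minor" in          # fixed releases named in the advisory
        15) need=11 ;;
        16) need=6 ;;
        17) need=2 ;;
    esac
    if [ "$patch" -ge "$need" ]; then echo fixed; else echo vulnerable; fi
}

# build_uses_system_mitkrb5 BUILD_OPTIONS_TEXT -> exit 0 when the build was
# configured with --with-system-mitkrb5 (assumption: `smbd -b` prints the
# define SAMBA_USES_MITKRB5 for such builds and omits it for internal Heimdal).
build_uses_system_mitkrb5() {
    printf '%s\n' "$1" | grep -qw SAMBA_USES_MITKRB5
}

# Constructed, abbreviated stand-in for `smbd -b` output (not a real capture).
SAMPLE_BUILD="Build environment:
System Headers:
   HAVE_GSSAPI
   SAMBA_USES_MITKRB5"

if command -v smbd >/dev/null 2>&1; then
    ver=$(smbd --version | sed 's/^Version //')
    build=$(smbd -b)
else
    ver="4.16.5"; build=$SAMPLE_BUILD      # offline demo input
fi
status=$(samba_fix_status "$ver")
if build_uses_system_mitkrb5 "$build"; then
    echo "Samba $ver: $status, but built with system MIT Kerberos: not affected"
else
    echo "Samba $ver with internal Heimdal: $status"
fi
```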
=======
Credits
=======
Originally reported by Evgeny Legerov of Intevydis.
Patches provided by Joseph Sutton of Catalyst and the Samba Team, advisory written by Andrew Bartlett of Catalyst and the Samba Team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Related news
Gentoo Linux Security Advisory 202310-6 - Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC. Versions greater than or equal to 7.8.0-r1 are affected.
Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.
Ubuntu Security Notice 5936-1 - Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos keys. A remote attacker could possibly use this issue to elevate privileges.
The fix for CVE-2022-3437 included changing memcmp to be constant time and a workaround for a compiler bug by adding "!= 0" comparisons to the result of memcmp. When these patches were backported to the heimdal-7.7.1 and heimdal-7.8.0 branches (and possibly other branches) a logic inversion sneaked in causing the validation of message integrity codes in gssapi/arcfour to be inverted.
Debian Linux Security Advisory 5344-1 - Helmut Grohne discovered a flaw in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos. The backports of fixes for CVE-2022-3437 accidentally inverted important memory comparisons in the arcfour-hmac-md5 and rc4-hmac integrity check handlers for gssapi, resulting in incorrect validation of message integrity codes.
Ubuntu Security Notice 5822-2 - USN-5822-1 fixed vulnerabilities in Samba. The update for Ubuntu 20.04 LTS introduced regressions in certain environments. Pending investigation of these regressions, this update temporarily reverts the security fixes. It was discovered that Samba incorrectly handled the bad password count logic. It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure Channel. Greg Hudson discovered that Samba incorrectly handled PAC parsing. Joseph Sutton discovered that Samba could be forced to issue rc4-hmac encrypted Kerberos tickets.
Ubuntu Security Notice 5822-1 - It was discovered that Samba incorrectly handled the bad password count logic. A remote attacker could possibly use this issue to bypass bad passwords lockouts. This issue was only addressed in Ubuntu 22.10. Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service.
Ubuntu Security Notice 5800-1 - It was discovered that Heimdal incorrectly handled certain SPNEGO tokens. A remote attacker could possibly use this issue to cause a denial of service. Evgeny Legerov discovered that Heimdal incorrectly handled memory when performing certain DES decryption operations. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
Debian Linux Security Advisory 5287-1 - Several vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos.