==================================================================== == Subject: Server memory information leak via SMB1 only. == == CVE ID#: CVE-2022-TBD == == Versions: All versions of Samba. == == Summary: SMB1 Client with write access to a share can cause == server memory contents to be written into a file == or printer. == ==================================================================== =========== Description =========== Please note that SMB1 is *NOT* enabled by default, only sites where SMB1 has been enabled by the administrator are vulnerable to this bug. All versions of Samba are vulnerable to a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client supplied data. The client cannot control the area of the server memory that is written to the file (or printer). ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.16.x, 4.15.x and 4.14.x have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ================== CVSSv3.1 calculation ================== CVSS:AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:F/RL:O/RC:C/CR:M/IR:L/AR:L/MAV:N/MAC:H/MPR:L/MUI:N/MS:U/MC:X/MI:N/MA:N base score of 2.9 ========== Workaround ========== This is an SMB1-only vulnerability. Since Samba release 4.11.0 SMB1 has been disabled by default. Do not turn on SMB1 serving unless required for your specific clients. ======= Credits ======= This problem was reported by Luca Moro working with Trend Micro Zero Day Initiative. Jeremy Allison of Google and the Samba Team provided the fix.