===========================================================
== Subject:     Buffer overflow
==
== CVE ID#:
==
== Versions:    All versions of Samba since Samba 4.0 compiled
==              with Heimdal Kerberos
==
== Summary:     There is a limited write buffer overflow in
==              the GSSAPI unwrap_des() and unwrap_des3()
==              routines of Heimdal (included in Samba).
===========================================================

===========
Description
===========

The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a small buffer overflow
when presented with a maliciously small packet.

Examples of where Samba can use GSSAPI include the client and
fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and
LDAP in the Active Directory Domain Controller.

Not all Samba installations are impacted. Samba can be compiled to
use the system (typically MIT) Kerberos using the
--with-system-mitkrb5 argument, and these installations are not
impacted, as the vulnerable code is not compiled.

However, when compiled to use the internal Heimdal Kerberos library
(the default), which provides this routine, Samba is vulnerable.

The primary use of Samba's internal Heimdal is for the Samba AD DC,
but this can impact fileserver deployments with the default build
options.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases
to correct the defect. Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)

==========
Workaround
==========

Compiling Samba with --with-system-mitkrb5 will avoid this issue.
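An added example, not part of this advisory, of a heuristic check for whether an installed smbd was built against Samba's internal Heimdal (affected) or the system MIT Kerberos (not affected). It assumes, as a build convention rather than anything stated above, that Samba's bundled Heimdal libraries carry a "-samba4" suffix (libkrb5-samba4.so, libgssapi-samba4.so) and that MIT's GSSAPI library is named libgssapi_krb5.so; the sample ldd lines are constructed, not captured.

```shell
#!/bin/sh
# Added example (not Samba project code). Classifies a Samba binary by the
# Kerberos libraries it is linked against, as shown by ldd. Assumption: the
# internal Heimdal ships as lib*-samba4.so; MIT ships libgssapi_krb5.so.

# classify_krb5_linkage LDD_OUTPUT
#   prints "heimdal-internal", "mit-system" or "unknown"
classify_krb5_linkage() {
    ldd_out="$1"
    # Check for the bundled Heimdal first: other dependencies (e.g. libldap
    # via SASL) can pull in MIT libraries even on an internal-Heimdal build.
    if printf '%s\n' "$ldd_out" | grep -qE 'lib(krb5|gssapi|hx509|asn1)-samba4\.so'; then
        echo "heimdal-internal"
    elif printf '%s\n' "$ldd_out" | grep -qE 'libgssapi_krb5\.so'; then
        echo "mit-system"
    else
        echo "unknown"
    fi
}

# check_smbd: classify the smbd found on PATH (live system use).
check_smbd() {
    smbd_path="$(command -v smbd 2>/dev/null)" || return 1
    classify_krb5_linkage "$(ldd "$smbd_path" 2>/dev/null)"
}

# Constructed sample ldd output (not real captures) for offline use.
SAMPLE_HEIMDAL='libgssapi-samba4.so.2 => /usr/lib/samba/libgssapi-samba4.so.2 (0x0)
libkrb5-samba4.so.26 => /usr/lib/samba/libkrb5-samba4.so.26 (0x0)
libkrb5.so.3 => /lib/libkrb5.so.3 (0x0)'
SAMPLE_MIT='libgssapi_krb5.so.2 => /lib/libgssapi_krb5.so.2 (0x0)
libkrb5.so.3 => /lib/libkrb5.so.3 (0x0)'
SAMPLE_NONE='libc.so.6 => /lib/libc.so.6 (0x0)'
```

A result of "heimdal-internal" means the build includes the vulnerable Heimdal code; "mit-system" corresponds to the --with-system-mitkrb5 workaround.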
=======
Credits
=======

Originally reported by Evgeny Legerov of Intevydis.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================