===========================================================
== Subject:     Buffer overflow 
==
== CVE ID#:     
==
== Versions:    All versions of Samba since Samba 4.0 compiled
==              with Heimdal Kerberos
==
== Summary:     There is a limited write heap buffer overflow
==              in the GSSAPI unwrap_des() and unwrap_des3()
==              routines of Heimdal (included in Samba).
===========================================================

===========
Description
===========

The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.

Examples of where Samba can use GSSAPI include the client and
fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and
LDAP in the Active Directory Domain Controller.

However not all Samba installations are impacted!  Samba is often
compiled to use the system MIT Kerberos using the
--with-system-mitkrb5 argument and these installations are not
impacted, as the vulnerable code is not compiled into Samba.

However when, as is the default, Samba is compiled to use the internal
Heimdal Kerberos library the vulnerable unwrap_des3() is used.

(The single-DES use case, along with the equally vulnerable
unwrap_des() is only compiled into Samba 4.11 and earlier).

The primary use of Samba's internal Heimdal is for the Samba AD DC,
but this vulnerability does impact fileserver deployments built with
the default build options.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)

==========
Workaround
==========

Compiling Samba with --with-system-mitkrb5 will avoid this issue.

=======
Credits
=======

Originally reported by Evgeny Legerov of Intevydis.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================