The Samba-Bugzilla – Attachment 17622 Details for Bug 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing vulnerability
Samba advisory v1
CVE-2022-42898-advisory-v1.txt (text/plain), 2.96 KB, created by Jennifer Sutton on 2022-11-04 02:37:04 UTC
===========================================================
== Subject: Samba buffer overflow vulnerabilities on 32-bit
== systems
==
== CVE ID#: CVE-2022-42898
==
== Versions: All versions of Samba prior to 4.15.next, 4.16.next, 4.17.next
==
== Summary: Samba's Kerberos libraries failed to guard against
== integer overflows when parsing a PAC on a 32-bit
== system, which allowed an attacker with a forged PAC to
== corrupt the heap.
===========================================================

===========
Description
===========

The Kerberos libraries used by Samba provide a mechanism for authenticating a user or service by means of tickets that can contain Privilege Attribute Certificates (PACs). Both the Heimdal and MIT Kerberos libraries, when calculating how many bytes to allocate for a buffer that was to receive a parsed PAC, failed to handle the case in which the result overflowed. Because the user's control over this calculation is limited to an unsigned 32-bit value, such an outcome may be considered, if the calculation is performed in the ample integer range of a 64-bit system, a practical impossibility.

On a 32-bit system the situation is more grave. An overflow in that case will result in a buffer on the heap that is too short. Into this undersized buffer are placed 16-byte chunks of entirely attacker-controlled data, which, although subject to consistency checks, are not verified until after being written to memory. The server will cease parsing once a check has failed, but by this time the heap may have already been corrupted and the stage set for a crash or remote code execution.

To take advantage of this vulnerability, an attacker must cause an unsuspecting server to ingest and parse a specially forged PAC. By employing a Service for User to Proxy (S4U2Proxy) request, one need only possess the key of a server within the realm to be able to encrypt an arbitrary PAC into a ticket that the KDC will accept. Furthermore, a compromised RODC provides the means to forge malicious tickets which the KDC will accept and parse without question.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.next, 4.16.next, and 4.17.next have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Greg Hudson with the aid of oss-fuzz.

Patches provided by Nicolas Williams of Heimdal and Joseph Sutton of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
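As an added illustration of the size arithmetic the advisory's Description section refers to (not code from Samba, Heimdal or MIT Kerberos), the C below models the allocation-length computation with 32-bit unsigned integers, as it would behave on a 32-bit system, and places the unchecked form beside an overflow-checked form that a parser should apply before allocating or copying anything. The 8-byte header and 16-byte per-entry sizes are the MS-PAC layout; the function names and the sample counts are assumptions constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration, not Heimdal, MIT or Samba code. Sizes follow
 * the MS-PAC layout: an 8-byte PACTYPE header (cBuffers, Version) followed
 * by cBuffers PAC_INFO_BUFFER entries of 16 bytes each. */
#define PAC_HEADER_LEN      8u
#define PAC_INFO_BUFFER_LEN 16u

/* All size arithmetic is done in uint32_t to model size_t on a 32-bit
 * system, where the advisory says the wrap-around is reachable. */
typedef uint32_t size32_t;

/* Unchecked: cbuffers * 16 wraps for counts >= 2^28, so the returned
 * length can be far smaller than the entries later copied into it. */
size32_t pac_alloc_len_unchecked(uint32_t cbuffers)
{
    return PAC_HEADER_LEN + cbuffers * PAC_INFO_BUFFER_LEN;
}

/* Checked: reports failure instead of returning an undersized length. */
bool pac_alloc_len_checked(uint32_t cbuffers, size32_t *len_out)
{
    size32_t entries;
    if (__builtin_mul_overflow(cbuffers, (size32_t)PAC_INFO_BUFFER_LEN, &entries))
        return false;
    return !__builtin_add_overflow((size32_t)PAC_HEADER_LEN, entries, len_out);
}

/* Stronger check a parser can apply before allocating or copying anything:
 * the count must also be consistent with the length of the PAC actually
 * received, since every entry has to come from that data. */
bool pac_count_fits(uint32_t cbuffers, size32_t pac_len)
{
    size32_t need;
    return pac_alloc_len_checked(cbuffers, &need) && need <= pac_len;
}

int main(void)
{
    uint32_t huge = 0x10000000u;          /* 2^28 entries: 2^32 bytes */
    size32_t len;
    printf("unchecked length for %u entries: %u bytes\n",
           huge, pac_alloc_len_unchecked(huge));          /* wraps to 8 */
    printf("checked: %s\n", pac_alloc_len_checked(huge, &len) ? "ok" : "rejected");
    printf("4 entries in 72-byte PAC fit: %d\n", pac_count_fits(4, 72));
    return 0;
}
```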