The Samba-Bugzilla – Attachment 17625 Details for Bug 15203: CVE-2022-42898 [SECURITY] krb5_pac_parse() buffer parsing vulnerability
Advisory v2
CVE-2022-42898-advisory-v2.txt (text/plain), 2.67 KB, created by Andrew Bartlett on 2022-11-04 08:38:40 UTC
===========================================================
== Subject: Samba buffer overflow vulnerabilities on 32-bit
==          systems
==
== CVE ID#: CVE-2022-42898
==
== Versions: All versions of Samba prior to 4.15.next, 4.16.next, 4.17.next
==
== Summary: Samba's Kerberos libraries and AD DC failed to guard
==          against integer overflows when parsing a PAC on a 32-bit
==          system, which allowed an attacker with a forged PAC to
==          corrupt the heap.
===========================================================

===========
Description
===========

The Kerberos libraries used by Samba provide a mechanism for
authenticating a user or service by means of tickets that can contain
Privilege Attribute Certificates (PACs).

Both the Heimdal and MIT Kerberos libraries, and so the embedded
Heimdal shipped by Samba, suffer from an integer multiplication
overflow when calculating how many bytes to allocate for a buffer for
the parsed PAC.

On a 32-bit system an overflow allows placement of 16-byte chunks of
entirely attacker-controlled data.

(Because the user's control over this calculation is limited to an
unsigned 32-bit value, 64-bit systems are not impacted.)

The server most vulnerable is the KDC, as it will parse an
attacker-controlled PAC in the S4U2Proxy handler.

The secondary risk is to Kerberos-enabled file server installations in
a non-AD realm. A non-AD Heimdal KDC controlling such a realm may
pass on an attacker-controlled PAC within the service ticket.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.next, 4.16.next, and 4.17.next have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4)

==========================
Workaround and mitigations
==========================

* No workaround on 32-bit systems as an AD DC
* File servers are only impacted if in a non-AD domain
* 64-bit systems are not exploitable.

=======
Credits
=======

Originally reported by Greg Hudson with the aid of oss-fuzz.

Patches provided by Nicolas Williams of Heimdal and Joseph Sutton of
Catalyst and the Samba team.

Advisory by Joseph Sutton and Andrew Bartlett of Catalyst and the
Samba Team based on text and analysis by Greg Hudson.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
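The defect class the advisory describes, an allocation size computed as an attacker-supplied 32-bit count multiplied by a fixed entry size, is easy to model. The following is an added example, not Samba's or Heimdal's PAC parser: it simulates the 32-bit case with uint32_t arithmetic so it behaves the same on a 64-bit host, uses the 16-byte entry size the advisory mentions, and shows the unchecked multiplication next to a checked one that rejects a count whose product would not fit. The header layout (a little-endian count at offset 0), the sample bytes and all function names are assumptions constructed for the illustration.

```c
/* Added example (not Samba/Heimdal code): models a count * 16 allocation
 * size computed in 32-bit arithmetic, as on the 32-bit systems the
 * advisory covers, and the overflow check that prevents the wrap. */
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Size of one buffer descriptor; the advisory speaks of 16-byte chunks. */
#define ENTRY_SIZE 16u

/* Assumed minimal header: a little-endian 32-bit count of entries. */
static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unsafe form: the product is computed in 32 bits and silently wraps,
 * so a large count yields a tiny allocation. */
uint32_t alloc_size_unchecked(uint32_t count)
{
    return count * ENTRY_SIZE;
}

/* Safe form: refuse any count whose product would exceed a 32-bit size.
 * Returns true and stores the size on success, false on overflow. */
bool alloc_size_checked(uint32_t count, uint32_t *out)
{
    if (count > UINT32_MAX / ENTRY_SIZE) {
        return false;
    }
    *out = count * ENTRY_SIZE;
    return true;
}

/* Read the entry count from a header and validate it before any
 * allocation: the product must not overflow, and the declared entries
 * must actually be present in the data that was received. */
bool pac_buffer_table_size(const uint8_t *data, size_t len, uint32_t *alloc_len)
{
    if (len < 4) {
        return false;
    }
    uint32_t count = read_le32(data);
    uint32_t need;
    if (!alloc_size_checked(count, &need)) {
        return false;            /* count * 16 would wrap on 32-bit */
    }
    if (need > len - 4) {
        return false;            /* header claims more entries than exist */
    }
    *alloc_len = need;
    return true;
}

int main(void)
{
    /* Constructed header with count 0x10000001: 0x10000001 * 16 is
     * 0x100000010, which truncates to 16 in 32-bit arithmetic. */
    const uint8_t hostile[4] = {0x01, 0x00, 0x00, 0x10};
    uint32_t count = read_le32(hostile);
    uint32_t sz;

    printf("count=%u unchecked size=%u\n", count, alloc_size_unchecked(count));
    printf("checked parse: %s\n",
           pac_buffer_table_size(hostile, sizeof hostile, &sz) ? "accepted" : "rejected");

    /* Constructed benign header: count 2 followed by two 16-byte entries. */
    uint8_t benign[4 + 2 * ENTRY_SIZE] = {0x02, 0x00, 0x00, 0x00};
    printf("benign parse: %s (%u bytes)\n",
           pac_buffer_table_size(benign, sizeof benign, &sz) ? "accepted" : "rejected", sz);
    return 0;
}
```

The pre-multiplication check (`count > UINT32_MAX / ENTRY_SIZE`) is the portable way to express the guard; the second check, comparing the computed size against the bytes actually received, is what stops a heap allocation from being sized by a field the sender controls rather than by the data in hand.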
Flags: jsutton: review+, ghudson: review+