The Samba-Bugzilla – Attachment 17926 Details for Bug 15072
CVE-2022-2127 [SECURITY] lm_resp_len not checked properly in winbindd_pam_auth_crap_send()
Advisory v3
CVE-2022-2127-advisory-v3.txt (text/plain), 2.73 KB, created by Andrew Bartlett on 2023-06-19 06:23:22 UTC
TODO: $VERSION

===========================================================
== Subject:     Out-Of-Bounds read in winbind AUTH_CRAP
==
== CVE ID#:     CVE-2022-2127
==
== Versions:    All versions up to $VERSION
==
== Summary:     When winbind is used for NTLM
                authentication, a maliciously crafted
                request can trigger an out-of-bounds read
                in winbind and possibly crash it.
===========================================================

===========
Description
===========

When doing NTLM authentication, the client sends replies to
cryptographic challenges back to the server. These replies
have variable length. Winbind did not properly bounds-check
the LAN Manager response length, which is still part of the
protocol even though the LAN Manager version of the response
is no longer used.

If the system is running Samba's ntlm_auth as authentication backend
for services like Squid (or a very unusual configuration with
FreeRADIUS), the vulnerability is remotely exploitable.

If not so configured, or to exploit this vulnerability locally, the
user must have access to the privileged winbindd UNIX domain
socket (a subdirectory with name 'winbindd_privileged' under "state
directory", as set in the smb.conf).

This access is normally only given to special system services like
Squid or FreeRADIUS that use this feature.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

A local exploit, for systems without ntlm_auth configured:

CVSS3.1:AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.4)

The remote exploit, with ntlm_auth configured:

CVSS3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (5.9)

==========
Workaround
==========

Delegated access to this facility is done via group ownership and
group membership.

The group owner of the 'winbindd_privileged' subfolder under the path
given by

    testparm -s /path/to/smb.conf --parameter-name='state directory'

can be changed to root, or the group members reduced, if the NTLM
authentication feature of tools like Squid and FreeRADIUS is not in
use.

The 0750 permissions must however be retained, as winbindd will
otherwise fail to start.

As reassurance, smbd will continue to use this feature and will
always access this path as root.

=======
Credits
=======

Found through a Coverity finding, fixed by the Samba Team

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
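The workaround section above as a defender's audit script, added here and not part of the advisory or of Samba itself. It assumes GNU coreutils stat(1) and glibc getent(1), that testparm is on PATH, and the /etc/samba/smb.conf path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added audit for the advisory's workaround; not Samba code.
# Assumptions: GNU coreutils stat(1) and glibc getent(1) are available,
# testparm is on PATH, and /etc/samba/smb.conf below is a placeholder path.

# Derive the winbindd_privileged path from 'state directory' in the given
# smb.conf, using the testparm invocation quoted in the advisory.
priv_dir_from_conf() {
    state_dir=$(testparm -s "$1" --parameter-name='state directory' 2>/dev/null) || return 1
    printf '%s/winbindd_privileged\n' "$state_dir"
}

# The advisory requires exactly 0750: winbindd refuses to start otherwise,
# so the audit flags deviations in either direction instead of "fixing" them.
check_mode_0750() {
    [ "$(stat -c '%a' "$1")" = "750" ]
}

# Show who is delegated access through the group bits of 0750.
# Returns 0 when the owning group is root (no delegation), 1 otherwise.
report_group_access() {
    group=$(stat -c '%G' "$1")
    members=$(getent group "$group" | cut -d: -f4)
    echo "owning group: $group; supplementary members: ${members:-<none>}"
    [ "$group" = "root" ]
}

# Overall verdict: 0 = mode correct, 1 = mode wrong, 2 = directory missing.
# Delegated access is reported, not treated as a failure, because Squid or
# FreeRADIUS deployments legitimately need it.
audit_winbindd_privileged() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir"; return 2; }
    rc=0
    if check_mode_0750 "$dir"; then
        echo "mode 0750: ok"
    else
        echo "WARN: mode is $(stat -c '%a' "$dir"), advisory requires 0750"
        rc=1
    fi
    if ! report_group_access "$dir"; then
        echo "NOTE: members of the owning group can reach the privileged socket"
    fi
    return $rc
}

# Usage on a live host (placeholder config path):
# audit_winbindd_privileged "$(priv_dir_from_conf /etc/samba/smb.conf)"
```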
Flags: slow: review+