Bug 14929 (CVE-2022-44640) - CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST
Summary: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in...
Alias: CVE-2022-44640
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: unspecified
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL: https://github.com/heimdal/heimdal/re...
Depends on:
Blocks: 15238
  Show dependency treegraph
Reported: 2021-12-09 08:03 UTC by Andrew Bartlett
Modified: 2022-12-16 12:07 UTC (History)
6 users (show)

See Also:

Patches for v4-17-test (6.71 KB, patch)
2022-12-06 14:04 UTC, Stefan Metzmacher
slow: review+
Patch for v4-16-test (6.71 KB, patch)
2022-12-06 14:04 UTC, Stefan Metzmacher
slow: review+
Patches for v4-15-test (5.38 KB, text/plain)
2022-12-07 19:04 UTC, Stefan Metzmacher
metze: ci-passed+

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2021-12-09 08:03:55 UTC
Douglas Bagnall found, using HongFuzz a free() of uninitialised data in the generated code for ASN.1.

The initial case is in the KrbFastArmoredReq, thankfully something Samba doesn't have a codepath to, however as the issue is generic we need to be careful in case another case is used.

(Samba will have a codepath to KrbFastArmoredReq once the Heimdal upgrade is merged from https://gitlab.com/samba-team/samba/-/merge_requests/2014 )
Comment 1 Andrew Bartlett 2021-12-09 22:14:07 UTC
The other codepaths towards this are in rfc2459 but a careful analysis shows that because the enums chosen by the compiler all start with value 1 and the structure is zeroed with a memset(data, 0, sizeof(*data)).

Therefore production Samba is not impacted.
Comment 2 Andrew Bartlett 2022-11-17 21:14:55 UTC
Removing embargo as Heimdal has released with this.  Samba will look to include the fix for this, for Samba 4.15 (which doesn't use a modern Heimdal and the template compiler) in the next security release on a 'to be sure' basis. 

Comment 3 Stefan Metzmacher 2022-12-05 12:24:57 UTC
(In reply to Andrew Bartlett from comment #2)

Andrew what do we need to here for 4.15?
Comment 4 Andrew Bartlett 2022-12-05 17:47:54 UTC
I suggest we find the patch in Heimdal master, apply to our master and backport to the other releases.  Thankfully we don't even use this any more in master/4.17/4.16 but the code will be there so we can just do this via a MR like the others I think.
Comment 5 Jeffrey Altman 2022-12-05 18:25:21 UTC
I suspect the change in question is 

commit 9c9dac2b169255bad9071eea99fa90b980dde767
Author: Nicolas Williams <nico@twosigma.com>
Date:   Wed Mar 10 16:49:04 2021 -0600

    asn1: CVE-2022-44640 invalid free in ASN.1 codec

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all CHOICE types used in
    Heimdal, though not all cases will be exploitable.  We have not
    completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal since 2005.  It was first reported by
    Douglas Bagnall, though it had been found independently by the
    Heimdal maintainers via fuzzing a few weeks earlier.
Comment 6 Samba QA Contact 2022-12-06 13:42:07 UTC
This bug was referenced in samba master:

Comment 7 Stefan Metzmacher 2022-12-06 14:04:12 UTC
Created attachment 17675 [details]
Patches for v4-17-test
Comment 8 Stefan Metzmacher 2022-12-06 14:04:39 UTC
Created attachment 17676 [details]
Patch for v4-16-test
Comment 9 Stefan Metzmacher 2022-12-06 14:07:49 UTC
Andrew, the fix doesn't apply to v4-15, do we need a different patch or can we drop it there?
Comment 10 Stefan Metzmacher 2022-12-06 14:22:05 UTC
I'm changing from CVE-2021-44758 to CVE-2022-44640 (the one used in the commit message)
Comment 11 Stefan Metzmacher 2022-12-06 14:27:20 UTC
Pushed to autobuild-v4-{16,17}-test
Comment 12 Samba QA Contact 2022-12-06 15:29:04 UTC
This bug was referenced in samba v4-16-test:

Comment 13 Samba QA Contact 2022-12-06 16:04:03 UTC
This bug was referenced in samba v4-17-test:

Comment 14 Andrew Bartlett 2022-12-06 18:05:39 UTC
(In reply to Stefan Metzmacher from comment #9)
I'll figure out what is needed for 4.15 today.  This needs to be fixed in 4.15 as that is where we actually run this code (even if harmlessly, per our current analysis).
Comment 15 Andrew Bartlett 2022-12-07 09:25:12 UTC
Despite the scary advisory in upstream Heimdal, Samba is not currently known to be vulnerable to this issue because we don't have a path to the vulnerable FAST functionality that decodes KrbFastArmoredReq in Samba 4.15 and used a newer ASN.1 parser in Samba 4.16 and 4.17

See comment #1 for our analysis regarding other structures in use.

Despite this, we want the patch to be included in supported releases so that we can't become vulnerable if a feature is backported (for 4.15) or the codegen ASN.1 backend is selected for some reason in the future (for 4.16 and 4.17).
Comment 16 Samba QA Contact 2022-12-07 18:57:36 UTC
This bug was referenced in samba v4-15-test:

Comment 17 Stefan Metzmacher 2022-12-07 19:04:57 UTC
Created attachment 17679 [details]
Patches for v4-15-test

This is already in v4-15-test
Comment 18 Stefan Metzmacher 2022-12-07 19:13:07 UTC
Comment on attachment 17679 [details]
Patches for v4-15-test

These are already in v4-15-test, they passed a private autobuild
Comment 19 Stefan Metzmacher 2022-12-12 15:56:51 UTC
Will be in the next 4.15, 4.16 and 4.17 releases.
Comment 20 Samba QA Contact 2022-12-15 16:31:22 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.13):

Comment 21 Samba QA Contact 2022-12-15 16:34:15 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.4):

Comment 22 Samba QA Contact 2022-12-15 16:35:06 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.8):