14929 – (CVE-2022-44640) CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST

Bug 14929 (CVE-2022-44640) - CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in FAST

Summary: CVE-2022-44640 [SECURITY] Upstream Heimdal free of user-controlled pointer in...

Status:	RESOLVED FIXED

Alias:	CVE-2022-44640

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:	https://github.com/heimdal/heimdal/re...
Keywords:

Depends on:
Blocks:	15238
	Show dependency tree / graph

Reported:	2021-12-09 08:03 UTC by Andrew Bartlett
Modified:	2022-12-16 12:07 UTC (History)
CC List:	6 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/2836

Attachments
Patches for v4-17-test (6.71 KB, patch) 2022-12-06 14:04 UTC, Stefan Metzmacher	slow: review+	Details
Patch for v4-16-test (6.71 KB, patch) 2022-12-06 14:04 UTC, Stefan Metzmacher	slow: review+	Details
Patches for v4-15-test (5.38 KB, text/plain) 2022-12-07 19:04 UTC, Stefan Metzmacher	metze: ci-passed+	Details
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2021-12-09 08:03:55 UTC

Douglas Bagnall found, using HongFuzz a free() of uninitialised data in the generated code for ASN.1.

The initial case is in the KrbFastArmoredReq, thankfully something Samba doesn't have a codepath to, however as the issue is generic we need to be careful in case another case is used.

(Samba will have a codepath to KrbFastArmoredReq once the Heimdal upgrade is merged from https://gitlab.com/samba-team/samba/-/merge_requests/2014 )

Comment 1 Andrew Bartlett 2021-12-09 22:14:07 UTC

The other codepaths towards this are in rfc2459 but a careful analysis shows that because the enums chosen by the compiler all start with value 1 and the structure is zeroed with a memset(data, 0, sizeof(*data)).

Therefore production Samba is not impacted.

Comment 2 Andrew Bartlett 2022-11-17 21:14:55 UTC

Removing embargo as Heimdal has released with this.  Samba will look to include the fix for this, for Samba 4.15 (which doesn't use a modern Heimdal and the template compiler) in the next security release on a 'to be sure' basis. 

https://github.com/heimdal/heimdal/releases/tag/heimdal-7.8.0

Comment 3 Stefan Metzmacher 2022-12-05 12:24:57 UTC

(In reply to Andrew Bartlett from comment #2)

Andrew what do we need to here for 4.15?

Comment 4 Andrew Bartlett 2022-12-05 17:47:54 UTC

I suggest we find the patch in Heimdal master, apply to our master and backport to the other releases.  Thankfully we don't even use this any more in master/4.17/4.16 but the code will be there so we can just do this via a MR like the others I think.

Comment 5 Jeffrey Altman 2022-12-05 18:25:21 UTC

I suspect the change in question is 

commit 9c9dac2b169255bad9071eea99fa90b980dde767
Author: Nicolas Williams <nico@twosigma.com>
Date:   Wed Mar 10 16:49:04 2021 -0600

    asn1: CVE-2022-44640 invalid free in ASN.1 codec

    Heimdal's ASN.1 compiler generates code that allows specially
    crafted DER encodings of CHOICEs to invoke the wrong free function
    on the decoded structure upon decode error.  This is known to impact
    the Heimdal KDC, leading to an invalid free() of an address partly
    or wholly under the control of the attacker, in turn leading to a
    potential remote code execution (RCE) vulnerability.

    This error affects the DER codec for all CHOICE types used in
    Heimdal, though not all cases will be exploitable.  We have not
    completed a thorough analysis of all the Heimdal components
    affected, thus the Kerberos client, the X.509 library, and other
    parts, may be affected as well.

    This bug has been in Heimdal since 2005.  It was first reported by
    Douglas Bagnall, though it had been found independently by the
    Heimdal maintainers via fuzzing a few weeks earlier.

Comment 6 Samba QA Contact 2022-12-06 13:42:07 UTC

This bug was referenced in samba master:

5a02915913a2410904886e186ada90a36492571f
68fc909a7f4d69c254d34bec85cf8431bcb6e72f

Comment 7 Stefan Metzmacher 2022-12-06 14:04:12 UTC

Created attachment 17675 [details]
Patches for v4-17-test

Comment 8 Stefan Metzmacher 2022-12-06 14:04:39 UTC

Created attachment 17676 [details]
Patch for v4-16-test

Comment 9 Stefan Metzmacher 2022-12-06 14:07:49 UTC

Andrew, the fix doesn't apply to v4-15, do we need a different patch or can we drop it there?

Comment 10 Stefan Metzmacher 2022-12-06 14:22:05 UTC

I'm changing from CVE-2021-44758 to CVE-2022-44640 (the one used in the commit message)

Comment 11 Stefan Metzmacher 2022-12-06 14:27:20 UTC

Pushed to autobuild-v4-{16,17}-test

Comment 12 Samba QA Contact 2022-12-06 15:29:04 UTC

This bug was referenced in samba v4-16-test:

d7eccdbb0285ee2c1b07377471215692e9c7f3d0
2736d267aa9cfd49bd1c9a934d4788a2b9c49809

Comment 13 Samba QA Contact 2022-12-06 16:04:03 UTC

This bug was referenced in samba v4-17-test:

7b90f5c8296eeeeeebed5c2f969a96e78708d848
7bb1180c5adf98220962ee23938dc708ebd7bd02

Comment 14 Andrew Bartlett 2022-12-06 18:05:39 UTC

(In reply to Stefan Metzmacher from comment #9)
I'll figure out what is needed for 4.15 today.  This needs to be fixed in 4.15 as that is where we actually run this code (even if harmlessly, per our current analysis).

Comment 15 Andrew Bartlett 2022-12-07 09:25:12 UTC

Despite the scary advisory in upstream Heimdal, Samba is not currently known to be vulnerable to this issue because we don't have a path to the vulnerable FAST functionality that decodes KrbFastArmoredReq in Samba 4.15 and used a newer ASN.1 parser in Samba 4.16 and 4.17

See comment #1 for our analysis regarding other structures in use.

Despite this, we want the patch to be included in supported releases so that we can't become vulnerable if a feature is backported (for 4.15) or the codegen ASN.1 backend is selected for some reason in the future (for 4.16 and 4.17).

Comment 16 Samba QA Contact 2022-12-07 18:57:36 UTC

This bug was referenced in samba v4-15-test:

b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f
73c7c6ec9bc3a1993e766f119e9e29905ded5e28

Comment 17 Stefan Metzmacher 2022-12-07 19:04:57 UTC

Created attachment 17679 [details]
Patches for v4-15-test

This is already in v4-15-test

Comment 18 Stefan Metzmacher 2022-12-07 19:13:07 UTC

Comment on attachment 17679 [details]
Patches for v4-15-test

These are already in v4-15-test, they passed a private autobuild

Comment 19 Stefan Metzmacher 2022-12-12 15:56:51 UTC

Will be in the next 4.15, 4.16 and 4.17 releases.

Comment 20 Samba QA Contact 2022-12-15 16:31:22 UTC

This bug was referenced in samba v4-15-stable (Release samba-4.15.13):

b4c3ce6fb9b2aebbbe7d802ce48c691a9cabcf4f
73c7c6ec9bc3a1993e766f119e9e29905ded5e28

Comment 21 Samba QA Contact 2022-12-15 16:34:15 UTC

This bug was referenced in samba v4-17-stable (Release samba-4.17.4):

7b90f5c8296eeeeeebed5c2f969a96e78708d848
7bb1180c5adf98220962ee23938dc708ebd7bd02

Comment 22 Samba QA Contact 2022-12-15 16:35:06 UTC

This bug was referenced in samba v4-16-stable (Release samba-4.16.8):

d7eccdbb0285ee2c1b07377471215692e9c7f3d0
2736d267aa9cfd49bd1c9a934d4788a2b9c49809