Bug 15134 (CVE-2022-3437) - CVE-2022-3437 [SECURITY] Heimdal des/des3 overflow
Summary: CVE-2022-3437 [SECURITY] Heimdal des/des3 overflow
Status: RESOLVED FIXED
Alias: CVE-2022-3437
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.16.3
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on: 15193
Blocks:
  Show dependency treegraph
 
Reported: 2022-08-02 19:27 UTC by Andrew Bartlett
Modified: 2022-10-25 14:52 UTC (History)
8 users (show)

See Also:


Attachments
details supplied by the reporter (3.47 KB, application/x-compressed-tar)
2022-08-02 19:27 UTC, Andrew Bartlett
no flags Details
patch for heimdal (3.91 KB, patch)
2022-08-15 08:31 UTC, Joseph Sutton
no flags Details
Initial advisory without versions or CVE number (2.27 KB, text/plain)
2022-10-06 02:04 UTC, Andrew Bartlett
no flags Details
v2 advisory (2.47 KB, text/plain)
2022-10-06 02:50 UTC, Andrew Bartlett
no flags Details
Initial advisory without versions or CVE number (v3) (2.46 KB, text/plain)
2022-10-06 03:56 UTC, Andrew Bartlett
jsutton: review+
Details
patch (v1) for master, 4.17 and 4.16 (5.06 KB, patch)
2022-10-06 04:42 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
patch (v1) for 4.12, 4.15 (and earlier versions) (5.00 KB, patch)
2022-10-06 04:51 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
patch (v2) for master, 4.17 and 4.16 (60.87 KB, patch)
2022-10-12 06:16 UTC, Joseph Sutton
no flags Details
patch (v2) for heimdal (12.66 KB, patch)
2022-10-12 06:17 UTC, Joseph Sutton
no flags Details
patch (v2) for 4.12, 4.15 (and earlier versions) (61.52 KB, patch)
2022-10-12 07:25 UTC, Joseph Sutton
no flags Details
patch (v2a) for 4.12, 4.15 (and earlier versions) (61.48 KB, patch)
2022-10-12 07:34 UTC, Joseph Sutton
no flags Details
Advisory with version numbers and CVE (v4) (2.52 KB, text/plain)
2022-10-12 19:22 UTC, Andrew Bartlett
no flags Details
Patch for Samba master (v3) (62.10 KB, patch)
2022-10-12 22:43 UTC, Andrew Bartlett
jsutton: review+
Details
Patch for Samba master (v4) (62.65 KB, patch)
2022-10-12 23:52 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Patch for Samba 4.17 (v4)(against 4.17.0) (62.69 KB, patch)
2022-10-12 23:53 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Patch for Samba 4.16 (v4) (62.69 KB, patch)
2022-10-12 23:54 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Patch for Samba 4.15 (v4) (63.08 KB, patch)
2022-10-13 00:04 UTC, Andrew Bartlett
jsutton: review-
Details
Patch for Samba 4.15 (v4a) (63.22 KB, patch)
2022-10-13 01:03 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Patch for Heimdal master (v4) (13.64 KB, patch)
2022-10-13 06:23 UTC, Joseph Sutton
no flags Details
Patch for Samba 4.12 (v4a) (63.34 KB, patch)
2022-10-14 19:25 UTC, Andrew Bartlett
jsutton: review+
abartlet: ci-passed+
Details
Advisory v5 updated with new version as 4.17.2 (2.52 KB, text/plain)
2022-10-18 22:36 UTC, Andrew Bartlett
abartlet: review? (dbagnall)
Details
Patch for Samba 4.17 (v4) (against 4.17.1) (62.63 KB, patch)
2022-10-24 10:13 UTC, Jule Anger
no flags Details

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2022-08-02 19:27:27 UTC
Created attachment 17455 [details]
details supplied by the reporter

Evgeny Legerov of Intevydis reports a heap overflow in Heimdal when decrypting an incoming GSSAPI buffer if the encryption type can be forced to des3 or DES. 

(Modern Samba versions do not build Heimdal with the WEAK_CRYTPO define for DES, but DES3 is still permitted). 

This bug is to track our efforts to confirm, fix and coordinate addressing this issue.
Comment 1 Joseph Sutton 2022-08-15 08:31:29 UTC
Created attachment 17474 [details]
patch for heimdal

I have not managed to reproduce this bug in Samba. Even if I force DES3 keys, I always saw _gsskrb5_unwrap() taking this branch:

  if (ctx->more_flags & IS_CFX)
      return _gssapi_unwrap_cfx (minor_status, ctx, context,
				 input_message_buffer, output_message_buffer,
				 conf_state, qop_state);

which bypasses unwrap_des3() completely.

Nevertheless, I tested this patch against Heimdal and I think it prevents the overflows in unwrap_des3(). I have not tested it with single-DES.
Comment 2 Joseph Sutton 2022-08-19 04:01:11 UTC
I have since been able to reproduce this in Samba by commenting out the AES encryption types and manually setting the contents of the input buffer in unwrap_des3(). The buffer that we overflow is normally allocated by data_blob_talloc().
Comment 3 Joseph Sutton 2022-08-19 04:24:19 UTC
I can get the server to call unwrap_des3() with no server-side changes, by commenting out the AES encryption types on the client and using ldbsearch.
Comment 4 Andrew Bartlett 2022-10-06 02:04:22 UTC
Created attachment 17539 [details]
Initial advisory without versions or CVE number

This is my first draft of an advisory, it needs some work but should describe the issue as a start.
Comment 5 Andrew Bartlett 2022-10-06 02:50:49 UTC
Created attachment 17540 [details]
v2 advisory

Updated after feedback.
Comment 6 Jeffrey Altman 2022-10-06 03:02:18 UTC
v2_advisory looks good to me.
Comment 7 Andrew Bartlett 2022-10-06 03:55:13 UTC
(In reply to Jeffrey Altman from comment #6)
Thanks!
Comment 8 Andrew Bartlett 2022-10-06 03:55:35 UTC
(In reply to Jeffrey Altman from comment #6)
Thanks!
Comment 9 Andrew Bartlett 2022-10-06 03:56:50 UTC
Created attachment 17541 [details]
Initial advisory without versions or CVE number (v3)

This fixes some spelling.
Comment 10 Andrew Bartlett 2022-10-06 04:42:34 UTC
Created attachment 17542 [details]
patch (v1) for master, 4.17 and 4.16

A followup patch with the correct CVE number on it will be split into one-per-version per our standard procedure.
Comment 11 Andrew Bartlett 2022-10-06 04:51:41 UTC
Created attachment 17543 [details]
patch (v1) for 4.12, 4.15 (and earlier versions)
Comment 12 Joseph Sutton 2022-10-12 06:16:05 UTC
Created attachment 17549 [details]
patch (v2) for master, 4.17 and 4.16
Comment 13 Joseph Sutton 2022-10-12 06:17:45 UTC
Created attachment 17550 [details]
patch (v2) for heimdal
Comment 14 Joseph Sutton 2022-10-12 07:25:22 UTC
Created attachment 17551 [details]
patch (v2) for 4.12, 4.15 (and earlier versions)
Comment 15 Joseph Sutton 2022-10-12 07:34:22 UTC
Created attachment 17552 [details]
patch (v2a) for 4.12, 4.15 (and earlier versions)

Reuploading; this time I remembered to correct 'third_party/heimdal' to 'source4/heimdal' in the commit messages.
Comment 16 Andrew Bartlett 2022-10-12 19:22:36 UTC
Created attachment 17553 [details]
Advisory with version numbers and CVE (v4)
Comment 17 Andrew Bartlett 2022-10-12 19:59:25 UTC
Comment on attachment 17552 [details]
patch (v2a) for 4.12, 4.15 (and earlier versions)

In "lib/gssapi/krb5: Avoid undefined behaviour in _gssapi_verify_pad()" we lost the longer commit message that was in the v1 patch that explained this better. 

In "CVE-2022-3437 lib/gssapi/krb5: Check buffer length against overflow for DES{,3} unwrap" the swapping of <  and > in the length check tests is confusing, we should do one or the other.   

I've checked the integer math in "lib/gssapi/krb5: Check for overflow in
 _gsskrb5_get_mech()" and while it makes me nervous, I can't find any other flaws.


I'll upload an updated set of patches.
Comment 18 Andrew Bartlett 2022-10-12 22:43:17 UTC
Created attachment 17554 [details]
Patch for Samba master (v3)
Comment 19 Andrew Bartlett 2022-10-12 23:52:48 UTC
Created attachment 17555 [details]
Patch for Samba master (v4)
Comment 20 Andrew Bartlett 2022-10-12 23:53:32 UTC
Created attachment 17556 [details]
Patch for Samba 4.17 (v4)(against 4.17.0)
Comment 21 Andrew Bartlett 2022-10-12 23:54:14 UTC
Created attachment 17557 [details]
Patch for Samba 4.16 (v4)
Comment 22 Joseph Sutton 2022-10-13 00:01:21 UTC
Comment on attachment 17553 [details]
Advisory with version numbers and CVE (v4)

4.16.6 appears to be the next 4.16 version scheduled for release, but this advisory refers to 4.16.7. Is that correct?
Comment 23 Andrew Bartlett 2022-10-13 00:04:14 UTC
Created attachment 17558 [details]
Patch for Samba 4.15 (v4)

This 4.15 patch depends on patches in bug 15193 for the pipelines to pass as we lost the old CI image.
Comment 24 Joseph Sutton 2022-10-13 00:46:40 UTC
Comment on attachment 17558 [details]
Patch for Samba 4.15 (v4)

This fails to build with MIT Kerberos. We need to add the following lines in CVE-2022-3437 s4/auth/tests: Add unit tests for unwrap_des3():

diff --git a/source4/auth/wscript_build b/source4/auth/wscript_build
index 19ac5d0ef90..01b2f280609 100644
--- a/source4/auth/wscript_build
+++ b/source4/auth/wscript_build
@@ -54,6 +54,8 @@ bld.SAMBA_BINARY('test_heimdal_gensec_unwrap_des',
                  deps='cmocka talloc gssapi-subsystem',
                  local_include=False,
                  for_selftest=True,
+                 enabled=(bld.CONFIG_SET('SAMBA4_USES_HEIMDAL') and
+                          not bld.CONFIG_SET('USING_SYSTEM_GSSAPI')),
                  ldflags='''
                  -Wl,--wrap,ct_memcmp
                  -Wl,--wrap,der_get_length
Comment 25 Andrew Bartlett 2022-10-13 01:03:00 UTC
Created attachment 17559 [details]
Patch for Samba 4.15 (v4a)

Thanks.  This seems to work.  A new pipeline is running.
Comment 26 Andrew Bartlett 2022-10-13 06:04:29 UTC
Assigning to Jule for the release on 25 October 2022 and opening to vendors.
Comment 27 Joseph Sutton 2022-10-13 06:23:25 UTC
Created attachment 17561 [details]
Patch for Heimdal master (v4)
Comment 28 Andrew Bartlett 2022-10-14 19:25:25 UTC
Created attachment 17564 [details]
Patch for Samba 4.12 (v4a)

The tested basis for these patches is this release:

https://gitlab.com/catalyst-samba/samba/-/releases/catalyst-4.12-backports-2022-10
Comment 29 Andrew Bartlett 2022-10-18 22:36:31 UTC
Created attachment 17577 [details]
Advisory v5 updated with new version as 4.17.2

Samba 4.17.1 will be released early, so this will be 4.17.2
Comment 30 Jule Anger 2022-10-24 10:13:12 UTC
Created attachment 17598 [details]
Patch for Samba 4.17 (v4) (against 4.17.1)

The patch for 4.17 cannot be applied to 4.17.1.

Use this patch to apply to 4.17.1 and the other 4.17 patch (https://bugzilla.samba.org/attachment.cgi?id=17556) to apply to 4.17.0.
Comment 31 Samba QA Contact 2022-10-25 09:12:35 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.11):

fe1204d9da2c6f761c4dc4421f67057b10eaf430
a49a3ac8e082921c2793a073b5991c4693f167ab
310bffc085514f9ceba5b3501ddef15807c53809
c22914f845b3eba1c9ad444333f3d044352b7e2c
5f6dbf2ab29bcd30c701cab3daecf5a6a53a44cd
9f6f1e01aca4f00a5d23127803c81939253e0577
5a62eb5734d50fe556934aefa3bac5698372f00e
ebac8bf0478e19849f83af6d44b73d7ab3afd25b
1aca34515515f2cb00fbf5ad8b9212b319f01836
77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985
e9db03736007721e37c4fba847ce4aa0c4520924
Comment 32 Samba QA Contact 2022-10-25 09:12:47 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.2):

16ea178f162368741666b990b4f26751310e0ac6
d5a06cd54e015573769efc6aeb3327454b7de7ac
846fbd0456ab7eb435dd7438cf6c5a288f6f8fbd
2ee62a7c9ff96fd09efa87161a09a8539a99900f
abb3f7f1e3ec90146f4f805886cbbaf8ac38a5de
24099e348199c8e34f18c40e5ee42838a6e4529f
c06f2e9ce24c0d945eb597e71fb286df92d23415
a0cd16f084d70185b0de9151d0d259a634a31e96
0de566954eccc44c5892e62005a8bd4e725ea7d3
f33f8a515b0f44db58ebeb7274a3118277143a4f
3007e32072f5b34b4ca403b9d52100627c3a74d2
Comment 33 Samba QA Contact 2022-10-25 09:13:04 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.6):

0eaa68d1935236c0a6188ba1ba078db507887e6c
c5dd87f488820e180649e6fd3597bce4ffa24fdc
03eefa45d38ca3eade2018767421bb60ba65d58b
e3c314ed69f99db1c797772fbda83820352d5387
9ca9408c5edf807de9fba9f59eabd899c79458a9
c944773adc421b3f85a8166fa2d9733e3e9a10c2
e1c2e2836efaa895d817b5611bf908284c3d415d
de77f0159873fb0c569c02cee5aa492af8e3f461
d16ac1f4057ec0c26768f04f00c512abf271be7f
22dd9072c9f964931db931ee0b638a9799e947ca
5c31d5beb3bed6b28c8d648d889c47e69c16cc8e
Comment 34 Jule Anger 2022-10-25 09:38:02 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.  
If you wish to continue to be informed about any changes here please CC individually.
Comment 35 Samba QA Contact 2022-10-25 09:45:52 UTC
This bug was referenced in samba v4-15-test:

fe1204d9da2c6f761c4dc4421f67057b10eaf430
a49a3ac8e082921c2793a073b5991c4693f167ab
310bffc085514f9ceba5b3501ddef15807c53809
c22914f845b3eba1c9ad444333f3d044352b7e2c
5f6dbf2ab29bcd30c701cab3daecf5a6a53a44cd
9f6f1e01aca4f00a5d23127803c81939253e0577
5a62eb5734d50fe556934aefa3bac5698372f00e
ebac8bf0478e19849f83af6d44b73d7ab3afd25b
1aca34515515f2cb00fbf5ad8b9212b319f01836
77e0f2febaaf4d6e5e42f8e73a1f8f3c0e4a2985
e9db03736007721e37c4fba847ce4aa0c4520924
Comment 36 Samba QA Contact 2022-10-25 09:48:43 UTC
This bug was referenced in samba v4-17-test:

16ea178f162368741666b990b4f26751310e0ac6
d5a06cd54e015573769efc6aeb3327454b7de7ac
846fbd0456ab7eb435dd7438cf6c5a288f6f8fbd
2ee62a7c9ff96fd09efa87161a09a8539a99900f
abb3f7f1e3ec90146f4f805886cbbaf8ac38a5de
24099e348199c8e34f18c40e5ee42838a6e4529f
c06f2e9ce24c0d945eb597e71fb286df92d23415
a0cd16f084d70185b0de9151d0d259a634a31e96
0de566954eccc44c5892e62005a8bd4e725ea7d3
f33f8a515b0f44db58ebeb7274a3118277143a4f
3007e32072f5b34b4ca403b9d52100627c3a74d2
Comment 37 Samba QA Contact 2022-10-25 09:57:52 UTC
This bug was referenced in samba v4-16-test:

0eaa68d1935236c0a6188ba1ba078db507887e6c
c5dd87f488820e180649e6fd3597bce4ffa24fdc
03eefa45d38ca3eade2018767421bb60ba65d58b
e3c314ed69f99db1c797772fbda83820352d5387
9ca9408c5edf807de9fba9f59eabd899c79458a9
c944773adc421b3f85a8166fa2d9733e3e9a10c2
e1c2e2836efaa895d817b5611bf908284c3d415d
de77f0159873fb0c569c02cee5aa492af8e3f461
d16ac1f4057ec0c26768f04f00c512abf271be7f
22dd9072c9f964931db931ee0b638a9799e947ca
5c31d5beb3bed6b28c8d648d889c47e69c16cc8e
Comment 38 Samba QA Contact 2022-10-25 11:28:12 UTC
This bug was referenced in samba master:

cd48f2da59f48caa20e7ac652c958182671e804b
ec456766d53da45c9d3edcb382569768cbef60dd
c8e85295c988d653c3c425e0c4b8900f30fa1bba
16120b736f28e85e7b46f8c69b7aa02073b2e26c
dffc997adaccaa0980911b62473470cb80969700
ad9d1690ed51d73fbfb7dcb07c6ecb7750cab290
ba60f647524ec12b3b5901680c5922d6b2490420
841b6ddcf2a80c085ed6159ec9d420f37ceb691e
2d0ad4ede7b391af3f38cd3664dc04c7ceea76e8
d12bd2cd50b45e064e5bea5a99c826ef156b4e64
2671f995fed735bb03d9efd55d6603b35141ff38
Comment 39 Jule Anger 2022-10-25 14:52:48 UTC
Closing out bug report.

Thanks!