15491 – (CVE-2023-5568) CVE-2023-5568 [SECURITY] Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19

Bug 15491 (CVE-2023-5568) - CVE-2023-5568 [SECURITY] Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19

Summary: CVE-2023-5568 [SECURITY] Heap buffer overflow with freshness tokens in the He...

Status:	RESOLVED FIXED

Alias:	CVE-2023-5568

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.19.0rc2
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:

Reported:	2023-10-09 23:03 UTC by Jo Sutton
Modified:	2023-10-16 14:20 UTC (History)
CC List:	2 users (show)

See Also:	https://gitlab.com/samba-team/samba/-/merge_requests/3310

Attachments
patch for Samba 4.19 (1.99 KB, patch) 2023-10-13 00:34 UTC, Jo Sutton	no flags	Details
patch v2 for Samba 4.19 (2.01 KB, patch) 2023-10-15 22:05 UTC, Jo Sutton	abartlet: review+	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Jo Sutton 2023-10-09 23:03:01 UTC

The KDC doesn’t allocate enough memory for the ‘heim_octet_string’ containing the freshness token.

Comment 1 Andrew Bartlett 2023-10-10 20:44:37 UTC

This is hard to score.  If there is any impact at all, it is likely to be a DoS, but there is a chance that some other other thing is in the area the malloc() result pointer is written do.

Repeated testing on x86_64 Linux has not even seen a crash. 

https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H


Either way, while a CVE has been requested (to ensure that everyone picks up Samba 4.19.1 next week with this in it), a new security release feels unwarranted.   (I had scored this as 5.0 previously which is why this didn't get discussed, but re-scoring today I get a higher score for some reason).

Comment 2 Andrew Bartlett 2023-10-10 22:07:06 UTC

Update, this requires authentication, so 

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H (5.9)

Comment 3 Samba QA Contact 2023-10-13 00:12:05 UTC

This bug was referenced in samba master:

3280893ae80507e36653a0c7da03c82b88ece30b

Comment 4 Jo Sutton 2023-10-13 00:34:19 UTC

Created attachment 18156 [details]
patch for Samba 4.19

Comment 5 Jo Sutton 2023-10-15 22:05:54 UTC

Created attachment 18158 [details]
patch v2 for Samba 4.19

Comment 6 Andrew Bartlett 2023-10-16 01:08:26 UTC

Assigning to Jule for Samba 4.19.2

Comment 7 Jule Anger 2023-10-16 07:30:36 UTC

Pushed to autobuild-v4-19-test.

Comment 8 Samba QA Contact 2023-10-16 08:29:04 UTC

This bug was referenced in samba v4-19-test:

f0da8219262ba7c3e066d4f519063edf26f36b88

Comment 9 Jule Anger 2023-10-16 13:21:55 UTC

Closing out bug report.

Thanks!

Comment 10 Samba QA Contact 2023-10-16 14:20:32 UTC

This bug was referenced in samba v4-19-stable (Release samba-4.19.2):

f0da8219262ba7c3e066d4f519063edf26f36b88