Bug 15491 (CVE-2023-5568) - CVE-2023-5568 [SECURITY] Heap buffer overflow with freshness tokens in the Heimdal KDC in Samba 4.19
Summary: CVE-2023-5568 [SECURITY] Heap buffer overflow with freshness tokens in the He...
Alias: CVE-2023-5568
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.19.0rc2
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Depends on:
Reported: 2023-10-09 23:03 UTC by Jo Sutton
Modified: 2023-10-16 14:20 UTC
CC List: 2 users

See Also:

patch for Samba 4.19 (1.99 KB, patch)
2023-10-13 00:34 UTC, Jo Sutton
no flags
patch v2 for Samba 4.19 (2.01 KB, patch)
2023-10-15 22:05 UTC, Jo Sutton
abartlet: review+

Description Jo Sutton 2023-10-09 23:03:01 UTC
The KDC doesn’t allocate enough memory for the ‘heim_octet_string’ containing the freshness token.
Comment 1 Andrew Bartlett 2023-10-10 20:44:37 UTC
This is hard to score.  If there is any impact at all, it is likely to be a DoS, but there is a chance that some other thing is in the area the malloc() result pointer is written to.

Repeated testing on x86_64 Linux has not even seen a crash.

Either way, while a CVE has been requested (to ensure that everyone picks up Samba 4.19.1 next week with this in it), a new security release feels unwarranted. (I had scored this as 5.0 previously which is why this didn't get discussed, but re-scoring today I get a higher score for some reason).
Comment 2 Andrew Bartlett 2023-10-10 22:07:06 UTC
Update: this requires authentication, so

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H (5.9)
Comment 3 Samba QA Contact 2023-10-13 00:12:05 UTC
This bug was referenced in samba master:

Comment 4 Jo Sutton 2023-10-13 00:34:19 UTC
Created attachment 18156 [details]
patch for Samba 4.19
Comment 5 Jo Sutton 2023-10-15 22:05:54 UTC
Created attachment 18158 [details]
patch v2 for Samba 4.19
Comment 6 Andrew Bartlett 2023-10-16 01:08:26 UTC
Assigning to Jule for Samba 4.19.2
Comment 7 Jule Anger 2023-10-16 07:30:36 UTC
Pushed to autobuild-v4-19-test.
Comment 8 Samba QA Contact 2023-10-16 08:29:04 UTC
This bug was referenced in samba v4-19-test:

Comment 9 Jule Anger 2023-10-16 13:21:55 UTC
Closing out bug report.

Comment 10 Samba QA Contact 2023-10-16 14:20:32 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.2):