The KDC doesn’t allocate enough memory for the ‘heim_octet_string’ containing the freshness token.
This is hard to score. If there is any impact at all, it is likely to be a DoS, but there is a chance that some other thing is in the area the malloc() result pointer is written to. Repeated testing on x86_64 Linux has not even seen a crash. https://www.first.org/cvss/calculator/3.1#CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:H Either way, while a CVE has been requested (to ensure that everyone picks up Samba 4.19.1 next week with this in it), a new security release feels unwarranted. (I had scored this as 5.0 previously, which is why this didn't get discussed, but re-scoring today I get a higher score for some reason.)
Update: this requires authentication, so CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:H (5.9)
This bug was referenced in samba master: 3280893ae80507e36653a0c7da03c82b88ece30b
Created attachment 18156 [details] patch for Samba 4.19
Created attachment 18158 [details] patch v2 for Samba 4.19
Assigning to Jule for Samba 4.19.2
Pushed to autobuild-v4-19-test.
This bug was referenced in samba v4-19-test: f0da8219262ba7c3e066d4f519063edf26f36b88
Closing out bug report. Thanks!
This bug was referenced in samba v4-19-stable (Release samba-4.19.2): f0da8219262ba7c3e066d4f519063edf26f36b88