===========================================================
== Subject:     Samba buffer overflow vulnerabilities on 32-bit
==              systems
==
== CVE ID#:     CVE-2022-42898
==
== Versions:    All versions of Samba prior to 4.15.next, 4.16.next, 4.17.next
==
== Summary:     Samba's Kerberos libraries failed to guard against
==              integer overflows when parsing a PAC on a 32-bit
==              system, which allowed an attacker with a forged PAC to
==              corrupt the heap.
===========================================================

===========
Description
===========

The Kerberos libraries used by Samba provide a mechanism for
authenticating a user or service by means of tickets that can contain
Privilege Attribute Certificates (PACs).

Both the Heimdal and MIT Kerberos libraries, when calculating how many
bytes to allocate for a buffer that was to receive a parsed PAC, failed
to handle the case in which the result overflowed. Because the user's
control over this calculation is limited to an unsigned 32-bit value,
such an outcome is a practical impossibility when the calculation is
performed in the ample integer range of a 64-bit system.

On a 32-bit system the situation is more grave. An overflow in that
case will result in a buffer on the heap that is too short. Into this
undersized buffer are placed 16-byte chunks of entirely
attacker-controlled data, which, although subject to consistency
checks, are not verified until after being written to memory. The
server will cease parsing once a check has failed, but by this time the
heap may have already been corrupted and the stage set for a crash or
remote code execution.

To take advantage of this vulnerability, an attacker must cause an
unsuspecting server to ingest and parse a specially forged PAC. By
employing a Service for User to Proxy (S4U2Proxy) request, one need
only possess the key of a server within the realm to be able to encrypt
an arbitrary PAC into a ticket that the KDC will accept.

Furthermore, a compromised RODC provides the means to forge malicious
tickets which the KDC will accept and parse without question.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.next, 4.16.next, and 4.17.next have been
issued as security releases to correct the defect. Samba administrators
are advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Greg Hudson with the aid of oss-fuzz.

Patches provided by Nicolas Williams of Heimdal and Joseph Sutton of
the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
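The Description above names the defect as an unchecked size calculation: the number of 16-byte PAC buffer descriptors is an attacker-supplied 32-bit count, and on a 32-bit system "count * 16 + header" can wrap to a small value before it is passed to the allocator. The following C example is added here to illustrate that failure mode and its fix; it is not Heimdal, MIT Kerberos or Samba code. The PAC layout it parses (an 8-byte header whose first four bytes are a little-endian buffer count, followed by count 16-byte descriptors) is a simplified, constructed layout, and the names pac_alloc_size_unchecked, pac_alloc_size_checked and pac_parse are hypothetical. All sizes are held in uint32_t so that the 32-bit arithmetic of the advisory is reproduced on any host.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified PAC layout (constructed for this example, not the real wire format):
 *   header : 4-byte little-endian buffer count, 4 bytes reserved
 *   body   : count x 16-byte buffer descriptors
 */
#define PAC_HEADER_SIZE 8u
#define PAC_DESC_SIZE   16u

typedef struct {
    uint32_t count;
    uint8_t *descriptors;   /* count * PAC_DESC_SIZE bytes, heap-allocated */
} pac_table;

/* Vulnerable pattern: header + count * 16 computed in 32 bits with no
 * overflow check. For count = 0x10000000 the product is 2^32, which wraps
 * to 0, so the function reports that only 8 bytes are needed. */
uint32_t pac_alloc_size_unchecked(uint32_t count)
{
    return PAC_HEADER_SIZE + count * PAC_DESC_SIZE;
}

/* Hardened pattern: refuse any count whose byte size cannot be represented
 * in the size type. Returns false on overflow and leaves *out untouched. */
bool pac_alloc_size_checked(uint32_t count, uint32_t *out)
{
    if (count > (UINT32_MAX - PAC_HEADER_SIZE) / PAC_DESC_SIZE)
        return false;                           /* count * 16 + 8 would wrap */
    *out = PAC_HEADER_SIZE + count * PAC_DESC_SIZE;
    return true;
}

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Returns 0 and fills *out on success, -1 if the blob is malformed. Nothing
 * is allocated or copied until both the size arithmetic and the blob length
 * have been validated, so a wrapped size can never reach malloc(). */
int pac_parse(const uint8_t *blob, uint32_t blob_len, pac_table *out)
{
    uint32_t count, need;

    if (blob_len < PAC_HEADER_SIZE)
        return -1;
    count = read_le32(blob);
    if (!pac_alloc_size_checked(count, &need))
        return -1;                              /* arithmetic overflow: reject */
    if (need > blob_len)
        return -1;                              /* declared count exceeds bytes present */

    out->count = count;
    out->descriptors = malloc(count ? (size_t)count * PAC_DESC_SIZE : 1);
    if (out->descriptors == NULL)
        return -1;
    memcpy(out->descriptors, blob + PAC_HEADER_SIZE, (size_t)count * PAC_DESC_SIZE);
    return 0;
}

void pac_free(pac_table *t)
{
    free(t->descriptors);
    t->descriptors = NULL;
    t->count = 0;
}

int main(void)
{
    /* Constructed blob: count = 2 followed by two 16-byte descriptors. */
    uint8_t good[PAC_HEADER_SIZE + 2 * PAC_DESC_SIZE] = { 2, 0, 0, 0 };
    /* Constructed blob: count = 0x10000000, for which the unchecked size wraps to 8. */
    uint8_t bad[PAC_HEADER_SIZE] = { 0, 0, 0, 0x10 };
    pac_table t;
    uint32_t n;

    printf("unchecked size for count 0x10000000: %u\n", pac_alloc_size_unchecked(0x10000000u));
    printf("checked size accepts that count: %s\n",
           pac_alloc_size_checked(0x10000000u, &n) ? "yes" : "no");
    printf("good blob parse result: %d\n", pac_parse(good, sizeof good, &t));
    pac_free(&t);
    printf("bad blob parse result: %d\n", pac_parse(bad, sizeof bad, &t));
    return 0;
}
```

The order of the checks in pac_parse is the point: with the unchecked arithmetic, the wrapped size of 8 bytes is not larger than the 8-byte blob, so a "does the declared size fit the data" test alone would pass and the allocator would hand back a buffer far too small for the descriptors the parser then writes into it. The overflow test has to come before any comparison or allocation that consumes the computed size.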