===========================================================
== Subject:     Out-Of-Bounds read in winbind AUTH_CRAP
==
== CVE ID#:     CVE-2022-2127
==
== Versions:    All versions up to x.y
==
== Summary:     When winbind is used for NTLM authentication,
==              a maliciously crafted request can trigger an
==              out-of-bounds read in winbind and possibly
==              crash it.
===========================================================

===========
Description
===========

When doing NTLM authentication, the client sends replies to
cryptographic challenges back to the server. These replies
have variable length. Winbind did not properly bounds-check
the LAN Manager response length, which, despite the LAN Manager
version no longer being used, is still part of the protocol.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (5.9)

==========
Workaround
==========

If winbind is required, none.

=======
Credits
=======

Found through a Coverity finding, fixed by the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
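
The class of defect described under Description, as an added example that is not Samba's code: a hypothetical request struct (auth_req, with illustrative buffer sizes) carrying client-supplied lengths, with a validator that forgets the LAN Manager length shown beside one that checks every length against its own buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical request layout; names and sizes are illustrative. */
#define LM_RESP_MAX 24
#define NT_RESP_MAX 512

struct auth_req {
    uint8_t  lm_resp[LM_RESP_MAX];
    uint32_t lm_resp_len;   /* client-supplied, untrusted */
    uint8_t  nt_resp[NT_RESP_MAX];
    uint32_t nt_resp_len;   /* client-supplied, untrusted */
};

/* Illustrative flawed check: one length is validated, the legacy LM
 * length is forgotten, so later code may read past lm_resp[]. */
static int validate_flawed(const struct auth_req *r)
{
    return r->nt_resp_len <= sizeof(r->nt_resp);
}

/* Hardened: every length field is checked against its own buffer,
 * including the legacy field that is still part of the protocol. */
static int validate_hardened(const struct auth_req *r)
{
    if (r->lm_resp_len > sizeof(r->lm_resp)) return 0;
    if (r->nt_resp_len > sizeof(r->nt_resp)) return 0;
    return 1;
}

/* Copies the LM response only after validation.
 * Returns the number of bytes copied, or -1 on rejection. */
static long copy_lm_resp(const struct auth_req *r, uint8_t *out, size_t out_len)
{
    if (!validate_hardened(r) || r->lm_resp_len > out_len) return -1;
    memcpy(out, r->lm_resp, r->lm_resp_len);
    return (long)r->lm_resp_len;
}

int main(void)
{
    struct auth_req r = {0};    /* constructed sample request */
    uint8_t out[LM_RESP_MAX];
    r.lm_resp_len = 4096;       /* length far larger than lm_resp[] */
    /* The flawed check accepts it; the hardened copy path rejects it. */
    return (validate_flawed(&r) == 1 &&
            copy_lm_resp(&r, out, sizeof out) == -1) ? 0 : 1;
}
```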