TODO: $VERSION =========================================================== == Subject: Out-Of-Bounds read in winbind AUTH_CRAP == == CVE ID#: CVE-2022-2127 == == Versions: All versions up to $VERSION == == Summary: When winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in winbind and possibly crash it. =========================================================== =========== Description =========== When doing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable length. Winbind did not properly bounds-check the lan manager response length, which despite the lan manager version no longer being used is still part of the protocol. To exploit this vulnarebility the user must have either access to the privileged winbindd UNIX domain socket (which means being root already) or, if the system is running Samba ntlm_auth as authentication backend for services like Squid or FreeRADIUS, the vulnarebility is remotely exploitable. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== Systems without ntlm_auth configured: CVSS3.1:AV:L/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.4) With ntlm_auth configured: CVSS3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H (5.9) ========== Workaround ========== If winbind is required, none. ======= Credits ======= Found through a coverity finding, fixed by the Samba Team ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================