Bug 1116320 (CVE-2018-16841) - VUL-0: CVE-2018-16841: samba: KDC Crash with PKINIT
Summary: VUL-0: CVE-2018-16841: samba: KDC Crash with PKINIT
Status: RESOLVED FIXED
Alias: CVE-2018-16841
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium  Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/219359/
Whiteboard: CVSSv3:SUSE:CVE-2018-16841:6.5:(AV:N/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-11-16 10:52 UTC by Marcus Meissner
Modified: 2019-11-30 15:38 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Marcus Meissner 2018-11-27 10:12:39 UTC
is public


CVE-2018-16841.html

===========================================================
== Subject:  Double-free in Samba AD DC KDC with PKINIT
==
== CVE ID#:  CVE-2018-16841
==
== Versions: All versions of Samba from 4.3.0 onwards.
==
== Summary:  A user with a valid certificate or smart card
             can crash the Samba AD DC's KDC.
===========================================================

===========
Description
===========

When configured to accept smart-card authentication, Samba's KDC will
call talloc_free() twice on the same memory if the principal in a
validly signed certificate does not match the principal in the AS-REQ.

This is only possible after authentication with a trusted certificate.

talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.

There is no further vulnerability associated with this issue, merely a
denial of service.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.7.12, 4.8.7 and 4.9.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

Remove 'enable-pkinit = true' from the krb5.conf to disable smart-card
login.

=======
Credits
=======

Originally reported by Alex MacCuish

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
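The ownership defect the advisory describes, as a constructed C illustration that is not Samba's code: on the principal-mismatch path a callee frees a context its caller also frees, shown beside the single-owner form that the fix pattern follows. The small ctx allocator stands in for talloc and counts a double free instead of aborting; every name and principal string here is an assumption.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-in for a talloc context (not libtalloc): it remembers
 * whether it was freed.  Real talloc_free() abort()s on a double free; this
 * mock counts it instead so the defect can be observed in a test. */
struct ctx { char *principal; int freed; };
static int double_frees = 0;
static struct ctx *ctx_new(const char *principal) {
    struct ctx *c = calloc(1, sizeof *c);
    size_t n = strlen(principal) + 1;
    if (c && (c->principal = malloc(n)) != NULL) memcpy(c->principal, principal, n);
    return c;
}
static void ctx_free(struct ctx *c) {
    if (!c) return;
    if (c->freed) { double_frees++; return; }  /* talloc would abort() here */
    c->freed = 1;
    free(c->principal);          /* struct itself kept so the flag stays readable */
}
/* Drain the counter so a test can check each scenario in isolation. */
static int take_double_frees(void) { int n = double_frees; double_frees = 0; return n; }
/* Vulnerable pattern: on certificate/AS-REQ principal mismatch the callee
 * frees the caller's context, and the caller frees it again after the error. */
static int check_principal_vuln(struct ctx *c, const char *as_req_principal) {
    if (strcmp(c->principal, as_req_principal) != 0) {
        ctx_free(c);             /* first free */
        return -1;
    }
    return 0;
}
static int kdc_vuln(const char *cert_principal, const char *as_req_principal) {
    struct ctx *c = ctx_new(cert_principal);
    int rc = check_principal_vuln(c, as_req_principal);
    ctx_free(c);                 /* second free on the mismatch path */
    return rc;
}
/* Hardened pattern: the callee never frees what it does not own; the caller
 * is the single owner and frees exactly once on every path. */
static int check_principal_fixed(const struct ctx *c, const char *as_req_principal) {
    return strcmp(c->principal, as_req_principal) == 0 ? 0 : -1;
}
static int kdc_fixed(const char *cert_principal, const char *as_req_principal) {
    struct ctx *c = ctx_new(cert_principal);
    int rc = check_principal_fixed(c, as_req_principal);
    ctx_free(c);                 /* the only free, whatever rc is */
    return rc;
}
```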
Comment 3 Swamp Workflow Management 2018-12-10 20:10:21 UTC
SUSE-SU-2018:4066-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1068059,1087303,1087931,1101499,1102230,1116319,1116320,1116322,1116324
CVE References: CVE-2018-14629,CVE-2018-16841,CVE-2018-16851,CVE-2018-16853
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
Comment 6 Marcus Meissner 2019-01-14 14:12:31 UTC
done