Bugzilla – Bug 1204254
VUL-0: CVE-2022-3437: samba: Buffer overflow in Heimdal unwrap_des3()
Last modified: 2023-01-26 20:25:53 UTC
Created attachment 862136 patchset

===========================================================
== Subject:     Buffer overflow in Heimdal unwrap_des3()
==
== CVE ID#:     CVE-2022-3437
==
== Versions:    All versions of Samba since Samba 4.0 compiled
==              with Heimdal Kerberos
==
== Summary:     There is a limited write heap buffer overflow
==              in the GSSAPI unwrap_des() and unwrap_des3()
==              routines of Heimdal (included in Samba).
===========================================================

===========
Description
===========

The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.

Examples of where Samba can use GSSAPI include the client and
fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and
LDAP in the Active Directory Domain Controller.

However not all Samba installations are impacted!

Samba is often compiled to use the system MIT Kerberos using the
--with-system-mitkrb5 argument and these installations are not
impacted, as the vulnerable code is not compiled into Samba.

However when, as is the default, Samba is compiled to use the
internal Heimdal Kerberos library the vulnerable unwrap_des3() is
used.

(The single-DES use case, along with the equally vulnerable
unwrap_des() is only compiled into Samba 4.11 and earlier).

The primary use of Samba's internal Heimdal is for the Samba AD DC,
but this vulnerability does impact fileserver deployments built with
the default build options.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.11, 4.16.7 and 4.17.1 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)

==========
Workaround
==========

Compiling Samba with --with-system-mitkrb5 will avoid this issue.

=======
Credits
=======

Originally reported by Evgeny Legerov of Intevydis.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
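
The build and version conditions stated in the advisory above, as an added example that is not part of the advisory or of this bug report: a shell function that classifies a Samba build from its version string and Kerberos library. The function name, its status strings and the sample inputs are assumptions made for this example.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Samba or SUSE code).
# $1 = Samba version string, $2 = Kerberos library of the build:
#      "heimdal" (internal, the default) or "mit" (--with-system-mitkrb5).
cve_2022_3437_status() {
    version=$1
    krb=$2

    # The vulnerable code is not compiled into system MIT Kerberos builds.
    if [ "$krb" = "mit" ]; then echo "not-affected"; return 0; fi

    # Extract the leading x.y.z, ignoring prefixes and distro suffixes.
    core=$(printf '%s\n' "$version" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$core" ]; then echo "unknown"; return 0; fi

    major=${core%%.*}
    rest=${core#*.}
    minor=${rest%%.*}
    patch=${rest#*.}

    # The advisory covers Samba 4.0 and later only.
    if [ "$major" -lt 4 ]; then echo "out-of-scope"; return 0; fi
    # Branches after 4.17 were released with the fix included.
    if [ "$major" -gt 4 ] || [ "$minor" -gt 17 ]; then echo "fixed"; return 0; fi

    # Security releases named in the advisory: 4.15.11, 4.16.7, 4.17.1.
    case $minor in
        17) fixed_patch=1 ;;
        16) fixed_patch=7 ;;
        15) fixed_patch=11 ;;
        *)  echo "vulnerable"; return 0 ;;  # older branch: patch needed
    esac
    if [ "$patch" -ge "$fixed_patch" ]; then echo "fixed"; else echo "vulnerable"; fi
}

# Constructed sample inputs.
for sample in "4.15.10 heimdal" "4.16.7 heimdal" "4.13.17 heimdal" \
              "4.15.12+git.535.7750e5c95ef mit"; do
    set -- $sample
    printf '%-32s %s\n' "$1" "$(cve_2022_3437_status "$1" "$2")"
done
```

A version number cannot show a vendor backport of the patch, so a "vulnerable" result for a distribution package still needs checking against the vendor's own advisory.
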
does not affect SUSE as we do not build against heimdal

SUSE-SU-2022:4395-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1200102,1201490,1201492,1201493,1201495,1201496,1201689,1204254,1205126
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746,CVE-2022-3437,CVE-2022-42898
JIRA References:
Sources used:
openSUSE Leap Micro 5.2 (src): samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
openSUSE Leap 15.3 (src): samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src): samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src): samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise High Availability 15-SP3 (src): samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Enterprise Storage 7.1 (src): samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0081-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1200102,1201490,1201492,1201493,1201495,1201496,1204254,1205126,1206504
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746,CVE-2022-3437,CVE-2022-38023,CVE-2022-42898
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src): samba-4.15.13+git.482.1ac2c665c7-3.74.1
SUSE Linux Enterprise Server 12-SP5 (src): samba-4.15.13+git.482.1ac2c665c7-3.74.1
SUSE Linux Enterprise High Availability 12-SP5 (src): samba-4.15.13+git.482.1ac2c665c7-3.74.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:0160-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1200102,1201490,1201492,1201493,1201495,1201496,1201689,1204254,1205126,1205385,1205386,1206504,1206546
CVE References: CVE-2021-20251,CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746,CVE-2022-3437,CVE-2022-37966,CVE-2022-37967,CVE-2022-38023,CVE-2022-42898
JIRA References:
Sources used:
openSUSE Leap Micro 5.3 (src): samba-4.15.13+git.591.ab36624310c-150400.3.19.1
openSUSE Leap 15.4 (src): samba-4.15.13+git.591.ab36624310c-150400.3.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src): samba-4.15.13+git.591.ab36624310c-150400.3.19.1
SUSE Linux Enterprise Micro 5.3 (src): samba-4.15.13+git.591.ab36624310c-150400.3.19.1
SUSE Linux Enterprise High Availability 15-SP4 (src): samba-4.15.13+git.591.ab36624310c-150400.3.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.