Bug 1205126 - (CVE-2022-42898) VUL-0: CVE-2022-42898: krb5: samba: heimdal: Samba buffer overflow vulnerabilities on 32-bit systems
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium
Severity: Normal
Assigned To: Security Team bot
URL: https://smash.suse.de/issue/347268/
Reported: 2022-11-07 08:45 UTC by Marcus Meissner
Modified: 2023-01-27 17:19 UTC
Comment 2 Marcus Meissner 2022-11-08 08:31:53 UTC
CRD: 2022-11-15
Comment 6 Marcus Meissner 2022-11-15 15:56:00 UTC
https://www.samba.org/samba/security/CVE-2022-42898.html


CVE-2022-42898.html:

===========================================================
== Subject:     Samba buffer overflow vulnerabilities on 32-bit
==              systems
==
== CVE ID#:     CVE-2022-42898
==
== Versions:    All versions of Samba prior to 4.15.12, 4.16.7, 4.17.3
==
== Summary:     Samba's Kerberos libraries and AD DC failed to guard
==              against integer overflows when parsing a PAC on a 32-bit
==              system, which allowed an attacker with a forged PAC to
==              corrupt the heap.
===========================================================

===========
Description
===========

The Kerberos libraries used by Samba provide a mechanism for
authenticating a user or service by means of tickets that can contain
Privilege Attribute Certificates (PACs).

Both the Heimdal and MIT Kerberos libraries, and so the embedded
Heimdal shipped by Samba, suffer from an integer multiplication
overflow when calculating how many bytes to allocate for a buffer for
the parsed PAC.

On a 32-bit system an overflow allows placement of 16-byte chunks of
entirely attacker-controlled data.

(Because the user's control over this calculation is limited to an
unsigned 32-bit value, 64-bit systems are not impacted).

The server most vulnerable is the KDC, as it will parse an
attacker-controlled PAC in the S4U2Proxy handler.

The secondary risk is to Kerberos-enabled file server installations in
a non-AD realm.  A non-AD Heimdal KDC controlling such a realm may
pass on an attacker-controlled PAC within the service ticket.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.12, 4.16.7, and 4.17.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4)

==========================
Workaround and mitigations
==========================

* No workaround on 32-bit systems as an AD DC
* file servers are only impacted if in a non-AD domain
* 64-bit systems are not exploitable.

=======
Credits
=======

Originally reported by Greg Hudson with the aid of oss-fuzz.

Patches provided by Nicolas Williams of Heimdal and Joseph Sutton of
Catalyst and the Samba team.

Advisory by Joseph Sutton and Andrew Bartlett of Catalyst and the
Samba Team based on text and analysis by Greg Hudson.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
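The following C model is an added illustration, not code from the advisory, Heimdal, MIT Kerberos or Samba: it shows why a 32-bit PAC buffer count multiplied by a 16-byte descriptor size wraps only when size_t is 32 bits wide, and what the pre-multiplication check that fixes it looks like. The function names, the `PAC_INFO_BUFFER_SIZE` constant and the sample count are assumptions based on the advisory text.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of the allocation-size computation described in the
 * advisory: the PAC header carries an attacker-controlled unsigned 32-bit
 * buffer count, and the parser multiplies it by the size of one buffer
 * descriptor (the 16-byte chunk the advisory names) to size a heap buffer.
 * All identifiers here are assumptions, not Heimdal or MIT names. */
#define PAC_INFO_BUFFER_SIZE 16u

/* Unchecked computation as it behaves on a 32-bit platform (size_t is
 * 32 bits wide): the product silently wraps modulo 2^32. */
uint32_t pac_alloc_size_unchecked32(uint32_t num_buffers)
{
    return (uint32_t)(num_buffers * PAC_INFO_BUFFER_SIZE);
}

/* Same computation on a 64-bit platform: the 32-bit count is widened
 * first, so count * 16 (at most 2^36) cannot wrap. */
uint64_t pac_alloc_size_unchecked64(uint32_t num_buffers)
{
    return (uint64_t)num_buffers * PAC_INFO_BUFFER_SIZE;
}

/* Hardened version: refuse the count before multiplying when the product
 * would not fit in the target width. width_max is UINT32_MAX or
 * UINT64_MAX so the same check can be exercised for either size_t. */
bool pac_alloc_size_checked(uint32_t num_buffers, uint64_t width_max,
                            uint64_t *out)
{
    if (num_buffers > width_max / PAC_INFO_BUFFER_SIZE)
        return false;               /* would overflow: reject the PAC */
    *out = (uint64_t)num_buffers * PAC_INFO_BUFFER_SIZE;
    return true;
}

int main(void)
{
    /* Constructed count chosen so count * 16 exceeds 2^32 by 16 bytes. */
    uint32_t count = 0x10000001u;
    uint64_t sz = 0;

    printf("32-bit unchecked: %u bytes\n", pac_alloc_size_unchecked32(count));
    printf("64-bit unchecked: %llu bytes\n",
           (unsigned long long)pac_alloc_size_unchecked64(count));
    printf("32-bit checked: %s\n",
           pac_alloc_size_checked(count, UINT32_MAX, &sz) ? "accepted" : "rejected");
    printf("64-bit checked: %s\n",
           pac_alloc_size_checked(count, UINT64_MAX, &sz) ? "accepted" : "rejected");
    return 0;
}
```

On the 32-bit path the sample count yields a 16-byte allocation while the parser still believes it has room for 0x10000001 descriptors; the checked variant rejects that count on 32-bit and accepts it on 64-bit.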
Comment 7 Swamp Workflow Management 2022-11-21 17:20:18 UTC
SUSE-SU-2022:4155-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205126
CVE References: CVE-2022-42898
JIRA References: 
Sources used:
SUSE Manager Server 4.1 (src):    krb5-1.16.3-150100.3.27.1
SUSE Manager Retail Branch Server 4.1 (src):    krb5-1.16.3-150100.3.27.1
SUSE Manager Proxy 4.1 (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise Server for SAP 15-SP2 (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise Server 15-SP2-LTSS (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise Server 15-SP2-BCL (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise High Performance Computing 15-SP2-LTSS (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise High Performance Computing 15-SP2-ESPOS (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    krb5-1.16.3-150100.3.27.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    krb5-1.16.3-150100.3.27.1
SUSE Enterprise Storage 7 (src):    krb5-1.16.3-150100.3.27.1
SUSE Enterprise Storage 6 (src):    krb5-1.16.3-150100.3.27.1
SUSE CaaS Platform 4.0 (src):    krb5-1.16.3-150100.3.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2022-11-21 17:21:11 UTC
SUSE-SU-2022:4153-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205126
CVE References: CVE-2022-42898
JIRA References: 
Sources used:
openSUSE Leap Micro 5.3 (src):    krb5-1.19.2-150400.3.3.1
openSUSE Leap 15.4 (src):    krb5-1.19.2-150400.3.3.1
SUSE Linux Enterprise Module for Server Applications 15-SP4 (src):    krb5-1.19.2-150400.3.3.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    krb5-1.19.2-150400.3.3.1
SUSE Linux Enterprise Micro 5.3 (src):    krb5-1.19.2-150400.3.3.1
Comment 9 Swamp Workflow Management 2022-11-21 17:23:59 UTC
SUSE-SU-2022:4154-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1189929,1205126
CVE References: CVE-2021-37750,CVE-2022-42898
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    krb5-1.15.2-150000.6.17.1
SUSE Linux Enterprise Server 15-LTSS (src):    krb5-1.15.2-150000.6.17.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    krb5-1.15.2-150000.6.17.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    krb5-1.15.2-150000.6.17.1
Comment 10 Swamp Workflow Management 2022-11-22 14:22:51 UTC
SUSE-SU-2022:4167-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205126
CVE References: CVE-2022-42898
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    krb5-1.19.2-150300.7.7.1
openSUSE Leap 15.3 (src):    krb5-1.19.2-150300.7.7.1, krb5-mini-1.19.2-150300.7.7.1
SUSE Linux Enterprise Module for Server Applications 15-SP3 (src):    krb5-1.19.2-150300.7.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    krb5-1.19.2-150300.7.7.1
SUSE Linux Enterprise Micro 5.2 (src):    krb5-1.19.2-150300.7.7.1
SUSE Linux Enterprise Micro 5.1 (src):    krb5-1.19.2-150300.7.7.1
Comment 11 Samuel Cabrero 2022-11-28 08:01:57 UTC
Reassigned to security team to close it.
Comment 13 Swamp Workflow Management 2022-12-06 20:20:25 UTC
SUSE-SU-2022:4335-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205126
CVE References: CVE-2022-42898
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    krb5-1.12.5-40.43.1
SUSE OpenStack Cloud 9 (src):    krb5-1.12.5-40.43.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    krb5-1.12.5-40.43.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    krb5-1.12.5-40.43.1
SUSE Linux Enterprise Server 12-SP5 (src):    krb5-1.12.5-40.43.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    krb5-1.12.5-40.43.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    krb5-1.12.5-40.43.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    krb5-1.12.5-40.43.1
Comment 14 Swamp Workflow Management 2022-12-09 14:23:09 UTC
SUSE-SU-2022:4395-1: An update that solves 7 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1200102,1201490,1201492,1201493,1201495,1201496,1201689,1204254,1205126
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746,CVE-2022-3437,CVE-2022-42898
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
openSUSE Leap 15.3 (src):    samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise Micro 5.2 (src):    samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
SUSE Enterprise Storage 7.1 (src):    samba-4.15.12+git.535.7750e5c95ef-150300.3.43.1
Comment 18 Marcus Meissner 2022-12-19 12:36:39 UTC
done
Comment 21 Swamp Workflow Management 2023-01-12 14:22:54 UTC
SUSE-SU-2023:0081-1: An update that solves 8 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1200102,1201490,1201492,1201493,1201495,1201496,1204254,1205126,1206504
CVE References: CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746,CVE-2022-3437,CVE-2022-38023,CVE-2022-42898
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.15.13+git.482.1ac2c665c7-3.74.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.15.13+git.482.1ac2c665c7-3.74.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.15.13+git.482.1ac2c665c7-3.74.1
Comment 23 Swamp Workflow Management 2023-01-26 20:25:57 UTC
SUSE-SU-2023:0160-1: An update that solves 11 vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1200102,1201490,1201492,1201493,1201495,1201496,1201689,1204254,1205126,1205385,1205386,1206504,1206546
CVE References: CVE-2021-20251,CVE-2022-2031,CVE-2022-32742,CVE-2022-32744,CVE-2022-32745,CVE-2022-32746,CVE-2022-3437,CVE-2022-37966,CVE-2022-37967,CVE-2022-38023,CVE-2022-42898
JIRA References: 
Sources used:
openSUSE Leap Micro 5.3 (src):    samba-4.15.13+git.591.ab36624310c-150400.3.19.1
openSUSE Leap 15.4 (src):    samba-4.15.13+git.591.ab36624310c-150400.3.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP4 (src):    samba-4.15.13+git.591.ab36624310c-150400.3.19.1
SUSE Linux Enterprise Micro 5.3 (src):    samba-4.15.13+git.591.ab36624310c-150400.3.19.1
SUSE Linux Enterprise High Availability 15-SP4 (src):    samba-4.15.13+git.591.ab36624310c-150400.3.19.1
Comment 24 Swamp Workflow Management 2023-01-27 17:19:09 UTC
SUSE-SU-2023:0198-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1205126
CVE References: CVE-2022-42898
JIRA References: 
Sources used:
openSUSE Leap Micro 5.2 (src):    krb5-1.19.2-150300.10.1
SUSE Manager Server 4.2 (src):    krb5-1.19.2-150300.10.1
SUSE Manager Retail Branch Server 4.2 (src):    krb5-1.19.2-150300.10.1
SUSE Manager Proxy 4.2 (src):    krb5-1.19.2-150300.10.1
SUSE Linux Enterprise Server for SAP 15-SP3 (src):    krb5-1.19.2-150300.10.1
SUSE Linux Enterprise Server 15-SP3-LTSS (src):    krb5-1.19.2-150300.10.1
SUSE Linux Enterprise Realtime Extension 15-SP3 (src):    krb5-1.19.2-150300.10.1
SUSE Linux Enterprise Micro 5.2 (src):    krb5-1.19.2-150300.10.1
SUSE Linux Enterprise Micro 5.1 (src):    krb5-1.19.2-150300.10.1
SUSE Linux Enterprise High Performance Computing 15-SP3-LTSS (src):    krb5-1.19.2-150300.10.1
SUSE Linux Enterprise High Performance Computing 15-SP3-ESPOS (src):    krb5-1.19.2-150300.10.1
SUSE Enterprise Storage 7.1 (src):    krb5-1.19.2-150300.10.1