CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS
Percentile
89.6%
The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.
Examples of where Samba can use GSSAPI include the client and
fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and
LDAP in the Active Directory Domain Controller.
However not all Samba installations are impacted! Samba is often
compiled to use the system MIT Kerberos using the
βwith-system-mitkrb5 argument and these installations are not
impacted, as the vulnerable code is not compiled into Samba.
However when, as is the default, Samba is compiled to use the internal
Heimdal Kerberos library the vulnerable unwrap_des3() is used.
(The single-DES use case, along with the equally vulnerable
unwrap_des() is only compiled into Samba 4.11 and earlier).
The primary use of Sambaβs internal Heimdal is for the Samba AD DC,
but this vulnerability does impact fileserver deployments built with
the default build options.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.15.11, 4.16.6 and 4.17.2 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)
Compiling Samba with --with-system-mitkrb5 will avoid this issue.
Originally reported by Evgeny Legerov of Intevydis.
Patches provided by Joseph Sutton of Catalyst and the Samba Team,
advisory written by Andrew Bartlett of Catalyst and the Samba Team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team