Samba Security advisory SAMBA:CVE-2022-3437

Buffer overflow in Heimdal unwrap_des3()

Published: 2022-10-25 00:00:00
Source: Samba Security (www.samba.org)

CVSS3: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS: 0.01 Low (Percentile: 83.4%)

Description

The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.

Examples of where Samba can use GSSAPI include the client and
fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and
LDAP in the Active Directory Domain Controller.

However, not all Samba installations are impacted! Samba is often
compiled to use the system MIT Kerberos using the
--with-system-mitkrb5 argument, and these installations are not
impacted, as the vulnerable code is not compiled into Samba.

However, when Samba is compiled (as is the default) to use the internal
Heimdal Kerberos library, the vulnerable unwrap_des3() is used.

(The single-DES use case, along with the equally vulnerable
unwrap_des(), is only compiled into Samba 4.11 and earlier.)

The primary use of Samba’s internal Heimdal is for the Samba AD DC,
but this vulnerability does impact fileserver deployments built with
the default build options.
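The "maliciously small packet" failure mode in general terms, as an added example in C that is not Heimdal's or Samba's code: the token layout and field sizes are assumptions modelled on the RFC 1964 wrap token, and the functions place an unchecked length subtraction beside the check that rejects a short token before anything is written into a malloc()-allocated buffer.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical wrap-token layout modelled on the RFC 1964 DES/3DES wrap token
 * (an assumption for this example; not Heimdal's or Samba's code):
 *   8-byte header | 8-byte SND_SEQ | 8-byte SGN_CKSUM | 8-byte confounder | padded data
 * The encrypted region is confounder + data, a whole number of DES blocks. */
#define HDR_LEN        8
#define SEQ_LEN        8
#define CKSUM_LEN      8
#define CONFOUNDER_LEN 8
#define BLOCK_LEN      8
#define MIN_TOKEN_LEN  (HDR_LEN + SEQ_LEN + CKSUM_LEN + CONFOUNDER_LEN + BLOCK_LEN)

/* The bug class: subtracting fixed field sizes from an unchecked length. For a
 * token shorter than 32 bytes the size_t result wraps to a huge value, and any
 * decrypt or copy that trusts it writes past the end of its malloc()'d buffer. */
size_t naive_data_length(size_t token_len)
{
    return token_len - HDR_LEN - SEQ_LEN - CKSUM_LEN - CONFOUNDER_LEN;
}

/* Hardened form: reject short or misaligned tokens before any arithmetic.
 * Returns 0 and sets *data_len on success, -1 on a malformed token. */
int checked_data_length(const uint8_t *token, size_t token_len, size_t *data_len)
{
    if (token == NULL || data_len == NULL || token_len < MIN_TOKEN_LEN)
        return -1;                          /* too small to hold every field */
    size_t enc_len = token_len - HDR_LEN - SEQ_LEN - CKSUM_LEN;
    if (enc_len % BLOCK_LEN != 0)           /* 3DES-CBC needs whole blocks */
        return -1;
    *data_len = enc_len - CONFOUNDER_LEN;   /* cannot underflow after the check */
    return 0;
}

/* Copies the encrypted region into a buffer sized from the checked length
 * (standing in for the in-place decrypt); returns NULL for a rejected token. */
uint8_t *extract_encrypted_region(const uint8_t *token, size_t token_len, size_t *enc_len)
{
    size_t data_len;
    if (checked_data_length(token, token_len, &data_len) != 0)
        return NULL;
    *enc_len = data_len + CONFOUNDER_LEN;
    uint8_t *buf = malloc(*enc_len);
    if (buf != NULL)
        memcpy(buf, token + HDR_LEN + SEQ_LEN + CKSUM_LEN, *enc_len);
    return buf;
}
```

The constructed 20-byte token below is rejected by the checked path, while the naive subtraction on the same length wraps around to a value far larger than the token itself.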

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.15.11, 4.16.6 and 4.17.2 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)

Workaround

Compiling Samba with --with-system-mitkrb5 will avoid this issue.

Credits

Originally reported by Evgeny Legerov of Intevydis.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
advisory written by Andrew Bartlett of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
