8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
75.9%
The Kerberos libraries used by Samba provide a mechanism for
authenticating a user or service by means of tickets that can contain
Privilege Attribute Certificates (PACs).
Both the Heimdal and MIT Kerberos libraries, and so the embedded
Heimdal shipped by Samba suffer from an integer multiplication
overflow when calculating how many bytes to allocate for a buffer for
the parsed PAC.
On a 32-bit system an overflow allows placement of 16-byte chunks of
entirely attacker- controlled data.
(Because the user’s control over this calculation is limited to an
unsigned 32-bit value, 64-bit systems are not impacted).
The server most vulnerable is the KDC, as it will parse an
attacker-controlled PAC in the S4U2Proxy handler.
The secondary risk is to Kerberos-enabled file server installations in
a non-AD realm. A non-AD Heimdal KDC controlling such a realm may
pass on an attacker-controlled PAC within the service ticket.
Patches addressing these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.15.12, 4.16.7, and 4.17.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:L (6.4)
Originally reported by Greg Hudson with the aid of oss-fuzz.
Patches provided by Nicolas Williams of Heimdal and Joseph Sutton of
Catlyst and the Samba team.
Advisory by Joseph Sutton and Andrew Bartlett of Catalyst and the
Samba Team based on text and analysis by Greg Hudson.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
8.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
6.5 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:S/C:P/I:P/A:P
0.005 Low
EPSS
Percentile
75.9%