CVE-2022-2127

20.07.2023, 15:15

An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	NIST	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
redhat	CNA	5.9 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVE	ADP	---				---
CISA-ADP	ADP	---				---

Base Score

CVSS 3.x

EPSS Score

Percentile: 78%

Vendor	Product	Version
samba	samba	4.16.0 ≤ 𝑥 < 4.16.10
samba	samba	4.17.0 ≤ 𝑥 < 4.17.9
samba	samba	4.18.0 ≤ 𝑥 < 4.18.4
redhat	enterprise_linux	6.0
redhat	enterprise_linux	7.0
redhat	enterprise_linux	8.0
redhat	enterprise_linux	9.0
debian	debian_linux	12.0

𝑥

= Vulnerable software versions

Debian Releases

Debian Product

Codename

samba

bullseye (security)	2:4.13.13+dfsg-1~deb11u6 fixed
bullseye	2:4.13.13+dfsg-1~deb11u6 fixed
bookworm	2:4.17.12+dfsg-0+deb12u1 fixed
bookworm (security)	2:4.17.12+dfsg-0+deb12u1 fixed
sid	2:4.21.1+dfsg-2 fixed
trixie	2:4.21.1+dfsg-2 fixed

Ubuntu Releases

Ubuntu Product

Codename

samba

noble	Fixed 2:4.18.5+dfsg-1ubuntu1 released
mantic	Fixed 2:4.18.5+dfsg-1ubuntu1 released
lunar	Fixed 2:4.17.7+dfsg-1ubuntu1.1 released
kinetic	Fixed 2:4.16.8+dfsg-0ubuntu1.2 released
jammy	Fixed 2:4.15.13+dfsg-0ubuntu1.2 released
focal	Fixed 2:4.15.13+dfsg-0ubuntu0.20.04.3 released
bionic	needs-triage
xenial	needs-triage
trusty	needs-triage