CVE-2022-2127

EUVD-2022-34413
An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client sends replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the LAN Manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.

| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | Primary | 5.9 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |
| redhat | CNA | 5.9 MEDIUM | NETWORK | HIGH | NONE | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H |

EPSS Score percentile: 79%
Affected Products (NVD)

| Vendor | Product | Version |
|---|---|---|
| samba | samba | 4.16.0 ≤ 𝑥 < 4.16.10 |
| samba | samba | 4.17.0 ≤ 𝑥 < 4.17.9 |
| samba | samba | 4.18.0 ≤ 𝑥 < 4.18.4 |
| redhat | enterprise_linux | 6.0 |
| redhat | enterprise_linux | 7.0 |
| redhat | enterprise_linux | 8.0 |
| redhat | enterprise_linux | 9.0 |
| debian | debian_linux | 12.0 |

𝑥 = Vulnerable software versions

Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| samba | bookworm | 2:4.17.12+dfsg-0+deb12u1 | fixed |
| samba | bookworm (security) | 2:4.17.12+dfsg-0+deb12u1 | fixed |
| samba | bullseye | 2:4.13.13+dfsg-1~deb11u6 | fixed |
| samba | bullseye (security) | 2:4.13.13+dfsg-1~deb11u6 | fixed |
| samba | sid | 2:4.21.1+dfsg-2 | fixed |
| samba | trixie | 2:4.21.1+dfsg-2 | fixed |

Ubuntu Releases

| Ubuntu Product | Codename | Status | Details |
|---|---|---|---|
| samba | bionic | needs-triage | |
| samba | focal | released | Fixed 2:4.15.13+dfsg-0ubuntu0.20.04.3 |
| samba | jammy | released | Fixed 2:4.15.13+dfsg-0ubuntu1.2 |
| samba | kinetic | released | Fixed 2:4.16.8+dfsg-0ubuntu1.2 |
| samba | lunar | released | Fixed 2:4.17.7+dfsg-1ubuntu1.1 |
| samba | mantic | released | Fixed 2:4.18.5+dfsg-1ubuntu1 |
| samba | noble | released | Fixed 2:4.18.5+dfsg-1ubuntu1 |
| samba | trusty | needs-triage | |
| samba | xenial | needs-triage | |