Samba Patches

Samba released patches this week for an integer overflow vulnerability that could lead to arbitrary code execution.

What is Samba?

Samba is a free and open-source Server Message Block (SMB) implementation for Linux and Unix that can serve as a Domain Controller for Microsoft's Active Directory (AD DC).

Vulnerability Tracked as CVE-2022-42898

The newly addressed security flaw, tracked as CVE-2022-42898 and affecting multiple Samba releases, exists in the Service for User to Proxy (S4U2proxy) handler, which provides "a service that obtains a service ticket to another service on behalf of a user."

Vulnerability Info

This functionality, also known as "constrained delegation," is based on messages sent and received by the Kerberos ticket-granting service (TGS).

In Samba, Kerberos support, including the Key Distribution Center (KDC), is provided by the bundled Heimdal library or by MIT Kerberos.

Tickets issued by these KDCs can carry a Privilege Attribute Certificate (PAC), the authorization data structure that Active Directory uses to convey a user's identity and group membership to services.

Sending a specially crafted request carrying a forged PAC to the KDC can trigger the bug.

On 32-bit systems, an authenticated attacker can use this vulnerability to overflow a heap buffer with 16-byte chunks of attacker-controlled data.

Exploiting this bug successfully could result in a denial-of-service (DoS) condition or even remote code execution (RCE). 64-bit systems are not at risk, because the size arithmetic that wraps on a 32-bit system does not overflow there.

"When parsing a PAC on a 32-bit system, Samba's Kerberos libraries and AD DC failed to guard against integer overflows, allowing an attacker with a forged PAC to corrupt the heap," Samba explains.
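The following is an added illustration of the bug class Samba describes; it is not Heimdal's, MIT's or Samba's code. A PAC begins with a 32-bit count of 16-byte PAC_INFO_BUFFER entries. If the array that holds those entries is sized with 32-bit arithmetic, count * 16 wraps for any count of 2^28 or more, the allocation comes out tiny, and the per-entry writes that follow run past it. The model below only counts those writes instead of performing them, so it is safe to run; the sample blob, the function and field names, and the size_t_bits parameter (32 reproduces the wrap, 64 does not) are assumptions made for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a PAC header (not Heimdal/MIT/Samba code):
 * a 32-bit cBuffers count followed by 16-byte PAC_INFO_BUFFER entries. */
#define PAC_INFO_BUFFER_SIZE 16u
#define PAC_COUNT_FIELD_SIZE 4u

typedef struct {
    bool     accepted;  /* parser did not reject the blob */
    uint32_t count;     /* cBuffers as read from the blob */
    uint64_t alloc;     /* bytes the entry array would be allocated with */
    uint64_t written;   /* bytes the per-entry writes would cover */
} pac_parse_result;

/* Constructed sample: cBuffers = 0x10000001, followed by three entries.
 * 0x10000001 * 16 = 0x1_0000_0010, which truncates to 16 on 32-bit. */
static const uint8_t forged_pac[PAC_COUNT_FIELD_SIZE + 3 * PAC_INFO_BUFFER_SIZE] = {
    0x01, 0x00, 0x00, 0x10
};

static uint32_t get_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* size_t_bits models the platform word size (32 or 64).
 * guarded selects the fix: reject any count whose array size cannot be
 * represented, before the multiplication is ever done. */
pac_parse_result pac_parse(const uint8_t *blob, size_t len,
                           unsigned size_t_bits, bool guarded) {
    pac_parse_result r = { false, 0, 0, 0 };
    if (len < PAC_COUNT_FIELD_SIZE)
        return r;
    r.count = get_le32(blob);

    uint64_t size_max = (size_t_bits == 32) ? UINT32_MAX : UINT64_MAX;
    if (guarded && (r.count < 1 || r.count > size_max / PAC_INFO_BUFFER_SIZE))
        return r;  /* would overflow: reject before sizing anything */

    /* Unguarded sizing: the product is truncated to the platform width,
     * which is exactly the wrap that yields a tiny allocation on 32-bit. */
    r.alloc = ((uint64_t)r.count * PAC_INFO_BUFFER_SIZE) & size_max;

    /* Per-entry loop: each iteration consumes 16 input bytes and would
     * write 16 bytes into entry i. Only running out of input stops it,
     * and by then the writes have already landed past a wrapped alloc. */
    size_t pos = PAC_COUNT_FIELD_SIZE;
    for (uint32_t i = 0; i < r.count; i++) {
        if (len - pos < PAC_INFO_BUFFER_SIZE)
            return r;  /* truncated input: error returned, damage already done */
        r.written += PAC_INFO_BUFFER_SIZE;
        pos += PAC_INFO_BUFFER_SIZE;
    }
    r.accepted = true;
    return r;
}

/* True when the entry writes would have reached past the allocation. */
bool pac_parse_overflowed(const pac_parse_result *r) {
    return r->written > r->alloc;
}

static void report(const char *label, pac_parse_result r) {
    printf("%-22s count=0x%08x alloc=%llu written=%llu overflow=%d accepted=%d\n",
           label, r.count, (unsigned long long)r.alloc,
           (unsigned long long)r.written, pac_parse_overflowed(&r), r.accepted);
}

int main(void) {
    report("32-bit, unguarded:", pac_parse(forged_pac, sizeof forged_pac, 32, false));
    report("64-bit, unguarded:", pac_parse(forged_pac, sizeof forged_pac, 64, false));
    report("32-bit, guarded:",   pac_parse(forged_pac, sizeof forged_pac, 32, true));
    return 0;
}
```

On the 32-bit unguarded path the 52-byte sample yields a 16-byte allocation while the loop would write 48 bytes, three attacker-controlled 16-byte chunks past the end of the heap block; with a 64-bit size the same count produces a 4 GiB request that does not wrap, which is why 64-bit systems are not exposed to this overflow. The guarded path rejects the count before any size is computed, which is the shape of check a parser needs for any attacker-supplied element count that feeds an allocation.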

The Samba team considers the KDC the most exposed server, since it parses the attacker-controlled PAC in the S4U2Proxy handler.

Samba adds: "Another risk is to Kerberos-enabled file server installations in non-AD realms."

According to the Samba team, "a non-AD Heimdal KDC controlling such a realm may pass on an attacker-controlled PAC within the service ticket."

Patched Versions

Patches for this security flaw have been released in the following Samba versions:

  • 4.15.12
  • 4.16.7
  • 4.17.3.

This bug is also addressed in the standalone Heimdal release:

  • Heimdal 7.7.1.

The US Cybersecurity and Infrastructure Security Agency (CISA) has advised users and administrators to review Samba's advisory and, if necessary, take action.

CISA warns that an attacker could exploit the vulnerability to take control of an affected system.