Samba - Security Announcement Archive

CVE-2022-32742.html:

====================================================================
== Subject:     Server memory information leak via SMB1.
==
== CVE ID#:     CVE-2022-32742
==
== Versions:    All versions of Samba.
==
== Summary:     SMB1 Client with write access to a share can cause
==              server memory contents to be written into a file
==              or printer.
==
====================================================================

===========
Description
===========

Please note that only versions of Samba prior to 4.11.0 are vulnerable
to this bug by default. Samba versions 4.11.0 and above disable SMB1
by default, and will only be vulnerable if the administrator has
deliberately enabled SMB1 in the smb.conf file.

All versions of Samba with SMB1 enabled are vulnerable to a server
memory information leak bug over SMB1 if a client can write data to a
share. Some SMB1 write requests were not correctly range checked to
ensure the client had sent enough data to fulfill the write, allowing
server memory contents to be written into the file (or printer)
instead of client supplied data. The client cannot control the area of
the server memory that is written to the file (or printer).

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9 and 4.14.14 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==================
CVSSv3.1 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3)

==========
Workaround
==========

This is an SMB1-only vulnerability. Since Samba release 4.11.0 SMB1
has been disabled by default. We do not recommend enabling SMB1 server
support. For Samba versions prior to 4.11.0 please disable SMB1 by
adding

server min protocol = SMB2_02

to the [global] section of your smb.conf and restarting smbd.

=======
Credits
=======

This problem was reported by Luca Moro working with Trend Micro Zero
Day Initiative. Jeremy Allison of Google and the Samba Team provided
the fix.