Vulnerability CVE-2022-2127: Information

Description

An out-of-bounds read vulnerability was found in Samba due to insufficient length checks in winbindd_pam_auth_crap.c. When performing NTLM authentication, the client replies to cryptographic challenges back to the server. These replies have variable lengths, and Winbind fails to check the lan manager response length. When Winbind is used for NTLM authentication, a maliciously crafted request can trigger an out-of-bounds read in Winbind, possibly resulting in a crash.

Severity: MEDIUM (5.9) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2022-2127
Published: July 20, 2023
Modified: April 22, 2024
Error type identifier: CWE-125

Fixed packages

Package name
Branch
Fixed in version
Version from repository
Errata ID
Task #
State
sambasisyphus4.17.10-alt14.20.1-alt2ALT-PU-2023-4523-1324834Fixed
sambasisyphus_e2k4.17.10-alt14.20.1-alt1ALT-PU-2023-4546-1-Fixed
sambasisyphus_riscv644.17.10-alt14.20.1-alt2ALT-PU-2023-4563-1-Fixed
sambap104.16.11-alt24.19.6-alt2ALT-PU-2023-4520-2325414Fixed
sambap10_e2k4.16.11-alt24.19.6-alt2ALT-PU-2023-4651-1-Fixed
sambac10f14.16.11-alt24.16.11-alt2ALT-PU-2023-4522-2325413Fixed
sambac9f24.16.11-alt0.c9.14.14.14-alt0.c9.1ALT-PU-2024-8329-1334763In work
sambap114.17.10-alt14.20.1-alt1ALT-PU-2023-4523-1324834Fixed

References to Advisories, Solutions, and Tools

Hyperlink
Resource
https://www.samba.org/samba/security/CVE-2022-2127.html
  • Mitigation
  • Vendor Advisory
https://access.redhat.com/security/cve/CVE-2022-2127
  • Third Party Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2222791
  • Issue Tracking
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/BPCSGND7LO467AJGR5DYBGZLTCGTOBCC/
  • Mailing List
  • Third Party Advisory
https://security.netapp.com/advisory/ntap-20230731-0010/
  • Third Party Advisory
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/OT74M42E6C36W7PQVY3OS4ZM7DVYB64Z/
  • Mailing List
https://www.debian.org/security/2023/dsa-5477
  • Third Party Advisory
RHSA-2023:6667
  • Third Party Advisory
RHSA-2023:7139
  • Third Party Advisory
RHSA-2024:0423
    RHSA-2024:0580
      https://lists.debian.org/debian-lts-announce/2024/04/msg00015.html

          1. Configuration 1

            cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
            Start including
            4.16.0
            End excliding
            4.16.10
            cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
            Start including
            4.17.0
            End excliding
            4.17.9
            cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*
            Start including
            4.18.0
            End excliding
            4.18.4

            Configuration 2

            cpe:2.3:o:redhat:enterprise_linux:7.0:*:*:*:*:*:*:*
            cpe:2.3:o:redhat:enterprise_linux:6.0:*:*:*:*:*:*:*
            cpe:2.3:o:redhat:enterprise_linux:8.0:*:*:*:*:*:*:*
            cpe:2.3:o:redhat:enterprise_linux:9.0:*:*:*:*:*:*:*

            Configuration 3

            cpe:2.3:o:fedoraproject:fedora:37:*:*:*:*:*:*:*
            cpe:2.3:o:fedoraproject:fedora:38:*:*:*:*:*:*:*

            Configuration 4

            cpe:2.3:o:debian:debian_linux:12.0:*:*:*:*:*:*:*
        VKontakte|Telegram|YouTube|Forum|GitHub|Bugzilla
        Version: v24.5.3
        Back to top