Heap-based Buffer Overflow Affecting samba package, versions <2:4.9.5+dfsg-5+deb10u5


Severity

Recommended
0.0
medium
0
10

Snyk's Security Team recommends NVD's CVSS assessment. Learn more

Threat Intelligence

EPSS
2.17% (90th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk IDSNYK-DEBIAN10-SAMBA-3061492
  • published25 Oct 2022
  • disclosed12 Jan 2023

Introduced: 25 Oct 2022

CVE-2022-3437  (opens in a new tab)
CWE-122  (opens in a new tab)

How to fix?

Upgrade Debian:10 samba to version 2:4.9.5+dfsg-5+deb10u5 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream samba package and not the samba package as distributed by Debian. See How to fix? for Debian:10 relevant fixed versions and status.

A heap-based buffer overflow vulnerability was found in Samba within the GSSAPI unwrap_des() and unwrap_des3() routines of Heimdal. The DES and Triple-DES decryption routines in the Heimdal GSSAPI library allow a length-limited write buffer overflow on malloc() allocated memory when presented with a maliciously small packet. This flaw allows a remote user to send specially crafted malicious data to the application, possibly resulting in a denial of service (DoS) attack.

CVSS Scores

version 3.1