Bug 2108196 (CVE-2022-32742)

Summary: CVE-2022-32742 samba: server memory information leak via SMB1
Product: [Other] Security Response Reporter: Mauro Matteo Cascella <mcascell>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, anoopcs, asn, dkarpele, gdeschner, iboukris, jarrpa, jstephen, kyoshida, lmohanty, madam, pfilipen, rhs-smb, sbose, security-response-team, ssorce, villapla, vroca
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.16.4, samba 4.15.9, samba 4.14.14 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Samba. Some SMB1 write requests were not correctly range-checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client-supplied data. The client cannot control the area of the server memory written to the file (or printer).
 Story Points: ---
Clone Of: Environment:
Last Closed: 2022-12-07 02:33:10 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2108331, 2108332, 2111729, 2111741, 2125552    
Bug Blocks: 2095310, 2095313    

Description Mauro Matteo Cascella 2022-07-18 15:01:38 UTC 
As per samba upstream advisory:

All versions of Samba with SMB1 enabled are vulnerable to a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client supplied data. The client cannot control the area of the server memory that is written to the file (or printer).

Please note that only versions of Samba prior to 4.11.0 are vulnerable to this bug by default. Samba versions 4.11.0 and above disable SMB1 by default, and will only be vulnerable if the administrator has deliberately enabled SMB1 in the smb.conf file.
Comment 2 Sandipan Roy 2022-07-28 04:07:48 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2111729]
Comment 4 errata-xmlrpc 2022-10-19 13:55:55 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2022:7056 https://access.redhat.com/errata/RHSA-2022:7056
Comment 5 errata-xmlrpc 2022-10-25 08:46:12 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:7111 https://access.redhat.com/errata/RHSA-2022:7111
Comment 6 errata-xmlrpc 2022-11-15 10:56:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2022:8317 https://access.redhat.com/errata/RHSA-2022:8317
Comment 7 Product Security DevOps Team 2022-12-07 02:33:07 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2022-32742