Bug 1825731 (CVE-2020-10700)

Summary: CVE-2020-10700 samba: Use-after-free in Samba AD DC LDAP Server with ASQ
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, anoopcs, asn, gdeschner, hvyas, iboukris, iboukris, jarrpa, jstephen, lmohanty, madam, puebele, rhs-smb, sbose, security-response-team, ssorce, vbellur, yozone
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.10.15, samba 4.11.8, samba 4.12.2 Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the way samba AD DC LDAP servers, handled 'Paged Results' control is combined with the 'ASQ' control. A malicious user in a samba AD could use this flaw to cause denial of service.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-04-28 10:23:21 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1828870    
Bug Blocks: 1825732    

Description Huzaifa S. Sidhpurwala 2020-04-20 04:15:34 UTC 
As per upstream advisory:


Samba has, since Samba 4.0, supported the Paged Results LDAP feature, to allow clients to obtain pages of search results against a Samba AD DC using an LDAP control.

Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been in place in this module, to age out old client requests if more than 10 such requests are outstanding.

A rewrite of the module for more efficient memory handling in Samba 4.11 changed the module behaviour, and combined with the above to introduce the use-after-free.  The use-after-free occurs when the 'Paged Results' control is combined with the 'ASQ' control, another Active Directory LDAP feature.
Comment 1 Huzaifa S. Sidhpurwala 2020-04-20 04:15:38 UTC 
Acknowledgments:

Name: the Samba project
Upstream: Andrei Popa
Comment 4 Huzaifa S. Sidhpurwala 2020-04-20 04:23:14 UTC 
Mitigation:

As per upstream, the crash is hard to trigger, and relies in particular on the chain of child and grandchild links being queried with ASQ.  Malicious users without write access will need to find a suitable chain within the existing directory layout.
Comment 6 Hardik Vyas 2020-04-21 14:00:16 UTC 
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux as there is no support for samba as an Active Directory Domain Controller (AD DC). Similarly, the version of samba shipped with Red Hat Gluster Storage 3 is also not supported for use as an AD DC and, thus, is not affected by this vulnerability.
Comment 7 Huzaifa S. Sidhpurwala 2020-04-28 10:20:49 UTC 
External References:

https://www.samba.org/samba/security/CVE-2020-10700.html
Comment 8 Hardik Vyas 2020-04-28 13:46:58 UTC 
Creating tracker bug for fedora-all, upon request from Gunther.
Comment 9 Hardik Vyas 2020-04-28 13:47:21 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1828870]