Bug 1849489 (CVE-2020-10730)

Summary: CVE-2020-10730 samba: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, asn, gdeschner, hvyas, iboukris, iboukris, jhrozek, lslebodn, puebele, rhs-smb, security-response-team, sgallagh, ssorce, vbellur
Target Milestone: ---Keywords: Reopened, Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.10.17, samba 4.11.11, samba 4.12.4 Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference, or possible use-after-free flaw was found in the Samba AD LDAP server. Although some versions of Samba shipped with Red Hat Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package. This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference. The highest threat from this vulnerability is to system availability.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-23 07:27:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1849613, 1849615, 1849979, 1853255    
Bug Blocks: 1849490    

Description Huzaifa S. Sidhpurwala 2020-06-22 04:53:01 UTC 
As per upstream advisory:

Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control.

The combination of this control, and the ASQ control combines to allow an authenticated user to trigger a NULL-pointer de-reference.  It is also possible to trigger a use-after-free, both as the code is very similar to that addressed by CVE-2020-10700 and due to the way errors are handled in the dsdb_paged_results module since Samba 4.10.
Comment 1 Huzaifa S. Sidhpurwala 2020-06-22 04:53:05 UTC 
Acknowledgments:

Name: the Samba project
Upstream: Andrew Bartlett
Comment 3 Hardik Vyas 2020-06-23 10:39:37 UTC 
Statement:

The version of samba shipped with Red Hat Gluster Storage 3 is built with a private copy of ldb which includes the vulnerable code. However, samba shipped with RHGS 3 is not supported for use as an AD DC and hence this issue has been rated as having a security impact of Low.
Comment 5 Huzaifa S. Sidhpurwala 2020-07-02 09:30:53 UTC 
External References:

https://www.samba.org/samba/security/CVE-2020-10730.html
Comment 6 Huzaifa S. Sidhpurwala 2020-07-02 09:32:07 UTC 
Created libldb tracking bugs for this issue:

Affects: fedora-all [bug 1853255]
Comment 7 Hardik Vyas 2020-07-02 11:31:19 UTC 
Upstream patch: https://github.com/samba-team/samba/commit/d8b9bb274b7e7a390cf3bda9cd732cb2227bdbde
Comment 8 errata-xmlrpc 2020-07-23 04:36:51 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2020:3119 https://access.redhat.com/errata/RHSA-2020:3119
Comment 9 errata-xmlrpc 2020-07-23 04:37:18 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2020:3118 https://access.redhat.com/errata/RHSA-2020:3118
Comment 10 Product Security DevOps Team 2020-07-23 07:27:36 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10730
Comment 11 errata-xmlrpc 2020-11-04 02:02:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4568 https://access.redhat.com/errata/RHSA-2020:4568