Bug 1642545 (CVE-2018-16841) - CVE-2018-16841 samba: Double-free in Samba AD DC KDC with PKINIT
Status: CLOSED NOTABUG
Alias: CVE-2018-16841
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All Linux
Priority: medium
Severity: medium
Assignee: Red Hat Product Security
Whiteboard: impact=moderate,public=20181128,repor...
Keywords: Security
Depends On: 1654082
Blocks: 1642548
Reported: 2018-10-24 16:04 UTC by Laura Pardo
Modified: 2018-11-29 14:41 UTC (History)

Fixed In Version: samba 4.7.12, samba 4.8.7, samba 4.9.3
Doc Text:
A double-free was found when Samba's KDC is used as an Active Directory Domain Controller. An authenticated attacker could use this flaw to cause a denial of service (application crash).
Last Closed: 2018-11-28 07:16:35 UTC

Description Laura Pardo 2018-10-24 16:04:11 UTC
A flaw was found in Samba versions from 4.3.0. When configured to accept smart-card authentication, Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. This could result in a Denial of Service attack.
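
As an added illustration (not Samba's code and not part of this bug report), the C model below shows how an error path such as the principal mismatch described above can release the same context twice, next to a single-exit version that cannot. The names `ctx`, `check_principal_buggy` and `check_principal_fixed` and the sample principals are hypothetical; the tracked release stands in for an allocator that detects a second free.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model, not Samba code: a second release is counted, not performed. */
struct ctx { char *scratch; int freed; };
static int double_frees;            /* releases of an already-freed ctx */

static void ctx_init(struct ctx *c) { c->scratch = malloc(64); c->freed = 0; }
static void ctx_free(struct ctx *c)
{
    if (c->freed) { double_frees++; return; }  /* a detecting allocator may abort here */
    free(c->scratch);
    c->scratch = NULL;
    c->freed = 1;
}

/* Before: the mismatch branch releases the context, then shared cleanup does it again. */
static int check_principal_buggy(const char *cert_princ, const char *req_princ)
{
    struct ctx c; int ret = 0;
    ctx_init(&c);
    if (strcmp(cert_princ, req_princ) != 0) {
        ret = -1;
        ctx_free(&c);   /* first release, on the error path */
    }
    ctx_free(&c);       /* shared cleanup: second release on mismatch */
    return ret;
}

/* After: error paths only set the return code; one exit point owns the release. */
static int check_principal_fixed(const char *cert_princ, const char *req_princ)
{
    struct ctx c; int ret = 0;
    ctx_init(&c);
    if (strcmp(cert_princ, req_princ) != 0)
        ret = -1;
    ctx_free(&c);
    return ret;
}

int main(void)
{
    check_principal_buggy("alice@EXAMPLE.TEST", "bob@EXAMPLE.TEST"); /* constructed principals */
    int buggy = double_frees;
    check_principal_fixed("alice@EXAMPLE.TEST", "bob@EXAMPLE.TEST");
    printf("double releases: buggy=%d fixed=%d\n", buggy, double_frees - buggy);
    return 0;
}
```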

Comment 1 Sam Fowler 2018-11-28 01:55:07 UTC
External Reference:

https://www.samba.org/samba/security/CVE-2018-16841.html

Comment 2 Sam Fowler 2018-11-28 01:55:42 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1654082]

Comment 3 Sam Fowler 2018-11-28 01:56:47 UTC
Acknowledgments:

Name: The Samba Team
Upstream: Alex MacCuish

Comment 4 Huzaifa S. Sidhpurwala 2018-11-28 07:16:52 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.

