Bug 1646377 (CVE-2018-16851) - CVE-2018-16851 samba: NULL pointer de-reference in Samba AD DC LDAP server
Summary: CVE-2018-16851 samba: NULL pointer de-reference in Samba AD DC LDAP server
Status: CLOSED NOTABUG
Alias: CVE-2018-16851
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20181120,repor...
Keywords: Security
Depends On: 1654091
Blocks: 1646387
Reported: 2018-11-05 13:36 UTC by Laura Pardo
Modified: 2018-11-29 14:40 UTC

A NULL pointer dereference was found in the way LDAP search was implemented when Samba is used as an Active Directory Domain Controller. A remote, authenticated attacker could use this flaw to cause a denial of service (application crash).
Clone Of:
Last Closed: 2018-11-28 07:27:13 UTC


Description Laura Pardo 2018-11-05 13:36:25 UTC
A flaw was found in Samba versions from 4.0.0. During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB.  When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer, terminating the process. This can lead to a denial of service attack.
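
The failure mode in the description above, as an added C sketch that is not Samba's code: a reply object with a hard size cap whose grow call returns NULL, used once without a check and once with one. The function names, the status codes and the 64-byte cap (standing in for the 256MB limit) are assumptions made for the illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed cap: stands in for the page's 256MB limit, scaled down. */
#define REPLY_CAP 64u
enum reply_status { REPLY_OK = 0, REPLY_TOO_BIG = -1 }; /* hypothetical codes */
struct reply { char *data; size_t len; };

/* Grow the single reply object; returns NULL at the cap or on alloc failure. */
char *reply_grow(struct reply *r, size_t extra)
{
    if (extra > REPLY_CAP - r->len)
        return NULL;
    char *p = realloc(r->data, r->len + extra);
    if (p != NULL)
        r->data = p;
    return p;
}

/* Flawed (never called here): unchecked result; crossing the cap crashes. */
void append_unchecked(struct reply *r, const char *entry, size_t n)
{
    char *p = reply_grow(r, n);
    memcpy(p + r->len, entry, n);
    r->len += n;
}

/* Hardened pattern: report the failure so only this search fails. */
enum reply_status append_checked(struct reply *r, const char *entry, size_t n)
{
    char *p = reply_grow(r, n);
    if (p == NULL)
        return REPLY_TOO_BIG;
    memcpy(p + r->len, entry, n);
    r->len += n;
    return REPLY_OK;
}

int main(void)
{
    static const char entry[16] = "dn: cn=sample"; /* constructed entry */
    struct reply r = { NULL, 0 };
    int i = 0;
    while (append_checked(&r, entry, sizeof entry) == REPLY_OK)
        i++;
    printf("%d entries cached, search failed cleanly at %zu bytes\n", i, r.len);
    free(r.data);
    return 0;
}
```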

Comment 2 Sam Fowler 2018-11-28 02:54:49 UTC
External Reference:

https://www.samba.org/samba/security/CVE-2018-16851.html

Comment 3 Sam Fowler 2018-11-28 02:55:00 UTC
Acknowledgments:

Name: Garming Sam (Samba Team and Catalyst)

Comment 4 Sam Fowler 2018-11-28 02:55:35 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1654091]

Comment 5 Huzaifa S. Sidhpurwala 2018-11-28 07:27:31 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.
