Bug 1825731 (CVE-2020-10700) - CVE-2020-10700 samba: Use-after-free in Samba AD DC LDAP Server with ASQ
Summary: CVE-2020-10700 samba: Use-after-free in Samba AD DC LDAP Server with ASQ
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-10700
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1828870
Blocks: 1825732
TreeView+ depends on / blocked
 
Reported: 2020-04-20 04:15 UTC by Huzaifa S. Sidhpurwala
Modified: 2020-06-04 03:54 UTC (History)
18 users (show)

Fixed In Version: samba 4.10.15, samba 4.11.8, samba 4.12.2
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the way samba AD DC LDAP servers, handled 'Paged Results' control is combined with the 'ASQ' control. A malicious user in a samba AD could use this flaw to cause denial of service.
Clone Of:
Environment:
Last Closed: 2020-04-28 10:23:21 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2020-04-20 04:15:34 UTC
As per upstream advisory:


Samba has, since Samba 4.0, supported the Paged Results LDAP feature, to allow clients to obtain pages of search results against a Samba AD DC using an LDAP control.

Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been in place in this module, to age out old client requests if more than 10 such requests are outstanding.

A rewrite of the module for more efficient memory handling in Samba 4.11 changed the module behaviour, and combined with the above to introduce the use-after-free.  The use-after-free occurs when the 'Paged Results' control is combined with the 'ASQ' control, another Active Directory LDAP feature.

Comment 1 Huzaifa S. Sidhpurwala 2020-04-20 04:15:38 UTC
Acknowledgments:

Name: the Samba project
Upstream: Andrei Popa

Comment 4 Huzaifa S. Sidhpurwala 2020-04-20 04:23:14 UTC
Mitigation:

As per upstream, the crash is hard to trigger, and relies in particular on the chain of child and grandchild links being queried with ASQ.  Malicious users without write access will need to find a suitable chain within the existing directory layout.

Comment 6 Hardik Vyas 2020-04-21 14:00:16 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux as there is no support for samba as an Active Directory Domain Controller (AD DC). Similarly, the version of samba shipped with Red Hat Gluster Storage 3 is also not supported for use as an AD DC and, thus, is not affected by this vulnerability.

Comment 7 Huzaifa S. Sidhpurwala 2020-04-28 10:20:49 UTC
External References:

https://www.samba.org/samba/security/CVE-2020-10700.html

Comment 8 Hardik Vyas 2020-04-28 13:46:58 UTC
Creating tracker bug for fedora-all, upon request from Gunther.

Comment 9 Hardik Vyas 2020-04-28 13:47:21 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1828870]


Note You need to log in before you can comment on or make changes to this bug.