Bug 1825734 (CVE-2020-10704) - CVE-2020-10704 samba: LDAP Denial of Service (stack overflow) in Samba AD DC
Summary: CVE-2020-10704 samba: LDAP Denial of Service (stack overflow) in Samba AD DC
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-10704
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1828872
Blocks: 1825732
TreeView+ depends on / blocked
 
Reported: 2020-04-20 04:37 UTC by Huzaifa S. Sidhpurwala
Modified: 2023-09-07 22:52 UTC (History)
18 users (show)

Fixed In Version: samba 4.10.15, samba 4.11.8, samba 4.12.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found when using samba as an Active Directory Domain Controller. Due to the way samba handles certain requests as an Active Directory Domain Controller LDAP server, an unauthorized user can cause a stack overflow leading to a denial of service. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-04-28 10:22:59 UTC
Embargoed:

Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2020-04-20 04:37:03 UTC 
As per upstream advisory:

LDAP is encoded as ASN.1, and LDAP filters are defined recursively as
   Filter ::= CHOICE {
                and             [0] SET OF Filter,
                or              [1] SET OF Filter,
                not             [2] Filter,
		
This recursion is mirrored in Samba's recursive decent parser, which consumes around 600 bytes of stack per filter sent by the client.

In Samba, LDAP packets are parsed pre-authentication.

As an example on Linux x86_64, a LDAP search expression of (|(|(x=y))) will consume over 1k of stack (600 bytes or so per OR).  Therefore, even a fairly small, un-authenticated LDAP packet can cause the server to fault with SIGSEGV as the stack reaches the OS-imposed limit (8MB in this case).

If the network architecture allows a CLDAP packet (to UDP port 389) of over 13,000 bytes (the maximum UDP packet size is 65,535) this would also fit enough ASN.1 to crash the CLDAP server.

Samba 4.11 and later use the 'prefork' process model by default for LDAP, and all versions use single process for CLDAP.

This shares one process between multiple network clients.  By crashing one worker, legitimate service is disrupted to other clients.  The process is restarted in all supported versions, but with a back-off.
Comment 1 Huzaifa S. Sidhpurwala 2020-04-20 04:37:07 UTC 
Acknowledgments:

Name: the Samba project
Comment 3 Huzaifa S. Sidhpurwala 2020-04-20 04:37:13 UTC 
Mitigation:

By default, Samba 4.10 is run using the "standard" process model, which would leave only the CLDAP server affected.  (Later versions use 'prefork').

This is controlled by the -M or --model parameter to the samba binary.

All Samba versions are impacted if -M prefork or -M single is used. To mitigate this issue for LDAP only, select -M standard (however this will use more memory, may allow resource exhaustion, and will still leave the CLDAP server exposed).
Comment 5 Eric Christensen 2020-04-20 17:53:47 UTC 
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux as there is no support for samba as an Active Directory Domain Controller (AD DC). Similarly, the version of samba shipped with Red Hat Gluster Storage 3 is also not supported for use as an AD DC and, thus, is not affected by this vulnerability.
Comment 6 Huzaifa S. Sidhpurwala 2020-04-28 10:21:42 UTC 
External References:

https://www.samba.org/samba/security/CVE-2020-10704.html
Comment 7 Hardik Vyas 2020-04-28 13:47:52 UTC 
Creating tracker bug for fedora-all, upon request from Gunther.
Comment 8 Hardik Vyas 2020-04-28 13:48:14 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1828872]
Note You need to log in before you can comment on or make changes to this bug.