Bug 1849489 (CVE-2020-10730) - CVE-2020-10730 samba: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results
Summary: CVE-2020-10730 samba: NULL pointer de-reference and use-after-free in Samba ...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-10730
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1849615 1849613 1849979 1853255
Blocks: 1849490
TreeView+ depends on / blocked
 
Reported: 2020-06-22 04:53 UTC by Huzaifa S. Sidhpurwala
Modified: 2020-07-23 07:27 UTC (History)
14 users (show)

Fixed In Version: samba 4.10.17, samba 4.11.11, samba 4.12.4
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference, or possible use-after-free flaw was found in the Samba AD LDAP server. Although some versions of Samba shipped with Red Hat Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package. This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-07-23 07:27:36 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3118 None None None 2020-07-23 04:37:19 UTC
Red Hat Product Errata RHSA-2020:3119 None None None 2020-07-23 04:36:53 UTC
Samba Project 14364 None None None 2020-06-22 15:15:23 UTC

Description Huzaifa S. Sidhpurwala 2020-06-22 04:53:01 UTC
As per upstream advisory:

Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control.

The combination of this control, and the ASQ control combines to allow an authenticated user to trigger a NULL-pointer de-reference.  It is also possible to trigger a use-after-free, both as the code is very similar to that addressed by CVE-2020-10700 and due to the way errors are handled in the dsdb_paged_results module since Samba 4.10.

Comment 1 Huzaifa S. Sidhpurwala 2020-06-22 04:53:05 UTC
Acknowledgments:

Name: the Samba project
Upstream: Andrew Bartlett

Comment 3 Hardik Vyas 2020-06-23 10:39:37 UTC
Statement:

The version of samba shipped with Red Hat Gluster Storage 3 is built with a private copy of ldb which includes the vulnerable code. However, samba shipped with RHGS 3 is not supported for use as an AD DC and hence this issue has been rated as having a security impact of Low.

Comment 5 Huzaifa S. Sidhpurwala 2020-07-02 09:30:53 UTC
External References:

https://www.samba.org/samba/security/CVE-2020-10730.html

Comment 6 Huzaifa S. Sidhpurwala 2020-07-02 09:32:07 UTC
Created libldb tracking bugs for this issue:

Affects: fedora-all [bug 1853255]

Comment 8 errata-xmlrpc 2020-07-23 04:36:51 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2020:3119 https://access.redhat.com/errata/RHSA-2020:3119

Comment 9 errata-xmlrpc 2020-07-23 04:37:18 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2020:3118 https://access.redhat.com/errata/RHSA-2020:3118

Comment 10 Product Security DevOps Team 2020-07-23 07:27:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-10730


Note You need to log in before you can comment on or make changes to this bug.