1941400 – (CVE-2020-27840) CVE-2020-27840 samba: Heap corruption via crafted DN strings

Bug 1941400 (CVE-2020-27840) - CVE-2020-27840 samba: Heap corruption via crafted DN strings

Summary: CVE-2020-27840 samba: Heap corruption via crafted DN strings

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-27840
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1942496
Blocks:	1941401 1942874
TreeView+	depends on / blocked

Reported:	2021-03-22 05:02 UTC by Huzaifa S. Sidhpurwala
Modified:	2021-03-26 14:43 UTC (History)
CC List:	16 users (show)
Fixed In Version:	samba 4.14.1, samba 4.13.6, samba 4.12.13
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in samba. Spaces used in a string around a domain name (DN), while supposed to be ignored, can cause invalid DN strings with spaces to instead write a zero-byte into out-of-bounds memory, resulting in a crash. The highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed:	2021-03-25 17:35:12 UTC
Embargoed:

Attachments	(Terms of Use)

Description Huzaifa S. Sidhpurwala 2021-03-22 05:02:09 UTC

As per upstream:

A DN may be represented in string form with arbitrary amounts of space around the component values. These spaces are supposed to be ignored, but invalid DNs strings with spaces may instead cause a zero byte to
be written into out-of-bounds memory.

An LDAP bind request can send a string DN as a username. This DN is necessarily parsed before the password is checked, so an attacker without real credentials can anonymously trigger this bug.

The location of zero byte is a negative offset relative to the location of a dynamically allocated heap buffer; the exact offset depends on the DN string. While it is possible for an attacker to cause non-fatal data corruption, usefully targeting this is likely to be difficult and the most likely outcome is a crash.

The affected parsing routine is widely used. LDAP bind is not the only way to trigger the bug remotely, though it appears to be the only unauthenticated method.

Comment 1 Huzaifa S. Sidhpurwala 2021-03-22 05:02:13 UTC

Acknowledgments:

Name: the Samba Project
Upstream: Douglas Bagnall (Catalyst and the Samba Team)

Comment 3 Guilherme de Almeida Suckevicz 2021-03-24 13:16:14 UTC

Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1942496]

Comment 4 Huzaifa S. Sidhpurwala 2021-03-24 13:51:50 UTC

External References:

https://www.samba.org/samba/security/CVE-2020-27840.html

Comment 6 Product Security DevOps Team 2021-03-25 17:35:12 UTC

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-27840

Comment 7 Hardik Vyas 2021-03-26 14:09:49 UTC

Statement:

This flaw does not affect the version of Samba shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage 3 because there is no support for Samba as Active Directory Domain Controller.

Note You need to log in before you can comment on or make changes to this bug.