Bug 1154598 (CVE-2019-14847)

Summary: VUL-1: CVE-2019-14847: samba: dirsync / ranged_results crash
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: The 'Opening Windows to a Wider World' guys <samba-maintainers>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Minor    
Priority: P4 - Low CC: nopower, scabrero, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/245460/
Whiteboard: CVSSv3:SUSE:CVE-2019-14847:4.9:(AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 2 Marcus Meissner 2019-10-29 10:39:29 UTC
is public

https://www.samba.org/samba/security/CVE-2019-14847.html



CVE-2019-14847.html

===========================================================
== Subject:     User with "get changes" permission can
==              crash AD DC LDAP server via dirsync
==
== CVE ID#:     CVE-2019-14847
==
== Versions:    Samba 4.0.0 until Samba 4.10.9
==
== Summary:     Users with the "get changes" extended access
==              right can crash the AD DC LDAP server by
==              requesting an attribute using the range= syntax.
===========================================================

===========
Description
===========

Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync"
LDAP control specified in MS-ADTS "3.1.1.3.4.1.3
LDAP_SERVER_DIRSYNC_OID".

However, when combined with the ranged results feature specified in
MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values" a NULL
pointer is can be de-referenced.

This is a Denial of Service only, no further escalation of privilege
is associated with this issue.

Samba 4.11 is not affected as the issue was fixed as a result of
Coverity static analysis, before the potential for denial of service
became apparent.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.9.15 and 4.10.10 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.9)

==========================
Workaround and mitigation. 
==========================

By default, the supported versions of Samba impacted by this issue run
using the "standard" process model, which is unaffected.

This is controlled by the -M or --model parameter to the samba binary.

Unsupported Samba versions before Samba 4.7 use a single process for
the LDAP server, and so are impacted.

Samba 4.8, 4.9 and 4.10 are impacted if -M prefork or -M single is
used. To mitigate this issue, select -M standard (the default).

=======
Credits
=======

Originally reported by Adam Xu

Patches provided and advisory written by Douglas Bagnall and Andrew
Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 3 Swamp Workflow Management 2019-10-30 20:13:39 UTC
SUSE-SU-2019:2866-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1144902,1148539,1152143,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.210.ab0549acb05-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 4 Swamp Workflow Management 2019-10-30 20:15:24 UTC
SUSE-SU-2019:2868-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1125601,1127153,1130245,1134452,1144902,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.186.d75219614c3-4.30.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 5 Samuel Cabrero 2019-11-04 09:56:59 UTC
Reassign to security team for check and close.
Comment 6 Swamp Workflow Management 2019-11-05 20:17:55 UTC
openSUSE-SU-2019:2442-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1144902,1148539,1152143,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.210.ab0549acb05-lp151.2.9.1
Comment 7 Swamp Workflow Management 2019-11-09 17:14:11 UTC
openSUSE-SU-2019:2458-1: An update that solves three vulnerabilities and has four fixes is now available.

Category: security (important)
Bug References: 1125601,1127153,1130245,1134452,1144902,1154289,1154598
CVE References: CVE-2019-10218,CVE-2019-14833,CVE-2019-14847
Sources used:
openSUSE Leap 15.0 (src):    samba-4.7.11+git.186.d75219614c3-lp150.3.18.2
Comment 10 Marcus Meissner 2020-02-05 09:51:31 UTC
released

sle12 does not have the AD support enabled -> not affected
Comment 12 Swamp Workflow Management 2020-09-17 19:14:42 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.