Bug 1173159 (CVE-2020-10730)

Summary: VUL-0: CVE-2020-10730: samba: NULL de-reference in AD DC LDAP server when ASQ and VLV combined
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: Novell Samba Team <samba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: atoptsoglou, meissner, smash_bz
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/261851/
Whiteboard:
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 3 Marcus Meissner 2020-07-02 09:26:04 UTC
is now public.

https://www.samba.org/samba/security/CVE-2020-10730.html


CVE-2020-10730.html

===========================================================
== Subject:     NULL pointer de-reference and use-after-free
==              in Samba AD DC LDAP Server with ASQ, VLV and
==              paged_results
==
== CVE ID#:     CVE-2020-10730
==
== Versions:    Samba 4.5.0 and later
==
== Summary:     A client combining the 'ASQ' and 'VLV' LDAP
==              controls can cause a NULL pointer de-reference and
==		further combinations with the LDAP paged_results
==		feature can give a use-after-free in Samba's AD DC
==		LDAP server.
===========================================================

===========
Description
===========

Samba has, since Samba 4.5, supported the VLV Active Directory LDAP
feature, to allow clients to obtain 'virtual list views' of search
results against a Samba AD DC using an LDAP control.

The combination of this control, and the ASQ control combines to allow
an authenticated user to trigger a NULL-pointer de-reference.  It is
also possible to trigger a use-after-free, both as the code is very
similar to that addressed by CVE-2020-10700 and due to the way
errors are handled in the dsdb_paged_results module since Samba 4.10.


==================
Patch Availability
==================

Patches addressing both of these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11 and 4.12.4 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

=========================
Workaround and mitigation
=========================

None.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett and Gary Lockyer of Catalyst and
the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 5 Swamp Workflow Management 2020-07-14 19:19:04 UTC
SUSE-SU-2020:1913-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-07-17 16:14:21 UTC
SUSE-SU-2020:1948-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ldb-2.0.12-3.3.1, samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-07-18 04:13:58 UTC
openSUSE-SU-2020:0984-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.343.4bc358522a9-lp151.2.27.1
Comment 9 Swamp Workflow Management 2020-07-21 05:15:19 UTC
openSUSE-SU-2020:1023-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.3.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.3.1
Comment 10 Swamp Workflow Management 2020-07-29 13:18:12 UTC
SUSE-SU-2020:2067-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173159
CVE References: CVE-2020-10730
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    ldb-1.4.6-3.5.2
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    ldb-1.4.6-3.5.2

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 11 Swamp Workflow Management 2020-08-01 19:12:32 UTC
openSUSE-SU-2020:1121-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173159
CVE References: CVE-2020-10730
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    ldb-1.4.6-lp151.2.3.1
Comment 12 Marcus Meissner 2020-08-12 08:23:01 UTC
released
Comment 13 Swamp Workflow Management 2020-09-01 16:23:14 UTC
openSUSE-SU-2020:1313-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.6.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.6.1
Comment 15 Swamp Workflow Management 2020-09-17 19:15:35 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.