Bugzilla – Bug 1169850
VUL-0: CVE-2020-10700: samba: Use-after-free in AD DC LDAP server when ASQ and paged_results combined
Last modified: 2020-10-21 09:26:54 UTC
now public through https://www.samba.org/samba/security/CVE-2020-10700.html CVE-2020-10700.html =========================================================== == Subject: Use-after-free in Samba AD DC LDAP Server with ASQ == == CVE ID#: CVE-2020-10700 == == Versions: Samba 4.10.0 and later == == Summary: A client combining the 'ASQ' and 'Paged Results' LDAP controls can cause a use-after-free in Samba's AD DC LDAP server =========================================================== =========== Description =========== Samba has, since Samba 4.0, supported the Paged Results LDAP feature, to allow clients to obtain pages of search results against a Samba AD DC using an LDAP control. Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been in place in this module, to age out old client requests if more than 10 such requests are outstanding. A rewrite of the module for more efficient memory handling in Samba 4.11 changed the module behaviour, and combined with the above to introduce the use-after-free. The use-after-free occurs when the 'Paged Results' control is combined with the 'ASQ' control, another Active Directory LDAP feature. ================== Patch Availability ================== Patches addressing both of these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.10.15, 4.11.8 and 4.12.2 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1:AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (5.3) ================================ Workaround or mitigating factors ================================ The crash is hard to trigger, and relies in particular on the chain of child and grandchild links being queried with ASQ. Malicious users without write access will need to find a suitable chain within the existing directory layout. ======= Credits ======= Originally reported by Andrei Popa . Patches provided by Andrew Bartlett of Catalyst and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
Closing
SUSE-SU-2020:1948-1: An update that solves 6 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120 CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 Sources used: SUSE Linux Enterprise Module for Python2 15-SP2 (src): samba-4.11.11+git.180.2cf3b203f07-4.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): ldb-2.0.12-3.3.1, samba-4.11.11+git.180.2cf3b203f07-4.5.1 SUSE Linux Enterprise High Availability 15-SP2 (src): samba-4.11.11+git.180.2cf3b203f07-4.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1023-1: An update that solves 6 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120 CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 Sources used: openSUSE Leap 15.2 (src): ldb-2.0.12-lp152.2.3.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.3.1
openSUSE-SU-2020:1313-1: An update that solves 6 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120 CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 JIRA References: Sources used: openSUSE Leap 15.2 (src): ldb-2.0.12-lp152.2.6.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.6.1
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available. Category: security (important) Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120 CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1 SUSE Linux Enterprise Server 12-SP5 (src): ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1 SUSE Linux Enterprise High Availability 12-SP5 (src): samba-4.10.17+git.203.862547088ca-3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.