Bugzilla – Bug 1173159
VUL-0: CVE-2020-10730: samba: NULL de-reference in AD DC LDAP server when ASQ and VLV combined
Last modified: 2020-09-17 19:15:35 UTC
is now public. https://www.samba.org/samba/security/CVE-2020-10730.html CVE-2020-10730.html =========================================================== == Subject: NULL pointer de-reference and use-after-free == in Samba AD DC LDAP Server with ASQ, VLV and == paged_results == == CVE ID#: CVE-2020-10730 == == Versions: Samba 4.5.0 and later == == Summary: A client combining the 'ASQ' and 'VLV' LDAP == controls can cause a NULL pointer de-reference and == further combinations with the LDAP paged_results == feature can give a use-after-free in Samba's AD DC == LDAP server. =========================================================== =========== Description =========== Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control. The combination of this control, and the ASQ control combines to allow an authenticated user to trigger a NULL-pointer de-reference. It is also possible to trigger a use-after-free, both as the code is very similar to that addressed by CVE-2020-10700 and due to the way errors are handled in the dsdb_paged_results module since Samba 4.10. ================== Patch Availability ================== Patches addressing both of these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.10.17, 4.11.11 and 4.12.4 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5) ========================= Workaround and mitigation ========================= None. ======= Credits ======= Originally reported by Andrew Bartlett of Catalyst and the Samba Team. Patches provided by Andrew Bartlett and Gary Lockyer of Catalyst and the Samba Team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
SUSE-SU-2020:1913-1: An update that solves four vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1171437,1172307,1173159,1173160,1173161,1173359 CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 Sources used: SUSE Linux Enterprise Module for Python2 15-SP1 (src): samba-4.9.5+git.343.4bc358522a9-3.38.1 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): samba-4.9.5+git.343.4bc358522a9-3.38.1 SUSE Linux Enterprise High Availability 15-SP1 (src): samba-4.9.5+git.343.4bc358522a9-3.38.1 SUSE Enterprise Storage 6 (src): samba-4.9.5+git.343.4bc358522a9-3.38.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:1948-1: An update that solves 6 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120 CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 Sources used: SUSE Linux Enterprise Module for Python2 15-SP2 (src): samba-4.11.11+git.180.2cf3b203f07-4.5.1 SUSE Linux Enterprise Module for Basesystem 15-SP2 (src): ldb-2.0.12-3.3.1, samba-4.11.11+git.180.2cf3b203f07-4.5.1 SUSE Linux Enterprise High Availability 15-SP2 (src): samba-4.11.11+git.180.2cf3b203f07-4.5.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0984-1: An update that solves four vulnerabilities and has two fixes is now available. Category: security (important) Bug References: 1171437,1172307,1173159,1173160,1173161,1173359 CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 Sources used: openSUSE Leap 15.1 (src): samba-4.9.5+git.343.4bc358522a9-lp151.2.27.1
openSUSE-SU-2020:1023-1: An update that solves 6 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120 CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 Sources used: openSUSE Leap 15.2 (src): ldb-2.0.12-lp152.2.3.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.3.1
SUSE-SU-2020:2067-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1173159 CVE References: CVE-2020-10730 JIRA References: Sources used: SUSE Linux Enterprise Module for Python2 15-SP1 (src): ldb-1.4.6-3.5.2 SUSE Linux Enterprise Module for Basesystem 15-SP1 (src): ldb-1.4.6-3.5.2 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:1121-1: An update that fixes one vulnerability is now available. Category: security (moderate) Bug References: 1173159 CVE References: CVE-2020-10730 JIRA References: Sources used: openSUSE Leap 15.1 (src): ldb-1.4.6-lp151.2.3.1
released
openSUSE-SU-2020:1313-1: An update that solves 6 vulnerabilities and has 7 fixes is now available. Category: security (important) Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120 CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 JIRA References: Sources used: openSUSE Leap 15.2 (src): ldb-2.0.12-lp152.2.6.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.6.1
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available. Category: security (important) Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120 CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303 JIRA References: Sources used: SUSE Linux Enterprise Software Development Kit 12-SP5 (src): ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1 SUSE Linux Enterprise Server 12-SP5 (src): ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1 SUSE Linux Enterprise High Availability 12-SP5 (src): samba-4.10.17+git.203.862547088ca-3.14.1 NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.