Bug 1095056 - (CVE-2018-1140) VUL-0: CVE-2018-1140: samba: ldbsearch '(distinguishedName=abc)' crashes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: James McDonough
Security Team bot
https://smash.suse.de/issue/206645/
CVSSv3:SUSE:CVE-2018-1140:7.5:(AV:N/A...
Reported: 2018-05-29 14:34 UTC by Marcus Meissner
Modified: 2018-12-03 15:43 UTC
Found By: Security Response Team
Comment 9 Marcus Meissner 2018-08-14 09:03:09 UTC
is public

https://www.samba.org/samba/security/CVE-2018-1140.html


CVE-2018-1140.html

====================================================================
== Subject:     Denial of Service Attack on DNS and LDAP server
==
== CVE ID#:     CVE-2018-1140
==
== Versions:    All versions of Samba from 4.8.0 onwards.
==
== Summary:     Missing null pointer checks may crash the Samba AD
==              DC, both over DNS and LDAP
==
====================================================================

===========
Description
===========

All versions of Samba from 4.8.0 onwards are vulnerable to a denial of
service attack when Samba is an Active Directory Domain Controller.

Missing input sanitization checks on some of the input parameters to
the LDB database layer cause the LDAP server and DNS server to crash
when following a NULL pointer.

There is no further vulnerability associated with this error, merely a
denial of service.  

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.8.4, LDB 1.4.1 and 1.3.5 have been issued as a
security release to correct the defect.  Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

No workaround is possible while acting as a Samba AD DC.

Disabling the 'dns' and 'ldap' services in the smb.conf (eg 'server
services = -dns -ldap') would remove essential elements in the AD DC.

The use of BIND9_DLZ (loading a DLZ .so for LDB database access into
the BIND 9 DNS server) is subject to the same issue.

=======
Credits
=======

The initial bugs were found by Laurent Debomy (DNS) and Andrej
Gessel (LDB).  Kai Blin of the Samba Team, Garming Sam, Douglas
Bagnall and Andrew Bartlett of Catalyst and the Samba Team did the
investigation and provided the final fix.
Comment 10 Swamp Workflow Management 2018-08-14 13:08:11 UTC
SUSE-SU-2018:2318-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
Comment 11 Swamp Workflow Management 2018-08-17 10:12:53 UTC
openSUSE-SU-2018:2400-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
openSUSE Leap 15.0 (src):    samba-4.7.8+git.86.94b6d10f7dd-lp150.3.6.1
Comment 12 James McDonough 2018-10-01 10:02:53 UTC
shipped