Bug 1173161 - (CVE-2020-10760) VUL-0: CVE-2020-10760: samba: Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assigned To: Novell Samba Team
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/261853/
Reported: 2020-06-19 12:33 UTC by Marcus Meissner
Modified: 2021-08-09 15:21 UTC (History)

Found By: Security Response Team
Comment 2 Marcus Meissner 2020-07-02 09:27:06 UTC
is now public

https://www.samba.org/samba/security/CVE-2020-10760.html

===========================================================
== Subject:     LDAP Use-after-free in Samba AD DC Global Catalog with
==              paged_results and VLV
==
== CVE ID#:     CVE-2020-10760
==
== Versions:    All versions of Samba since Samba 4.5.0
==
== Summary:     The use of the paged_results or VLV controls against
==              the Global Catalog LDAP server on the AD DC will cause
==              a use-after-free.
===========================================================

===========
Description
===========

Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10
and later reimplemented the paged_results control using similar code.

This code is more memory-efficient, storing only a pointer to the
object, not the returned object.  However this means parts of the
original request must be retained.

When these controls are used by a client that connects to the Global
Catalog server, these modules failed to correctly retain the control
data along with the request, causing a use-after-free and an abort
when this is detected by the talloc library.

NOTE WELL: Unsupported Samba versions before Samba 4.7 use a single
process for the LDAP servers.

All versions of Samba after Samba 4.11 use the 'prefork' process model
to create a shared connection pool.  Crashing servers are restarted,
but service is disrupted.


==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11 and 4.12.4 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

================================
Workaround and mitigating factors
================================

By default, Samba 4.10 is run using the "standard" process model which
is one-process-per-client.  (Later versions use 'prefork').

This is controlled by the -M or --model parameter to the samba binary.

All Samba versions are impacted if -M prefork or -M single is used. To
mitigate this issue, select -M standard (however this will use more
memory, and may cause resource exhaustion).

=======
Credits
=======

Originally reported by Andrei Popa <andrei.popa@next-gen.ro> and
another anonymous reporter.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
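Added triage helper for the advisory above. This is example code written for this bug page; it is not part of the Samba advisory, the Samba project, or the SUSE update. Only the facts come from the advisory: the upstream security releases 4.10.17, 4.11.11 and 4.12.4; the default process model ("standard" on 4.10, "prefork" on later versions); and "-M standard" as the mitigation. The function names, return codes, the way a packaged version string is reduced to its upstream prefix, and the optional live check (which assumes "samba -V" prints a line starting with "Version " and that ps accepts -C and -o args=) are this example's own assumptions, and the command lines in the comments are constructed.

```shell
#!/bin/sh
# Added triage helper for CVE-2020-10760 (example code, not from the Samba
# advisory or the SUSE update). Thresholds are taken from the advisory;
# everything about how the checks are wired together is an assumption.

# Reduce a packaged version string such as "4.11.11+git.180.2cf3b203f07-4.5.1"
# to its upstream "major.minor.patch" prefix. Prints nothing if none exists.
samba_base_version() {
    printf '%s\n' "$1" |
        sed -n 's/^\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2.\3/p'
}

# Exit status: 0 = fixed upstream (or outside the affected 4.5+ range),
# 1 = vulnerable, 2 = branch without an upstream security release (4.5 to
# 4.9) or unparseable input.
# Caveat: distribution backports (SUSE's 4.9.5+git... above) carry the fix
# without a version bump; for those, trust the vendor advisory, not this.
cve_2020_10760_fixed() {
    v=$(samba_base_version "$1")
    [ -n "$v" ] || return 2
    maj=${v%%.*}; rest=${v#*.}; min=${rest%%.*}; pat=${rest#*.}
    # 3.x predates the bug; anything above 4.x would postdate the fix
    if [ "$maj" -ne 4 ]; then return 0; fi
    case $min in
        10) [ "$pat" -ge 17 ] ;;
        11) [ "$pat" -ge 11 ] ;;
        12) [ "$pat" -ge 4 ] ;;
        *)
            if [ "$min" -gt 12 ] || [ "$min" -lt 5 ]; then return 0; fi
            return 2 ;;
    esac
}

# Print the process model chosen on a samba command line, accepting
# "-M prefork", "-Mprefork", "--model prefork" and "--model=prefork",
# or "default" when none is given.
process_model() {
    printf '%s\n' "$1" | awk '{
        m = "default"
        for (i = 1; i <= NF; i++) {
            if ($i == "-M" || $i == "--model")  m = $(i + 1)
            else if ($i ~ /^--model=/)         { sub(/^--model=/, "", $i); m = $i }
            else if ($i ~ /^-M./)              { sub(/^-M/, "", $i); m = $i }
        }
        print m
    }'
}

# Default model per the advisory: "standard" up to 4.10, "prefork" from 4.11.
default_model() {
    v=$(samba_base_version "$1"); rest=${v#*.}; min=${rest%%.*}
    if [ "${min:-0}" -ge 11 ]; then echo prefork; else echo standard; fi
}

# Exit 0 when the effective model is "standard", i.e. the talloc abort only
# takes down the one client's process; prefork/single lose the shared pool.
model_is_mitigating() {
    m=$(process_model "$2")
    [ "$m" = default ] && m=$(default_model "$1")
    [ "$m" = standard ]
}

# Optional live check on the host; enabled only with SAMBA_CVE_LIVE=1.
# Assumes "samba -V" prints "Version X.Y.Z..." and ps supports -C / -o args=.
live_check() {
    ver=$(samba -V 2>/dev/null | sed -n 's/^Version //p')
    cmd=$(ps -o args= -C samba 2>/dev/null | head -n 1)
    rc=0; cve_2020_10760_fixed "$ver" || rc=$?
    case $rc in
        0) echo "samba $ver: fixed upstream" ;;
        1) echo "samba $ver: VULNERABLE, upgrade to 4.10.17 / 4.11.11 / 4.12.4 or later" ;;
        2) echo "samba $ver: no upstream security release for this branch; check the vendor backport" ;;
    esac
    m=$(process_model "$cmd"); [ "$m" = default ] && m=$(default_model "$ver")
    if model_is_mitigating "$ver" "$cmd"; then
        echo "process model: $m (a crash affects one client connection only)"
    else
        echo "process model: $m (a crash disrupts the shared LDAP service; consider -M standard)"
    fi
}
case ${SAMBA_CVE_LIVE:-} in 1) live_check ;; esac
```

The version check deliberately reports the 4.5 to 4.9 branches as "no upstream release" rather than "fixed" or "vulnerable": as the SUSE updates in this bug show, a 4.9.5-based package can carry the fix as a backport, so only the vendor advisory can answer for those.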
Comment 4 Swamp Workflow Management 2020-07-14 19:19:16 UTC
SUSE-SU-2020:1913-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-07-17 16:14:33 UTC
SUSE-SU-2020:1948-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ldb-2.0.12-3.3.1, samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-07-18 04:14:10 UTC
openSUSE-SU-2020:0984-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.343.4bc358522a9-lp151.2.27.1
Comment 8 Swamp Workflow Management 2020-07-21 05:15:32 UTC
openSUSE-SU-2020:1023-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.3.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.3.1
Comment 9 Swamp Workflow Management 2020-09-01 16:23:27 UTC
openSUSE-SU-2020:1313-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.6.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.6.1
Comment 10 Marcus Meissner 2021-08-09 15:21:41 UTC
released