The Samba-Bugzilla – Attachment 15545 Details for Bug 14040: [SECURITY] CVE-2019-14847 dirsync / ranged_results crash
CVE text with 4.11 and -M single (v3)
CVE-2019-14847-dirsync-advisory-03.txt (text/plain), 2.39 KB, created by Douglas Bagnall on 2019-10-15 21:46:27 UTC
>===========================================================
>== Subject:     User with "get changes" permission can
>==              crash AD DC LDAP server via dirsync
>==
>== CVE ID#:     CVE-2019-14847
>==
>== Versions:    Samba 4.0.0 until Samba 4.10.0
>==
>== Summary:     Users with the "get changes" extended access
>==              right can crash the AD DC LDAP server by
>==              requesting an attribute using the range= syntax.
>===========================================================
>
>===========
>Description
>===========
>
>Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync"
>LDAP control specified in MS-ADTS "3.1.1.3.4.1.3
>LDAP_SERVER_DIRSYNC_OID".
>
>However, when combined with the ranged results feature specified in
>MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values" a NULL
>pointer can be de-referenced.
>
>This is a Denial of Service only, no further escalation of privilege
>is associated with this issue.
>
>Samba 4.11 is not affected as the issue was fixed as a result of
>Coverity static analysis, before the potential for denial of service
>became apparent.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba 4.9.15 and 4.10.10 have been issued
>as security releases to correct the defect.  Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.9)
>
>==========================
>Workaround and mitigation.
>==========================
>
>By default, the supported versions of Samba impacted by this issue run
>using the "standard" process model, which is unaffected.
>
>This is controlled by the -M or --model parameter to the samba binary.
>
>Unsupported Samba versions before Samba 4.7 use a single process for
>the LDAP server, and so are impacted.
>
>Samba 4.8, 4.9 and 4.10 are impacted if -M prefork or -M single is
>used.  To mitigate this issue, select -M standard (the default).
>
>=======
>Credits
>=======
>
>Originally reported by Adam Xu
>
>Patches provided and advisory written by Douglas Bagnall and Andrew
>Bartlett of the Samba team and Catalyst.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
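The version and process-model rules from the Patch Availability and Workaround sections above, written out as an added shell example (not part of the advisory and not Samba project code). The function names and status words are assumptions, the version string and command line are passed in as text, and 4.7 is reported as `unstated` because the advisory gives no rule for it.

```shell
#!/bin/sh
# Added example, not Samba project code. Rules come from the advisory text only.
# Function names and the status words printed are assumptions of this example.

# Print the process model named on a samba command line ("standard" if none).
samba_model() {
    model=standard prev=
    for arg in $1; do
        case "$arg" in
            --model=*) model=${arg#--model=} ;;
            -M?*)      model=${arg#-M} ;;
        esac
        case "$prev" in -M|--model) model=$arg ;; esac
        prev=$arg
    done
    printf '%s\n' "$model"
}

# cve_2019_14847_status VERSION CMDLINE
# Prints fixed, affected, mitigated, or unstated (advisory gives no rule).
cve_2019_14847_status() {
    ver=${1#Version }
    case "$ver" in [0-9]*.[0-9]*.[0-9]*) ;; *) echo unstated; return 0 ;; esac
    major=${ver%%.*}; rest=${ver#*.}
    minor=${rest%%.*}; rest=${rest#*.}
    patch=${rest%%[!0-9]*}
    [ "$major" -eq 4 ] || { echo unstated; return 0; }
    # Not affected or security release: 4.11, 4.10.10, 4.9.15.
    if [ "$minor" -ge 11 ] ||
       { [ "$minor" -eq 10 ] && [ "$patch" -ge 10 ]; } ||
       { [ "$minor" -eq 9 ] && [ "$patch" -ge 15 ]; }; then
        echo fixed; return 0
    fi
    # Before 4.7 the LDAP server is single-process whatever -M says.
    [ "$minor" -ge 7 ] || { echo affected; return 0; }
    # 4.7 is not covered by either rule in the advisory.
    [ "$minor" -ge 8 ] || { echo unstated; return 0; }
    case "$(samba_model "$2")" in
        standard)       echo mitigated ;;
        prefork|single) echo affected ;;
        *)              echo unstated ;;
    esac
}

# Constructed input: a 4.10.8 AD DC started with the prefork model.
cve_2019_14847_status "Version 4.10.8" "/usr/sbin/samba -M prefork"
```

A result of `mitigated` means the vulnerable code is still installed and only the process model keeps it out of reach, so the upgrade to a security release still applies.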
Flags: abartlet: review+