===========================================================
== Subject:     Use-after-free in Samba AD DC LDAP Server with ASQ
==
== CVE ID#:
==
== Versions:    Samba 4.10.0 and later
==
== Summary:     A client combining the 'ASQ' and 'Paged Results' LDAP
==              controls can cause a use-after-free in Samba's AD DC
==              LDAP server
===========================================================

===========
Description
===========

Samba has, since Samba 4.0, supported the Paged Results LDAP feature,
to allow clients to obtain pages of search results against a Samba AD DC
using an LDAP control.

Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been in
place in this module, to age out old client requests if more than 10
such requests are outstanding.

A rewrite of the module for more efficient memory handling in Samba 4.11
changed the module behaviour, and combined with the above to introduce
the use-after-free.

The use-after-free occurs when the 'Paged Results' control is combined
with the 'ASQ' control, another Active Directory LDAP feature.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect. Samba administrators are advised to upgrade to these
releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (5.3)

=========================
Workaround or mitigations
=========================

The crash is hard to trigger, and relies in particular on the chain of
child and grandchild links being queried with ASQ. Users without write
access would have to find a suitable chain within the existing directory
layout.

=======
Credits
=======

Originally reported by Andrei Popa.

Patches provided by Andrew Bartlett of Catalyst and the Samba team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================