The Samba-Bugzilla – Attachment 15884 Details for Bug 14331: CVE-2020-10700 [SECURITY] Use-after-free in AD DC LDAP server when ASQ and paged_results combined
First draft ASQ Advisory
ASQ-security-advisory.txt (text/plain), 2.14 KB, created by Andrew Bartlett on 2020-03-31 22:52:34 UTC

Description: First draft ASQ Advisory
Filename: ASQ-security-advisory.txt
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2020-03-31 22:52:34 UTC
Size: 2.14 KB
===========================================================
== Subject: Use-after-free in Samba AD DC LDAP Server with ASQ
==
== CVE ID#:
==
== Versions: Samba 4.10.0 and later
==
== Summary: A client combining the 'ASQ' and 'Paged Results' LDAP
            controls can cause a use-after-free in Samba's AD DC
            LDAP server
===========================================================

===========
Description
===========

Samba has, since Samba 4.0, supported the Paged Results LDAP feature,
to allow clients to obtain pages of search results against a Samba AD
DC using an LDAP control.

Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been
in place in this module, to age out old client requests if more than
10 such requests are outstanding.

A rewrite of the module for more efficient memory handling in Samba
4.11 changed the module behaviour, and combined with the above to
introduce the use-after-free. The use-after-free occurs when the
'Paged Results' control is combined with the 'ASQ' control, another
Active Directory LDAP feature.


==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (5.3)

=========================
Workaround or mitigations
=========================

The crash is hard to trigger, and relies in particular on the chain of
child and grandchild links being queried with ASQ. Users without
write access would have to find a suitable chain within the existing
directory layout.

=======
Credits
=======

Originally reported by Andrei Popa <andrei.popa@next-gen.ro>.

Patches provided by Andrew Bartlett of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================