The Samba-Bugzilla – Attachment 15934 Details for Bug 14331
CVE-2020-10700 [SECURITY] Use-after-free in AD DC LDAP server when ASQ and paged_results combined
Advisory v3 with fixed typos
Filename: CVE-2020-10700-ASQ-advisory-v3.txt
MIME Type: text/plain
Creator: Karolin Seeger
Created: 2020-04-20 06:42:58 UTC
Size: 2.20 KB
===========================================================
== Subject:     Use-after-free in Samba AD DC LDAP Server with ASQ
==
== CVE ID#:     CVE-2020-10700
==
== Versions:    Samba 4.10.0 and later
==
== Summary:     A client combining the 'ASQ' and 'Paged Results' LDAP
                controls can cause a use-after-free in Samba's AD DC
                LDAP server
===========================================================

===========
Description
===========

Samba has, since Samba 4.0, supported the Paged Results LDAP feature,
to allow clients to obtain pages of search results against a Samba AD
DC using an LDAP control.

Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been
in place in this module, to age out old client requests if more than
10 such requests are outstanding.

A rewrite of the module for more efficient memory handling in Samba
4.11 changed the module behaviour, and combined with the above to
introduce the use-after-free. The use-after-free occurs when the
'Paged Results' control is combined with the 'ASQ' control, another
Active Directory LDAP feature.


==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.15, 4.11.8 and 4.12.2 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (5.3)

================================
Workaround or mitigating factors
================================

The crash is hard to trigger, and relies in particular on the chain of
child and grandchild links being queried with ASQ. Malicious users
without write access will need to find a suitable chain within the
existing directory layout.

=======
Credits
=======

Originally reported by Andrei Popa <andrei.popa@next-gen.ro>.

Patches provided by Andrew Bartlett of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
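The "Versions" and "Patch Availability" sections together define the affected range: 4.10.0 and later, fixed in 4.10.15, 4.11.8 and 4.12.2 on their respective branches. The check below is an added example (not code from the advisory or from Samba) for turning those statements into a version test; it exists mainly to show the mistake a single threshold comparison makes, since 4.11.7 sorts above 4.10.15 yet is still vulnerable. The `parse_version` and `is_affected` names, the sample version strings, and the assumption that branches newer than 4.12 were cut after the fix are all the example's own.

```python
"""Decide whether a Samba version string falls inside the affected range
stated in the CVE-2020-10700 advisory.

Added example; the advisory does not ship this code. The version numbers
below are copied from the advisory text.
"""
import re

FIRST_AFFECTED = (4, 10, 0)  # "Versions: Samba 4.10.0 and later"

# Security releases named in the advisory, keyed by release branch.
FIXED_IN = {
    (4, 10): (4, 10, 15),
    (4, 11): (4, 11, 8),
    (4, 12): (4, 12, 2),
}


def parse_version(text):
    """Extract a (major, minor, patch) tuple from strings such as the output
    of `smbd -V` ("Version 4.11.6-Ubuntu") or a bare "4.12.2"."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(part) for part in m.groups())


def is_affected(text):
    """True if the version lies in the advisory's affected range.

    A plain `version >= (4, 10, 15)` test would be wrong: each branch has
    its own fix release, so 4.11.7 is newer than 4.10.15 and still
    vulnerable, while 4.10.15 is older than 4.11.7 and fixed.
    """
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return False
    branch = version[:2]
    if branch in FIXED_IN:
        return version < FIXED_IN[branch]
    # Branch not named in the advisory (4.13 and later): assumed to have been
    # released after the fix landed. This is the example's assumption, not a
    # statement from the advisory.
    return False


if __name__ == "__main__":
    # Constructed sample strings in the shape `smbd -V` prints.
    for sample in ("Version 4.9.18", "Version 4.10.15", "Version 4.11.7",
                   "Version 4.11.8", "Version 4.12.1-Debian"):
        print("%-24s affected=%s" % (sample, is_affected(sample)))
```

The `-Ubuntu` / `-Debian` suffix in the sample strings is the reason the version number alone is not the last word: distributions often backport the fix into an older package version without changing the upstream number, so on packaged systems the package changelog or the vendor's security tracker, not `smbd -V`, decides whether the patch is present.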
Flags: abartlet: review+