===========================================================
== Subject:     NULL pointer de-reference in Samba AD DC
==              LDAP Server with ASQ
==
== CVE ID#:     CVE-2020-XXXX
==
== Versions:    Samba 4.5.0 and later
==
== Summary:     A client combining the 'ASQ' and 'VLV' LDAP
==              controls can trigger a NULL pointer
==              de-reference (and possibly a use-after-free)
==              in Samba's AD DC LDAP server
===========================================================

===========
Description
===========

Samba has, since Samba 4.5, supported the VLV Active Directory LDAP
feature, which allows clients to obtain 'virtual list views' of search
results against a Samba AD DC using an LDAP control.

The combination of this control with the ASQ control allows an
authenticated user to trigger a NULL-pointer de-reference. It may also
be possible to trigger a use-after-free, as the code is very similar to
that addressed by CVE-2020-10700.

==================
Patch Availability
==================

Patches addressing both of these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.X, 4.11.X and 4.12.X have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

=========================
Workaround and mitigation
=========================

None.

The possible use-after-free is considered hard to trigger, and relies
in particular on the chain of child and grandchild links being queried
with ASQ. Malicious users without write access will need to find a
suitable chain within the existing directory layout.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================