=========================================================== == Subject: LDAP Use-after-free in Samba AD DC Global Catalog with == paged_results and VLV == == CVE ID#: CVE-2020-10760 == == Versions: All versions of Samba since Samba 4.5.0 == == Summary: The use of the paged_results or VLV controls against == the Global Catalog LDAP server on the AD DC will cause == a use-after-free. =========================================================== =========== Description =========== Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10 and later reimplemented the paged_results control using similar code. This code is more memory-efficient, storing only a pointer to the object, not the returned object. However this means parts of the original request must be retained When these controls are used by a client that connects to the Global Catalog server, these modules failed to correctly retain the control data along with the request, causing a use-after-free and an abort when this is detected by the talloc library. NOTE WELL: Unsupported Samba versions before Samba 4.7 use a single process for the LDAP servers. All versions of Samba after Samba 4.11 use the 'prefork' process model to create a shared connection pool. Crashing servers are restarted, but serivce is disrupted. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.10.X, 4.11.X and 4.12.X have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5) ================================ Workaround and mitigating factors ================================ By default, Samba 4.10 is run using the "standard" process model which is one-process-per-client. (Later versions use 'prefork'). This is controlled by the -M or --model parameter to the samba binary. All Samba versions are impacted if -M prefork or -M single is used. To mitigate this issue, select -M standard (however this will use more memory, and may cause resource exhaustion). ======= Credits ======= Originally reported by Andrei Popa and another anonymous reporter. Advisory written by Andrew Bartlett of Catalyst and the Samba Team. Patches provided by Andrew Bartlett of Catalyst and the Samba Team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================