The Samba-Bugzilla – Attachment 16029 Details for Bug 14402: CVE-2020-10760 [SECURITY] Use-after-free in AD DC Global Catalog LDAP server with paged_result or VLV
Description: Advisory v2 with CVE number. Still needs release versions
Filename: CVE-2020-10760-GC-paged-v2.txt
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2020-06-10 05:38:16 UTC
Size: 2.71 KB
===========================================================
== Subject: LDAP Use-after-free in Samba AD DC Global Catalog with
==          paged_results and VLV
==
== CVE ID#: CVE-2020-10760
==
== Versions: All versions of Samba since Samba 4.5.0
==
== Summary: The use of the paged_results or VLV controls against
==          the Global Catalog LDAP server on the AD DC will cause
==          a use-after-free.
===========================================================

===========
Description
===========

Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10
and later reimplemented the paged_results control using similar code.

This code is more memory-efficient, storing only a pointer to the
object, not the returned object. However, this means parts of the
original request must be retained.

When these controls are used by a client that connects to the Global
Catalog server, these modules failed to correctly retain the control
data along with the request, causing a use-after-free and an abort
when this is detected by the talloc library.

NOTE WELL: Unsupported Samba versions before Samba 4.7 use a single
process for the LDAP servers.

All versions of Samba after Samba 4.11 use the 'prefork' process model
to create a shared connection pool. Crashing servers are restarted,
but service is disrupted.


==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.X, 4.11.X and 4.12.X have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

================================
Workaround and mitigating factors
================================

By default, Samba 4.10 is run using the "standard" process model which
is one-process-per-client. (Later versions use 'prefork').

This is controlled by the -M or --model parameter to the samba binary.

All Samba versions are impacted if -M prefork or -M single is used. To
mitigate this issue, select -M standard (however this will use more
memory, and may cause resource exhaustion).

=======
Credits
=======

Originally reported by Andrei Popa <andrei.popa@next-gen.ro> and
another anonymous reporter.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
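The ownership mistake the Description section describes (paged/VLV state keeps a pointer to control data that is owned by the request, and the request is freed before the client asks for the next page) can be shown with a toy parent/child allocator. The following is an added illustration written for this page, not Samba's or talloc's code; the names ctx_new, ctx_free, ctx_steal and control_alive_after_request are hypothetical, and liveness is tracked in a static registry so the dangling case can be observed without reading freed memory.

```c
#include <stdio.h>
#include <stdlib.h>

/*
 * Toy model of a hierarchical allocator with talloc-like ownership:
 * every allocation has a parent context, and freeing a context frees
 * everything still attached beneath it. Nodes live in a static registry
 * (an assumption of this model) so "freed" is a flag, not real memory.
 */
#define MAX_NODES 32

struct ctx {
    const char *name;
    struct ctx *parent;
    int alive;
};

static struct ctx registry[MAX_NODES];
static int n_ctx;

static struct ctx *ctx_new(struct ctx *parent, const char *name)
{
    if (n_ctx >= MAX_NODES)
        return NULL;
    struct ctx *c = &registry[n_ctx++];
    c->name = name;
    c->parent = parent;
    c->alive = 1;
    return c;
}

/* Free a context and, recursively, every live child attached to it. */
static void ctx_free(struct ctx *c)
{
    c->alive = 0;
    for (int i = 0; i < n_ctx; i++) {
        if (registry[i].parent == c && registry[i].alive)
            ctx_free(&registry[i]);
    }
}

/* Reparent a context onto a longer-lived owner (the talloc_steal idea). */
static void ctx_steal(struct ctx *new_parent, struct ctx *c)
{
    c->parent = new_parent;
}

static void ctx_reset(void)
{
    n_ctx = 0;
}

/* Per-connection state kept between pages of a paged or VLV search:
 * it holds a pointer to the control, not a copy of it. */
struct paged_state {
    struct ctx *control;
};

/*
 * Simulate the first page of a search. The control arrives as part of
 * the request, but the paged state must outlive the request because the
 * client returns for the next page. Returns 1 if the control is still
 * alive once the request has been freed, 0 if it was freed with it.
 */
static int control_alive_after_request(int retain_control)
{
    ctx_reset();
    struct ctx *conn = ctx_new(NULL, "connection");
    struct ctx *req  = ctx_new(conn, "search request");
    struct ctx *ctrl = ctx_new(req,  "paged_results control");

    struct paged_state st = { .control = ctrl };

    if (retain_control)
        ctx_steal(conn, ctrl);   /* fixed handling: control follows the state */

    ctx_free(req);               /* request processing is complete */

    int alive = st.control->alive;   /* safe only because nodes are registry slots */
    ctx_free(conn);
    return alive;
}

int main(void)
{
    printf("control owned by the request only: %s\n",
           control_alive_after_request(0) ? "alive" : "freed before the next page");
    printf("control stolen onto the connection: %s\n",
           control_alive_after_request(1) ? "alive" : "freed");
    return 0;
}
```

In a real talloc hierarchy the second read in the unretained case is the use-after-free; talloc's own checks abort the process at that point, which is the crash the advisory rates as an availability impact (A:H). The defensive rule the example encodes is that any pointer stashed in state that outlives the request must be reparented onto (or copied into) a context with the same lifetime as that state.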
Flags: gary: review+