=========================================================== == Subject: NULL pointer de-reference and use-after-free == in Samba AD DC LDAP Server with ASQ, VLV and == paged_results == == CVE ID#: CVE-2020-10730 == == Versions: Samba 4.5.0 and later == == Summary: A client combining the 'ASQ' and 'VLV' LDAP == controls can cause a NULL pointer de-reference and == futher combinations with the LDAP paged_results == feature can give a use-after-free in Samba's AD DC == LDAP server. =========================================================== =========== Description =========== Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control. The combination of this control, and the ASQ control combines to allow an authenticated user to trigger a NULL-pointer de-reference. It is also possible to trigger a use-after-free, both as the code is very similar to that addressed by CVE-2020-10700 and due to the way errors are handled in the dsdb_paged_results module since Samba 4.10. ================== Patch Availability ================== Patches addressing both of these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.10.17, 4.11.10 and 4.12.4 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5) ========================= Workaround and mitigation ========================= None. ======= Credits ======= Originally reported by Andrew Bartlett of Catalyst and the Samba Team Patches provided by Andrew Bartlett and Gary Lockyer of Catalyst and the Samba Team ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================