===========================================================
== Subject:     Heap corruption via crafted DN strings
==
== CVE ID#:     CVE-2020-27840
==
== Versions:    All Samba versions since Samba 4.0.0
==
== Summary:     A crafted packet can cause anonymous remote
==              heap corruption on the Samba AD DC LDAP server.
==              This can trivially cause a denial of service;
==              worse consequences are possible.
===========================================================

===========
Description
===========

Due to an error in the function that parses the string representation
of DNs, certain DNs containing excessive whitespace will cause a zero
byte to be written outside of the allocated buffer. This is likely to
corrupt other data in memory and lead to a crash (or worse).

An LDAP bind request can send a string DN as a username. This DN is
parsed before the password is checked, so an attacker does not need
proper credentials.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect. Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

=========================
Workaround and mitigation
=========================

None.

=======
Credits
=======

Found and fixed by Douglas Bagnall of Catalyst and the Samba Team,
using Honggfuzz. Advisory written by Douglas Bagnall.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================