=========================================================== == Subject: Heap corruption via crafted DN strings == == CVE ID#: CVE-2020-27840 == == Versions: All Samba versions since Samba 4.0.0 == == Summary: An anonymous attacker can crash the Samba AD DC == LDAP server by sending easily crafted DNs as == part of a bind request. More serious heap corruption == is likely also possible. =========================================================== =========== Description =========== A DN may be represented in string form with arbitrary amounts of space around the component values. These spaces are supposed to be ignored, but invalid DNs strings with spaces may instead cause a zero byte to be written into out-of-bounds memory. An LDAP bind request can send a string DN as a username. This DN is necessarily parsed before the password is checked, so an attacker without real credentials can anonymously trigger this bug. The location of zero byte is a negative offset relative to the location of a dynamically allocated heap buffer; the exact offset depends on the DN string. While it is possible for an attacker to cause non-fatal data corruption, usefully targeting this is likely to be difficult and the most likely outcome is a crash. The affected parsing routine is widely used. LDAP bind is not the only way to trigger the bug remotely, though it appears to be the only unauthenticated method. For technical details of the vulnerability, see the patch and the bug at https://bugzilla.samba.org/show_bug.cgi?id=14595. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5) ========================= Workaround and mitigation ========================= None. ======= Credits ======= Found and fixed by Douglas Bagnall of Catalyst and the Samba Team, using Honggfuzz. Advisory written by Douglas Bagnall. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================