The Samba-Bugzilla – Attachment 16530 Details for
Bug 14595
CVE-2020-27840 [SECURITY] Unauthenticated remote heap corruption via bad DNs
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
Updated Advisory v3 including version numbers
CVE-2020-27840-v3.txt (text/plain), 2.43 KB, created by
Karolin Seeger
on 2021-03-12 08:43:41 UTC
(
hide
)
Description:
Updated Advisory v3 including version numbers
Filename:
MIME Type:
Creator:
Karolin Seeger
Created:
2021-03-12 08:43:41 UTC
Size:
2.43 KB
patch
obsolete
>=========================================================== >== Subject: Heap corruption via crafted DN strings >== >== CVE ID#: CVE-2020-27840 >== >== Versions: All Samba versions since Samba 4.0.0 >== >== Summary: An anonymous attacker can crash the Samba AD DC >== LDAP server by sending easily crafted DNs as >== part of a bind request. More serious heap corruption >== is likely also possible. >=========================================================== > >=========== >Description >=========== > >A DN may be represented in string form with arbitrary amounts of space >around the component values. These spaces are supposed to be ignored, >but invalid DNs strings with spaces may instead cause a zero byte to >be written into out-of-bounds memory. > >An LDAP bind request can send a string DN as an username. This DN is >necessarily parsed before the password is checked, so an attacker >without real credentials can anonymously trigger this bug. > >The location of zero byte is a negative offset relative to the >location of a dynamically allocated heap buffer; the exact offset >depends on the DN string. While it is possible for an attacker to >cause non-fatal data corruption, usefully targeting this is likely to >be difficult and the most likely outcome is a crash. > >The affected parsing routine is widely used. LDAP bind is not the only >way to trigger the bug remotely, though it appears to be the only >unauthenticated method. > >For technical details of the vulnerability, see the patch and >the bug at https://bugzilla.samba.org/show_bug.cgi?id=14595. > >================== >Patch Availability >================== > >Patches addressing both these issues have been posted to: > > https://www.samba.org/samba/security/ > >Additionally, Samba 4.14.1, 4.13.6 and 4.12.13 have been issued >as security releases to correct the defect. Samba administrators are >advised to upgrade to these releases or apply the patch as soon >as possible. > >================== >CVSSv3 calculation >================== > >CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5) > >========================= >Workaround and mitigation >========================= > >None. > >======= >Credits >======= > >Found and fixed by Douglas Bagnall of Catalyst and the Samba Team, >using Honggfuzz. > >Advisory written by Douglas Bagnall. > >========================================================== >== Our Code, Our Bugs, Our Responsibility. >== The Samba Team >==========================================================
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=16530">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
dbagnall
:
review-
abartlet
:
review+
Actions:
View
Attachments on
bug 14595
:
16365
|
16366
|
16383
|
16441
|
16442
|
16444
|
16445
|
16446
|
16447
|
16448
|
16449
|
16460
|
16461
|
16462
|
16463
|
16464
|
16530
|
16547