===========================================================
== Subject:     Out of bounds read in AD DC LDAP server
==
== CVE ID#:     CVE-2021-20277
==
== Versions:    All versions of Samba since Samba 4.0
==
== Summary:     User-controlled LDAP filter strings against
==              the AD DC LDAP server may crash the LDAP server.
===========================================================

===========
Description
===========

A string in an LDAP attribute that contains multiple consecutive
leading spaces can lead to a memmove() of out of bounds memory in
ldb_handler_fold().

ldb_handler_fold() is used for case-insensitive strings, which is
most string attributes in Active Directory. Because the search
expression is normalised before it is matched against any potential
objects, this in turn may crash the LDAP server process handling the
request.

It may be possible to leak the out of bounds memory by matching
against it, but this is thought to be unlikely.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.14.1, 4.13.6 and 4.12.13 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H (7.1)

==========
Workaround
==========

To disable the LDAP server, set 'server services = -ldap' in the
smb.conf and restart Samba. This will substantially reduce the
utility of the AD DC.

=======
Credits
=======

Found with the help of Honggfuzz. Originally reported by Douglas
Bagnall of Catalyst and the Samba Team.

Patches provided by and advisory written by Douglas Bagnall and
Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
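The Description section above attributes the crash to an in-place memmove() while folding a value with several consecutive leading spaces. The following is an added illustration, not Samba's ldb_handler_fold() or any other Samba code: a length-driven fold (lower-case, trim leading and trailing spaces, collapse interior runs to one space; these semantics are assumed for the example) that writes into a separate buffer so no in-buffer move can run out of bounds however many leading spaces the attacker supplies.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

/* Fold a case-insensitive attribute value into a new heap buffer.
 * Assumed semantics for this example (not a copy of ldb's code):
 * lower-case, drop leading/trailing spaces, collapse interior runs.
 *
 * Safety properties a reviewer should be able to check by inspection:
 *  - reads are bounded by the explicit 'len', never by a NUL search;
 *  - output is never longer than input, so len+1 bytes always suffice;
 *  - no memmove() inside the buffer, so there is no offset whose
 *    correctness depends on how many leading spaces were seen.
 * Returns a NUL-terminated string (caller frees) or NULL on failure. */
char *fold_value(const unsigned char *input, size_t len)
{
    char *out = malloc(len + 1);
    if (out == NULL) return NULL;

    size_t o = 0;
    int pending_space = 0;  /* interior run of spaces not yet emitted */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = input[i];
        if (c == ' ') {
            /* Leading spaces (o == 0) are dropped; an interior run is
             * remembered and emitted as one space before the next char. */
            if (o > 0) pending_space = 1;
            continue;
        }
        if (pending_space) {
            out[o++] = ' ';
            pending_space = 0;
        }
        out[o++] = (char)tolower(c);
    }
    out[o] = '\0';  /* a trailing run of spaces is simply never emitted */
    return out;
}

/* Convenience wrapper for NUL-terminated C strings. */
char *fold_cstr(const char *s)
{
    return fold_value((const unsigned char *)s, strlen(s));
}
```

Inputs such as "   Foo   Bar  " (several leading spaces, the shape the advisory names) fold to "foo bar", and an all-space value folds to the empty string without any read or write outside the two buffers.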