The Samba-Bugzilla – Attachment 17381 Details for Bug 15009
CVE-2022-32746 [SECURITY] Use-after-free occurring in database audit logging module
Advisory draft #1
advisory.txt (text/plain), 2.66 KB, created by Jo Sutton on 2022-06-21 07:48:32 UTC
===========================================================
== Subject: Samba AD users can induce a use-after-free in the
== server process with an LDAP add or modify request.
==
== CVE ID#: CVE-2022-32746
==
== Versions: All versions of Samba prior to 4.16.next
==
== Summary: The AD DC database audit logging module can be made to
== access LDAP message values that have been freed by a
== preceding database module, resulting in a use-after-
== free. This is only possible when modifying certain
== privileged attributes, such as userAccountControl.
===========================================================

===========
Description
===========

Some database modules make a shallow copy of an LDAP add/modify
message so they can make modifications to its elements without
affecting the original message. Each element in a message points to an
array of values, and these arrays are shared between the original
message and the copy.

The issue arises when a database module adds new values to an existing
array. A call to realloc() increases the array's size to accommodate
new elements, but at the same time, frees the old array. This leaves
the original message element with a dangling pointer to a now-freed
array. When the database audit logging module subsequently logs the
details of the original message, it will access this freed data,
generally resulting in corrupted log output or a crash.

The code paths susceptible to this issue are reachable when certain
specific attributes, such as userAccountControl, are added or
modified. These attributes are not editable by default without having
a privilege assigned, such as Write Property.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.14.next, 4.15.next, and 4.16.next have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)

==========
Workaround
==========

Disabling AD DC database audit logging prevents the use-after-free
from occurring, as that is the only component that will access the
original message.

=======
Credits
=======

Initial report, patches, and this advisory by Joseph Sutton and Andrew
Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
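The mechanism the Description section describes, as an added example that is not part of the advisory and not Samba's or ldb's own code: a toy message model (the struct and function names below are constructed for this example and are hypothetical, not ldb's API) in which a shallow copy shares the original element's value array, a module then grows that array with a moving reallocation (written out as new block, copy, free old, so the old block is freed deterministically, as realloc() does when it cannot extend in place), and the original message is left pointing at freed memory. Beside it is a copy-on-write variant, one mitigation pattern for this bug class, which gives the copy its own array before extending it so the original stays valid for a later audit-log read. The attribute name and values are constructed sample data.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy model of an LDAP message element for this example.
 * Not ldb's real structures: one element with a heap array of values. */
struct elem {
    const char *name;
    size_t num_values;
    const char **values;      /* heap array; shared after a shallow copy */
};
struct msg {
    struct elem el;
};

/* Build a message with one element holding one value. */
static struct msg *msg_new(const char *name, const char *v) {
    struct msg *m = calloc(1, sizeof *m);
    m->el.name = name;
    m->el.values = malloc(sizeof *m->el.values);
    m->el.values[0] = v;
    m->el.num_values = 1;
    return m;
}

/* Shallow copy as in the advisory: the element is copied by value, so the
 * copy's values pointer still refers to the original's array. */
static struct msg *msg_copy_shallow(const struct msg *src) {
    struct msg *m = malloc(sizeof *m);
    *m = *src;
    return m;
}

/* Buggy module step: grow the (shared) array by moving it. The old block is
 * freed, but the original message still points at it. Returns the address
 * of the freed block so the caller can check for the dangling pointer. */
static uintptr_t elem_add_value_shared(struct elem *e, const char *v) {
    const char **old = e->values;
    const char **grown = malloc((e->num_values + 1) * sizeof *grown);
    memcpy(grown, old, e->num_values * sizeof *grown);
    grown[e->num_values] = v;
    free(old);
    e->values = grown;
    e->num_values++;
    return (uintptr_t)old;
}

/* Hardened step: copy-on-write. Detach the copy's element from the shared
 * array before extending it; the original keeps (and later frees) its own. */
static void elem_add_value_cow(struct elem *e, const char *v) {
    const char **own = malloc((e->num_values + 1) * sizeof *own);
    memcpy(own, e->values, e->num_values * sizeof *own);
    own[e->num_values] = v;
    e->values = own;
    e->num_values++;
}

/* Returns 1 if, after the shared-array grow, the original's value pointer
 * equals the freed block's address, i.e. an audit logger reading the
 * original would read freed memory. Only addresses are compared; the
 * freed pointer is never dereferenced here. */
static int demo_shared(void) {
    struct msg *orig = msg_new("userAccountControl", "512");
    struct msg *copy = msg_copy_shallow(orig);
    uintptr_t freed = elem_add_value_shared(&copy->el, "514");
    int dangling = ((uintptr_t)orig->el.values == freed);
    free(copy->el.values);
    free(copy);
    free(orig);            /* orig->el.values was already freed: not freed again */
    return dangling;
}

/* Returns 1 if, with copy-on-write, the original is intact and readable
 * while the copy carries the added value. */
static int demo_cow(void) {
    struct msg *orig = msg_new("userAccountControl", "512");
    struct msg *copy = msg_copy_shallow(orig);
    elem_add_value_cow(&copy->el, "514");
    int ok = orig->el.values != copy->el.values
          && orig->el.num_values == 1
          && strcmp(orig->el.values[0], "512") == 0   /* safe: still live */
          && copy->el.num_values == 2
          && strcmp(copy->el.values[1], "514") == 0;
    free(copy->el.values);
    free(copy);
    free(orig->el.values);
    free(orig);
    return ok;
}

int main(void) {
    printf("shared array grown in place: original dangles = %d\n", demo_shared());
    printf("copy-on-write grow: original intact = %d\n", demo_cow());
    return 0;
}
```

Building with AddressSanitizer and letting the "logger" actually read `orig->el.values[0]` after `elem_add_value_shared()` turns the silent dangling pointer into a reported heap-use-after-free, which is the class of report the advisory's "corrupted log output or a crash" corresponds to; the copy-on-write variant produces no such report because the original's array is never freed behind its back.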
Flags: abartlet: review+