Bug 14331 (CVE-2020-10700) - CVE-2020-10700 [SECURITY] Use-after-free in AD DC LDAP server when ASQ and paged_results combined
Summary: CVE-2020-10700 [SECURITY] Use-after-free in AD DC LDAP server when ASQ and paged_results combined
Status: RESOLVED FIXED
Alias: CVE-2020-10700
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.12.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Duplicates: 14235
Depends on:
Blocks: 14349
Reported: 2020-03-31 03:47 UTC by Andrew Bartlett
Modified: 2020-05-14 23:52 UTC
CC: 6 users

See Also:


Attachments
patch for master (13.63 KB, patch) - 2020-03-31 03:50 UTC, Andrew Bartlett - abartlet: ci-passed+
First draft ASQ Advisory (2.14 KB, text/plain) - 2020-03-31 22:52 UTC, Andrew Bartlett - no flags
patch for 4.10 (v01) (13.89 KB, patch) - 2020-04-01 01:16 UTC, Andrew Bartlett - no flags
patch for 4.10 (v01) (13.89 KB, patch) - 2020-04-03 02:48 UTC, Andrew Bartlett - abartlet: ci-passed+
patch for 4.11 (v01) (13.63 KB, patch) - 2020-04-03 02:49 UTC, Andrew Bartlett - abartlet: ci-passed+
patch for 4.12 (v01) (13.63 KB, patch) - 2020-04-03 02:50 UTC, Andrew Bartlett - abartlet: ci-passed+
Advisory v2 with release versions (2.20 KB, text/plain) - 2020-04-16 20:32 UTC, Andrew Bartlett - gary: review+, abartlet: review+
Patch for Master (v2) (13.82 KB, patch) - 2020-04-17 02:06 UTC, Gary Lockyer - gary: review? (abartlet), dbagnall: review+, abartlet: review+
Patch for V4.12 (v2) (13.82 KB, patch) - 2020-04-17 02:27 UTC, Gary Lockyer - dbagnall: review+
Patch for V4.11 (v2) (13.82 KB, patch) - 2020-04-17 02:57 UTC, Gary Lockyer - dbagnall: review+
Patch for V4.10 (v2) (14.08 KB, patch) - 2020-04-17 03:19 UTC, Gary Lockyer - dbagnall: review+
Updated patch for 4.12 incl. ldb version bump (37.30 KB, patch) - 2020-04-17 12:28 UTC, Karolin Seeger - abartlet: review+, slow: review+, metze: review+, metze: ci-passed+
Updated patch for 4.11 incl. ldb version bump (37.21 KB, patch) - 2020-04-17 12:30 UTC, Karolin Seeger - abartlet: review+, metze: review+, slow: review+, kseeger: ci-passed+, metze: ci-passed+
Updated patch for 4.10 incl. ldb version bump (37.95 KB, patch) - 2020-04-17 12:31 UTC, Karolin Seeger - abartlet: review+, metze: review+, slow: review+, kseeger: ci-passed+
Advisory v3 with fixed typos (2.20 KB, text/plain) - 2020-04-20 06:42 UTC, Karolin Seeger - abartlet: review+

Description Andrew Bartlett 2020-03-31 03:47:09 UTC
When the ASQ control is combined with the paged_results control, the limit of 10 outstanding searches introduced to control resource usage can be hit and cause a use-after-free, as detected by talloc.

Additionally, the results returned are incorrect, being the results from a further level of ASQ de-reference.
Comment 1 Andrew Bartlett 2020-03-31 03:50:19 UTC
Created attachment 15882 [details]
patch for master

I'm running CI here: 
https://gitlab.catalyst.net.nz/samba/samba.org-security-patches/pipelines/200173
Comment 2 Andrew Bartlett 2020-03-31 04:00:18 UTC
I'm treating this as a DoS as the use-after-free is detected by talloc, not directly de-referenced. 

CVSSv3.1 estimate is either:
 - AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (5.3)
or
 - AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L (3.1)

What this hinges on is whether killing one of the preforked children (it is presumed that if you can kill one, you can keep going until they all die, then repeat after re-spawn) is "Low" or "High" per:

https://www.first.org/cvss/v3.1/specification-document#2-3-Impact-Metrics

This distinction matters: if Low we 'BUG: and move on', if High we must CVE and do a security release.  We have not been entirely consistent in how to handle a crash or assert in the LDAP server, particularly since the change to using prefork by default.
Comment 3 Andrew Bartlett 2020-03-31 04:03:41 UTC
Impacted versions are Samba 4.10 and later
Comment 4 Gary Lockyer 2020-03-31 21:51:02 UTC
If this reliably causes a process failure then I think it's high with pre-fork, as it would be easy to crash all the workers and then crash them as they restarted. For the standard model with max workers set this would be low, as only the attacker's process would crash.

It would be low for pre-fork if the crash is relatively rare, as requests would be processed until a crash was triggered.

For lmdb backends there would be issues with stale readers accumulating and possibly causing out of space issues.


On balance I think high.
Comment 5 Andrew Bartlett 2020-03-31 21:57:00 UTC
Thanks.  I've been unable to reproduce the crash (but can reproduce the other effects enough to reproduce the issue), but the original reporter has it crash every time, so it is just a matter of effort I suppose. 

Those CVSS calculations already take 'high effort' into account, so I guess we will need to do the CVE.  I'll ask for a number and write it up.
Comment 6 Andrew Bartlett 2020-03-31 22:52:34 UTC
Created attachment 15884 [details]
First draft ASQ Advisory

Here is the first draft of advisory pending CVE allocation, which I'll request now.
Comment 7 Andrew Bartlett 2020-04-01 01:16:03 UTC
Created attachment 15885 [details]
patch for 4.10 (v01)

The patch for 4.10 needed a backport, not just a cherry-pick.  Will update again once we get a CVE.
Comment 8 Andrew Bartlett 2020-04-03 02:48:55 UTC
Created attachment 15890 [details]
patch for 4.10 (v01)
Comment 9 Andrew Bartlett 2020-04-03 02:49:22 UTC
Created attachment 15891 [details]
patch for 4.11 (v01)
Comment 10 Andrew Bartlett 2020-04-03 02:50:56 UTC
Created attachment 15892 [details]
patch for 4.12 (v01)

All patches have now passed CI.  They will be updated once we get a CVE number.
Comment 11 Andrew Bartlett 2020-04-16 20:32:57 UTC
Created attachment 15921 [details]
Advisory v2 with release versions
Comment 12 Andrew Bartlett 2020-04-16 20:46:33 UTC
I'll add the CVE tags to the patches today.
Comment 13 Gary Lockyer 2020-04-16 22:45:09 UTC
Comment on attachment 15882 [details]
patch for master

Need to add CVE to commit message and name the patch files according to convention.

Once that's done you have my reviewed-by
Comment 14 Gary Lockyer 2020-04-16 23:23:24 UTC
Comment on attachment 15892 [details]
patch for 4.12 (v01)

Need to add CVE to commit message and name the patch files according to convention.

Once that's done you have my reviewed-by
Comment 15 Gary Lockyer 2020-04-16 23:38:59 UTC
Comment on attachment 15891 [details]
patch for 4.11 (v01)

Need to add CVE to commit message and name the patch files according to convention.

Once that's done you have my reviewed-by
Comment 16 Gary Lockyer 2020-04-16 23:57:29 UTC
Comment on attachment 15890 [details]
patch for 4.10 (v01)

Need to add CVE to commit message and name the patch files according to convention.

Once that's done you have my reviewed-by
Comment 17 Gary Lockyer 2020-04-17 02:06:10 UTC
Created attachment 15924 [details]
Patch for Master (v2)
Comment 18 Gary Lockyer 2020-04-17 02:27:45 UTC
Created attachment 15925 [details]
Patch for V4.12 (v2)
Comment 19 Gary Lockyer 2020-04-17 02:57:49 UTC
Created attachment 15926 [details]
Patch for V4.11 (v2)
Comment 20 Gary Lockyer 2020-04-17 03:19:32 UTC
Created attachment 15927 [details]
Patch for V4.10 (v2)
Comment 21 Andrew Bartlett 2020-04-17 08:10:26 UTC
I forgot, for the ldb change we need new ldb versions.  Not needed for master, but needed for the backports :(
Comment 22 Karolin Seeger 2020-04-17 12:28:23 UTC
Created attachment 15929 [details]
Updated patch for 4.12 incl. ldb version bump
Comment 23 Karolin Seeger 2020-04-17 12:30:48 UTC
Created attachment 15930 [details]
Updated patch for 4.11 incl. ldb version bump
Comment 24 Karolin Seeger 2020-04-17 12:31:49 UTC
Created attachment 15931 [details]
Updated patch for 4.10 incl. ldb version bump
Comment 25 Andrew Bartlett 2020-04-17 19:27:57 UTC
Comment on attachment 15931 [details]
Updated patch for 4.10 incl. ldb version bump

Well done getting the ABI file for pyldb-util.py3.  This is something I sometimes miss (or find difficult to generate) when doing the old backports.

Thanks!
Comment 26 Andrew Bartlett 2020-04-17 19:28:37 UTC
Assigning to Karolin for the next security release.
Comment 27 Karolin Seeger 2020-04-18 16:32:36 UTC
Planned release date Tuesday, April 28th 2020.
Opening bug report for vendors.
Comment 28 Huzaifa Sidhpurwala 2020-04-20 04:09:16 UTC
I found multiple spelling mistakes in the advisory, for example:

Serivce
efficint
occours

There could be others also, I did not check all of them.
Comment 29 Karolin Seeger 2020-04-20 06:41:49 UTC
(In reply to Huzaifa Sidhpurwala from comment #28)
Thanks for reporting!
Comment 30 Karolin Seeger 2020-04-20 06:42:58 UTC
Created attachment 15934 [details]
Advisory v3 with fixed typos
Comment 31 Andrew Bartlett 2020-04-21 05:49:04 UTC
Comment on attachment 15934 [details]
Advisory v3 with fixed typos

I do apologise for my poor spelling.  Thanks for fixing it up!
Comment 32 Karolin Seeger 2020-04-28 10:36:48 UTC
Samba 4.12.2, 4.11.8 and 4.10.15 have been released to address this defect.
Comment 33 Karolin Seeger 2020-04-28 11:01:08 UTC
Pushed to autobuild-master.
Comment 34 Andrew Bartlett 2020-04-29 00:37:40 UTC
Removing embargo.  Removing samba-vendor CC to avoid further noise to the alias; you can CC your account manually if you want further updates on this.
Comment 35 Karolin Seeger 2020-05-05 06:24:33 UTC
Pushed to all branches.
Closing out bug report.

Thanks!
Comment 36 Andrew Bartlett 2020-05-14 23:52:11 UTC
*** Bug 14235 has been marked as a duplicate of this bug. ***