Bug 14364 (CVE-2020-10730) - CVE-2020-10730 [SECURITY] NULL de-reference in AD DC LDAP server when ASQ and VLV combined
Summary: CVE-2020-10730 [SECURITY] NULL de-reference in AD DC LDAP server when ASQ and...
Status: RESOLVED FIXED
Alias: CVE-2020-10730
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.12.2
Hardware: All (OS: All)
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14412
Reported: 2020-05-05 05:14 UTC by Andrew Bartlett
Modified: 2022-02-11 09:47 UTC

See Also:


Attachments
initial advisory (2.04 KB, text/plain) - 2020-05-05 05:30 UTC, Andrew Bartlett - no flags
patch v1 with bug (7.15 KB, patch) - 2020-05-05 05:34 UTC, Andrew Bartlett - no flags
Proposed patch for master V1 (14.55 KB, patch) - 2020-05-15 02:22 UTC, Gary Lockyer - no flags
Proposed patch for master V2 (16.87 KB, patch) - 2020-05-18 03:27 UTC, Gary Lockyer - no flags
Proposed patch for master V3 (23.72 KB, patch) - 2020-05-21 02:51 UTC, Gary Lockyer - abartlet: review+
Patch for Master (v4) (23.87 KB, patch) - 2020-05-22 03:07 UTC, Gary Lockyer - abartlet: review+, gary: ci-passed+
Patch for V4.12 (v1) (47.30 KB, patch) - 2020-05-22 03:10 UTC, Gary Lockyer - abartlet: review+, gary: ci-passed+
Patch for V4.11 (v1) (47.26 KB, patch) - 2020-05-22 03:12 UTC, Gary Lockyer - abartlet: review+, gary: ci-passed+
Patch for V4.10 (v1) (47.68 KB, patch) - 2020-05-22 03:16 UTC, Gary Lockyer - abartlet: review+, gary: ci-passed+
Patch for V4.5 (v1) (21.64 KB, patch) - 2020-05-25 00:30 UTC, Gary Lockyer - abartlet: review-
Patch for V4.5 (v2) (26.11 KB, patch) - 2020-05-26 20:54 UTC, Gary Lockyer - abartlet: review+, gary: ci-passed+
Advisory v2 with CVE number. Still needs release versions (2.06 KB, text/plain) - 2020-05-26 22:49 UTC, Andrew Bartlett - gary: review+
Advisory v3 (2.06 KB, text/plain) - 2020-06-18 01:48 UTC, Gary Lockyer - no flags
advisory v4 (2.06 KB, text/plain) - 2020-06-23 22:31 UTC, Douglas Bagnall - no flags
advisory v5 (2.06 KB, text/plain) - 2020-06-25 09:09 UTC, Karolin Seeger - abartlet: review+

Description Andrew Bartlett 2020-05-05 05:14:13 UTC
Both locally (easier to see) and remotely over authenticated LDAP, there is a NULL pointer de-reference with (e.g.) this:

bin/ldbsearch -H st/ad_dc/private/sam.ldb -s base -b " CN=Allowed RODC Password Replication Group,CN=Users,dc=addom,dc=samba,dc=example,dc=com" --controls="asq:1:member,server_sort:1:0:cn,vlv:1:10:10:11" objectclass samaccountname gitnumber member objectguid objectsid whenchanged usnchanged grouptype samaccountname 'objectclass=*'

This is similar to bug 14331, but unlike that one, this will impact versions back to Samba 4.5.  As well as the patches here, the asq parts of the bug 14331 patch should also be applied to address other possible issues.

CVSS v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
Comment 1 Andrew Bartlett 2020-05-05 05:30:25 UTC
Created attachment 15951 [details]
initial advisory
Comment 2 Andrew Bartlett 2020-05-05 05:34:49 UTC
Created attachment 15952 [details]
patch v1 with bug
Comment 3 Gary Lockyer 2020-05-15 02:22:06 UTC
Created attachment 15983 [details]
Proposed patch for master V1

Andrew added the check in ldb_lock_backend_callback as discussed.
Comment 4 Gary Lockyer 2020-05-18 03:27:51 UTC
Created attachment 15987 [details]
Proposed patch for master V2

CI currently underway
Comment 5 Andrew Bartlett 2020-05-18 04:17:09 UTC
Comment on attachment 15987 [details]
Proposed patch for master V2

I think we need to call ldb_module_done() when a condition *within* vlv_results fails, just not for errors of ldb_module_send_entry().

This is insanely fragile, but a proper fix is not in the scope of a security fix.
Comment 6 Gary Lockyer 2020-05-21 02:51:45 UTC
Created attachment 15998 [details]
Proposed patch for master V3
Comment 7 Andrew Bartlett 2020-05-21 04:28:38 UTC
Comment on attachment 15998 [details]
Proposed patch for master V3

Awesome.  Looking forward to approving the backports.
Comment 8 Gary Lockyer 2020-05-22 03:07:02 UTC
Created attachment 16002 [details]
Patch for Master (v4)

CI Results: https://gitlab.catalyst.net.nz/samba/samba.org-security-patches/pipelines/210063
Comment 9 Gary Lockyer 2020-05-22 03:10:26 UTC
Created attachment 16003 [details]
Patch for V4.12 (v1)

CI results: https://gitlab.catalyst.net.nz/samba/samba.org-security-patches/pipelines/210066
Comment 10 Gary Lockyer 2020-05-22 03:12:55 UTC
Created attachment 16004 [details]
Patch for V4.11 (v1)

CI results: https://gitlab.catalyst.net.nz/samba/samba.org-security-patches/pipelines/210071
Comment 11 Gary Lockyer 2020-05-22 03:16:38 UTC
Created attachment 16005 [details]
Patch for V4.10 (v1)

CI results: https://gitlab.catalyst.net.nz/samba/samba.org-security-patches/pipelines/210079
Comment 12 Andrew Bartlett 2020-05-22 04:18:49 UTC
Remember that any backport to 4.5 should include the patch to asq.c from CVE-2020-10700
Comment 13 Gary Lockyer 2020-05-25 00:30:07 UTC
Created attachment 16007 [details]
Patch for V4.5 (v1)

CI results: https://gitlab.catalyst.net.nz/samba/samba.org-security-patches/pipelines/210404
Comment 14 Andrew Bartlett 2020-05-25 00:53:23 UTC
Comment on attachment 16007 [details]
Patch for V4.5 (v1)

Can we get the combination of paged_results and vlv tests included (the latter just on the end of the 4.5 VLV tests), to ensure the ban included is tested?

Also, can you include the test of ASQ and paged results as the ASQ module was changed?  paged_results is in 4.5, just not the new GUID searching version.
Comment 15 Andrew Bartlett 2020-05-25 01:07:35 UTC
Please also include the marker from cherry-pick -x for the delete_force change.
Comment 16 Gary Lockyer 2020-05-26 20:54:33 UTC
Created attachment 16008 [details]
Patch for V4.5 (v2)

CI results: https://gitlab.catalyst.net.nz/samba/samba.org-security-patches/pipelines/210589
Comment 17 Andrew Bartlett 2020-05-26 22:38:33 UTC
Comment on attachment 16008 [details]
Patch for V4.5 (v2)

Looking great.  Thanks!
Comment 18 Andrew Bartlett 2020-05-26 22:49:40 UTC
Created attachment 16009 [details]
Advisory v2 with CVE number.  Still needs release versions

Once the date is set, the correct release versions need to be added.
Comment 19 Gary Lockyer 2020-06-18 01:48:54 UTC
Created attachment 16056 [details]
Advisory v3

Added target release versions
Comment 20 Karolin Seeger 2020-06-19 11:12:04 UTC
Planned release date Thursday July 2nd
Opening bug report for vendors.
Comment 21 Douglas Bagnall 2020-06-23 22:31:50 UTC
Created attachment 16067 [details]
advisory v4

Fix the release number for 4.11.
Comment 22 Karolin Seeger 2020-06-25 09:09:07 UTC
Created attachment 16089 [details]
advisory v5

s/futher/further/
Comment 23 Karolin Seeger 2020-07-02 08:52:20 UTC
Samba 4.12.4, 4.11.11 and 4.10.17 have been shipped to address this defect.
Comment 24 Karolin Seeger 2020-07-02 08:56:39 UTC
Pushed to autobuild-master.
Comment 25 Karolin Seeger 2020-07-02 09:07:11 UTC
Merged into v4-{12,11,10}-test.
Comment 26 Karolin Seeger 2020-07-03 09:18:54 UTC
Pushed to master.
Closing out bug report.

Thanks!
Comment 27 Andrew Bartlett 2020-07-21 08:00:48 UTC
Opening to the public and removing the samba-vendor alias from CC.  

Vendors: CC individually if you wish to follow along.