13552 – (CVE-2018-10918) [SECURITY] [CVE-2018-10918] - DsCrackNames on a user without an SPN can trigger NULL-pointer de-reference

Bug 13552 (CVE-2018-10918) - [SECURITY] [CVE-2018-10918] - DsCrackNames on a user without an SPN can trigger NULL-pointer de-reference

Summary: [SECURITY] [CVE-2018-10918] - DsCrackNames on a user without an SPN can trigg...

Status:	RESOLVED FIXED

Alias:	CVE-2018-10918

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	DCE-RPCs and pipes (show other bugs)
Version:	4.8.0
Hardware:	All All

Importance:	P5 critical (vote)
Target Milestone:	---
Assignee:	Karolin Seeger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	12842 13509
	Show dependency tree / graph

Reported:	2018-07-29 23:07 UTC by Andrew Bartlett
Modified:	2018-08-24 09:40 UTC (History)
CC List:	6 users (show)

See Also:

Attachments
patch for master (3.26 KB, patch) 2018-07-30 02:51 UTC, Andrew Bartlett	gary: review+	Details
proposed CVE text (needs CVE) (1.59 KB, text/plain) 2018-07-30 02:51 UTC, Andrew Bartlett	gary: review+	Details
patch for master (1.59 KB, patch) 2018-07-30 03:07 UTC, Andrew Bartlett	no flags	Details
patch for master (3.31 KB, patch) 2018-07-30 03:07 UTC, Andrew Bartlett	gary: review+	Details
CVE text updated with CVE number. (1.63 KB, text/plain) 2018-08-07 23:45 UTC, Jeremy Allison	gary: review+ abartlet: review+	Details
Show Obsolete (3) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 1 Andrew Bartlett 2018-07-30 02:51:03 UTC

Created attachment 14359 [details]
patch for master

Comment 2 Andrew Bartlett 2018-07-30 02:51:30 UTC

Created attachment 14360 [details]
proposed CVE text (needs CVE)

Comment 3 Andrew Bartlett 2018-07-30 02:54:00 UTC

Can I (urgently) get a CVE for this.  Our next security release needs to be locked in on 1 August and I would like this included.

Thanks!

Comment 4 Andrew Bartlett 2018-07-30 03:07:16 UTC

Created attachment 14361 [details]
patch for master

Comment 5 Andrew Bartlett 2018-07-30 03:07:50 UTC

Created attachment 14362 [details]
patch for master

Comment 6 Andrew Bartlett 2018-07-30 04:08:50 UTC

The master patch applies to 4.7 and 4.8 also.

Comment 7 Jeremy Allison 2018-07-31 20:16:27 UTC

CVE number requested from secalert@redhat.com.

Comment 8 Jeremy Allison 2018-08-01 16:14:52 UTC

CVE-2018-10918 assigned by Red Hat product security.

Comment 10 Andrew Bartlett 2018-08-07 02:23:49 UTC

This is a CVSS 6.5

https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

Comment 11 Nagendra.V.S 2018-08-07 13:11:44 UTC

The CVE text still contains the place holder(XXX) in CVE id

CVE-2018-XXXX

Comment 12 Jeremy Allison 2018-08-07 23:45:21 UTC

Created attachment 14401 [details]
CVE text updated with CVE number.

Comment 13 Karolin Seeger 2018-08-14 08:45:34 UTC

Samba 4.8.4, 4.9.7 an 4.6.16 have been released in order to address these defects.

Comment 14 Karolin Seeger 2018-08-14 08:59:25 UTC

(In reply to Karolin Seeger from comment #13)
4.7.9(In reply to Karolin Seeger from comment #13)
Meant 4.7.9 of course and 4.6.16 is not affected by this issue

Comment 15 Karolin Seeger 2018-08-14 10:11:02 UTC

Pushed to autobuild-v4-9-test and autobuild-master.

Comment 16 Andrew Bartlett 2018-08-14 22:20:29 UTC

Opening up bug.  Redacted original description. 

My elaboration was:

Likely due to elements being NULL here:

case DRSUAPI_DS_NAME_FORMAT_SERVICE_PRINCIPAL: {
		if (result->elements[0].num_values > 1) {
			info1->status = DRSUAPI_DS_NAME_STATUS_NOT_UNIQUE;
			return WERR_OK;
		}

Comment 17 Karolin Seeger 2018-08-24 09:40:42 UTC

Pushed to both branches.
Closing out bug report.

Thanks!