Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at
Bug 1849489 (CVE-2020-10730) - CVE-2020-10730 samba: NULL pointer de-reference and use-after-free in Samba AD DC LDAP Server with ASQ, VLV and paged_results
Summary: CVE-2020-10730 samba: NULL pointer de-reference and use-after-free in Samba A...
Alias: CVE-2020-10730
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1849613 1849615 1849979 1853255
TreeView+ depends on / blocked
Reported: 2020-06-22 04:53 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-16 19:48 UTC (History)
14 users (show)

Fixed In Version: samba 4.10.17, samba 4.11.11, samba 4.12.4
Doc Type: If docs needed, set a value
Doc Text:
A NULL pointer dereference, or possible use-after-free flaw was found in the Samba AD LDAP server. Although some versions of Samba shipped with Red Hat Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package. This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference. The highest threat from this vulnerability is to system availability.
Clone Of:
Last Closed: 2020-07-23 07:27:36 UTC

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:3118 0 None None None 2020-07-23 04:37:19 UTC
Red Hat Product Errata RHSA-2020:3119 0 None None None 2020-07-23 04:36:53 UTC
Red Hat Product Errata RHSA-2020:4568 0 None None None 2020-11-04 02:02:45 UTC
Samba Project 14364 0 None None None 2020-06-22 15:15:23 UTC

Description Huzaifa S. Sidhpurwala 2020-06-22 04:53:01 UTC
As per upstream advisory:

Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control.

The combination of this control, and the ASQ control combines to allow an authenticated user to trigger a NULL-pointer de-reference.  It is also possible to trigger a use-after-free, both as the code is very similar to that addressed by CVE-2020-10700 and due to the way errors are handled in the dsdb_paged_results module since Samba 4.10.

Comment 1 Huzaifa S. Sidhpurwala 2020-06-22 04:53:05 UTC

Name: the Samba project
Upstream: Andrew Bartlett

Comment 3 Hardik Vyas 2020-06-23 10:39:37 UTC

The version of samba shipped with Red Hat Gluster Storage 3 is built with a private copy of ldb which includes the vulnerable code. However, samba shipped with RHGS 3 is not supported for use as an AD DC and hence this issue has been rated as having a security impact of Low.

Comment 5 Huzaifa S. Sidhpurwala 2020-07-02 09:30:53 UTC
External References:

Comment 6 Huzaifa S. Sidhpurwala 2020-07-02 09:32:07 UTC
Created libldb tracking bugs for this issue:

Affects: fedora-all [bug 1853255]

Comment 8 errata-xmlrpc 2020-07-23 04:36:51 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2020:3119

Comment 9 errata-xmlrpc 2020-07-23 04:37:18 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2020:3118

Comment 10 Product Security DevOps Team 2020-07-23 07:27:36 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

Comment 11 errata-xmlrpc 2020-11-04 02:02:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2020:4568

Note You need to log in before you can comment on or make changes to this bug.