Bug 1849509 (CVE-2020-10760) - CVE-2020-10760 samba: LDAP Use-after-free in Samba AD DC Global Catalog with paged_results and VLV
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-10760
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1853276
Blocks:
Reported: 2020-06-22 05:12 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-16 19:48 UTC
CC List: 17 users

Fixed In Version: samba 4.10.17, samba 4.11.11, samba 4.12.4
Doc Type: If docs needed, set a value
Doc Text:
A use-after-free flaw was found in the Samba LDAP server when used in an AD DC configuration. A Samba LDAP user could use this flaw to crash Samba.
Clone Of:
Environment:
Last Closed: 2020-06-22 05:29:05 UTC
Embargoed:


Links:
Samba Project bug 14402 (last updated 2020-06-22 15:16:08 UTC)

Description Huzaifa S. Sidhpurwala 2020-06-22 05:12:16 UTC
As per upstream advisory:

Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10 and later reimplemented the paged_results control using similar code.

This code is more memory-efficient, storing only a pointer to the object, not the returned object. However, this means parts of the original request must be retained.

When these controls are used by a client that connects to the Global Catalog server, these modules failed to correctly retain the control data along with the request, causing a use-after-free and an abort when this is detected by the talloc library.

NOTE WELL: Unsupported Samba versions before Samba 4.7 use a single process for the LDAP servers.

All versions of Samba after Samba 4.11 use the 'prefork' process model to create a shared connection pool.  Crashing servers are restarted, but service is disrupted.

Comment 1 Huzaifa S. Sidhpurwala 2020-06-22 05:13:45 UTC
Acknowledgments:

Name: the Samba project
Upstream: Andrei Popa

Comment 4 Hardik Vyas 2020-06-23 08:48:04 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage 3 because there is no support for samba as an Active Directory Domain Controller.

Comment 5 Huzaifa S. Sidhpurwala 2020-07-02 09:34:31 UTC
External References:

https://www.samba.org/samba/security/CVE-2020-10760.html

Comment 6 Huzaifa S. Sidhpurwala 2020-07-02 10:38:09 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1853276]
