CVE-2022-32746: Samba - Security Announcement Archive

A flaw was found in the Samba AD LDAP server. The AD DC database audit logging module can access LDAP message values freed by a preceding database module, resulting in a use-after-free issue. This issue is only possible when modifying certain privileged attributes, such as userAccountControl.


CVE-2022-32746.html:

===========================================================
== Subject:     Samba AD users can induce a use-after-free in the
==              server process with an LDAP add or modify request.
==
== CVE ID#:     CVE-2022-32746
==
== Versions:    All versions of Samba prior to 4.16.4
==
== Summary:     The AD DC database audit logging module can be made to
==              access LDAP message values that have been freed by a
==              preceding database module, resulting in a
==              use-after-free. This is only possible when modifying
==              certain privileged attributes, such as
==              userAccountControl.
===========================================================

===========
Description
===========

Some database modules make a shallow copy of an LDAP add/delete message so they can make modifications to its elements without affecting the original message. Each element in a message points to an array of values, and these arrays are shared between the original message and the copy.

The issue arises when a database module adds new values to an existing array. A call to realloc() increases the array’s size to accommodate new elements, but at the same time, frees the old array. This leaves the original message element with a dangling pointer to a now-freed array. When the database audit logging module subsequently logs the details of the original message, it will access this freed data, generally resulting in corrupted log output or a crash.

The code paths susceptible to this issue are reachable when certain specific attributes, such as userAccountControl, are added or modified. These attributes are not editable by default without having a privilege assigned, such as Write Property.
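The copy-then-grow sequence the description lays out, as an added illustration that is not Samba's or libldb's code: the `val`/`element`/`message` structs, the ledger of freed blocks, the `run_flow` driver and the sample userAccountControl values are all constructed for this example. It models the shallow copy (element array duplicated, values arrays shared), the append that frees the shared values array, and the audit logger reading the original message, then shows the shape of the fix: the copy takes ownership of its values array before growing it. The grow is written as allocate/copy/free rather than `realloc()` so the move, and the free it implies, is deterministic; the logger stand-in consults the ledger instead of dereferencing freed memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for libldb's value/element/message types (not the
 * real definitions); only the ownership pattern matters here. */
struct val { const char *data; };
struct element { const char *name; unsigned num_values; struct val *values; };
struct message { unsigned num_elements; struct element *elements; };

/* Ledger of freed values arrays: lets the logger stand-in detect a dangling
 * pointer instead of reading freed memory (which would be the real UAF). */
#define LEDGER_MAX 16
static uintptr_t freed_blocks[LEDGER_MAX];
static unsigned freed_count;

static void tracked_free(void *p) {
    if (freed_count < LEDGER_MAX) freed_blocks[freed_count++] = (uintptr_t)p;
    free(p);
}

static int was_freed(const void *p) {
    for (unsigned i = 0; i < freed_count; i++)
        if (freed_blocks[i] == (uintptr_t)p) return 1;
    return 0;
}

/* One-element message (constructed sample), e.g. userAccountControl: 512. */
static struct message *message_new(const char *attr, const char *value) {
    struct message *m = calloc(1, sizeof *m);
    m->num_elements = 1;
    m->elements = calloc(1, sizeof *m->elements);
    m->elements[0].name = attr;
    m->elements[0].num_values = 1;
    m->elements[0].values = malloc(sizeof *m->elements[0].values);
    m->elements[0].values[0].data = value;
    return m;
}

/* The pattern from the advisory: the element array is duplicated, but each
 * element's values array is still shared with the original message. */
static struct message *shallow_copy(const struct message *src) {
    struct message *m = calloc(1, sizeof *m);
    size_t bytes = src->num_elements * sizeof *src->elements;
    m->num_elements = src->num_elements;
    m->elements = memcpy(malloc(bytes), src->elements, bytes);
    return m;
}

/* Fix shape: give the copy's element a private values array before growing
 * it, so the grow can never free storage the original still references. */
static void element_own_values(struct element *el) {
    size_t bytes = el->num_values * sizeof *el->values;
    el->values = memcpy(malloc(bytes), el->values, bytes);
}

/* Append a value. Allocate/copy/free instead of realloc() so the move, and
 * the free of the old array, is deterministic; realloc() does the same
 * whenever it cannot extend the block in place. */
static void element_append(struct element *el, const char *value) {
    struct val *grown = malloc((el->num_values + 1) * sizeof *grown);
    memcpy(grown, el->values, el->num_values * sizeof *grown);
    grown[el->num_values].data = value;
    tracked_free(el->values);
    el->values = grown;
    el->num_values++;
}

/* Audit-logger stand-in that walks the ORIGINAL message. Returns the number
 * of values logged, or -1 if an element's values array was already freed. */
static int audit_log(const struct message *m) {
    int logged = 0;
    for (unsigned i = 0; i < m->num_elements; i++) {
        const struct element *el = &m->elements[i];
        if (was_freed(el->values)) return -1;
        for (unsigned j = 0; j < el->num_values; j++, logged++)
            printf("audit: %s = %s\n", el->name, el->values[j].data);
    }
    return logged;
}

/* The sequence from the advisory: shallow copy, a module appends a value to
 * the copy's element, then the audit logger walks the original.
 * fix = 0 is the vulnerable flow (returns -1: the shared array was freed);
 * fix = 1 makes the copy own its values first (returns 1: original intact). */
int run_flow(int fix) {
    freed_count = 0;
    struct message *orig = message_new("userAccountControl", "512");
    struct message *copy = shallow_copy(orig);
    if (fix) element_own_values(&copy->elements[0]);
    element_append(&copy->elements[0], "66048");  /* frees the old values array */
    int r = audit_log(orig);
    free(copy->elements[0].values); free(copy->elements); free(copy);
    if (fix) free(orig->elements[0].values);      /* unfixed: already freed above */
    free(orig->elements); free(orig);
    return r;
}

int main(void) {
    printf("vulnerable: %d, fixed: %d\n", run_flow(0), run_flow(1));
    return 0;
}
```

Build with `cc -Wall example.c && ./a.out`. The `was_freed` check is what keeps this example safe to run; in a real code base the equivalent safety net is a sanitizer build: remove that check, compile with `-fsanitize=address`, and the vulnerable flow becomes a heap-use-after-free report at the logger's read, which is how this class of defect surfaces in fuzzing and CI.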

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)

==========
Workaround
==========

Disabling AD DC database audit logging prevents the use-after-free from occurring, as that is the only component that will access the original message.

=======
Credits
=======

Initial report, patches, and this advisory by Joseph Sutton and Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Related news

Gentoo Linux Security Advisory 202309-06

Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.

RHSA-2022:8318: Red Hat Security Advisory: libldb security, bug fix, and enhancement update

An update for libldb is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2022-32746: samba: AD users can induce a use-after-free in the server process with an LDAP add or modify request

RHSA-2022:7730: Red Hat Security Advisory: libldb security, bug fix, and enhancement update

An update for libldb is now available for Red Hat Enterprise Linux 8. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original.
Related CVEs:
* CVE-2022-32746: samba: AD users can induce a use-after-free in the server process with an LDAP add or modify request

Ubuntu Security Notice USN-5542-1

Ubuntu Security Notice 5542-1 - It was discovered that Samba did not handle MaxQueryDuration when being used in AD DC configurations, contrary to expectations. This issue only affected Ubuntu 20.04 LTS. Luke Howard discovered that Samba incorrectly handled certain restrictions associated with changing passwords. A remote attacker being requested to change passwords could possibly use this issue to escalate privileges.
