Headline
CVE-2020-10730: Samba - Security Announcement Archive
A NULL pointer dereference, or possible use-after-free flaw was found in Samba AD LDAP server in versions before 4.10.17, before 4.11.11 and before 4.12.4. Although some versions of Samba shipped with Red Hat Enterprise Linux do not support Samba in AD mode, the affected code is shipped with the libldb package. This flaw allows an authenticated user to possibly trigger a use-after-free or NULL pointer dereference. The highest threat from this vulnerability is to system availability.
CVE-2020-10730.html:
=========================================================== == Subject: NULL pointer de-reference and use-after-free == in Samba AD DC LDAP Server with ASQ, VLV and == paged_results == == CVE ID#: CVE-2020-10730 == == Versions: Samba 4.5.0 and later == == Summary: A client combining the ‘ASQ’ and ‘VLV’ LDAP == controls can cause a NULL pointer de-reference and == further combinations with the LDAP paged_results == feature can give a use-after-free in Samba’s AD DC == LDAP server. ===========================================================
=========== Description ===========
Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain ‘virtual list views’ of search results against a Samba AD DC using an LDAP control.
The combination of this control, and the ASQ control combines to allow an authenticated user to trigger a NULL-pointer de-reference. It is also possible to trigger a use-after-free, both as the code is very similar to that addressed by CVE-2020-10700 and due to the way errors are handled in the dsdb_paged_results module since Samba 4.10.
================== Patch Availability ==================
Patches addressing both of these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.10.17, 4.11.11 and 4.12.4 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
================== CVSSv3 calculation ==================
CVSS:v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
========================= Workaround and mitigation =========================
None.
======= Credits =======
Originally reported by Andrew Bartlett of Catalyst and the Samba Team.
Patches provided by Andrew Bartlett and Gary Lockyer of Catalyst and the Samba Team.
========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
Related news
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.