<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2019-14847.html:</H2>
===========================================================
== Subject: User with "get changes" permission can
== crash AD DC LDAP server via dirsync
==
== CVE ID#: CVE-2019-14847
==
== Versions: Samba 4.0.0 until Samba 4.10.9
==
== Summary: Users with the "get changes" extended access
== right can crash the AD DC LDAP server by
== requesting an attribute using the range= syntax.
===========================================================

Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync"
LDAP control specified in MS-ADTS "3.1.1.3.4.1.3
LDAP_SERVER_DIRSYNC_OID".

However, when combined with the ranged results feature specified in
MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values" a NULL
pointer can be de-referenced.

This is a Denial of Service only, no further escalation of privilege
is associated with this issue.

Samba 4.11 is not affected as the issue was fixed as a result of
Coverity static analysis, before the potential for denial of service

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.9.15 and 4.10.10 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.9)

==========================
Workaround and mitigation.
==========================

By default, the supported versions of Samba impacted by this issue run
using the "standard" process model, which is unaffected.

This is controlled by the -M or --model parameter to the samba binary.

Unsupported Samba versions before Samba 4.7 use a single process for
the LDAP server, and so are impacted.

Samba 4.8, 4.9 and 4.10 are impacted if -M prefork or -M single is
used. To mitigate this issue, select -M standard (the default).
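
The version and process-model rules above can be applied to an inventory of AD DCs. The following triage helper is an added example, not part of the Samba advisory or the Samba code base; the function names, status labels and sample inventory are assumptions made for illustration.

```python
import re
import shlex

# Security releases named in the advisory, keyed by release branch.
FIXED = {(4, 9): (4, 9, 15), (4, 10): (4, 10, 10)}

def parse_version(text):
    """Extract (major, minor, patch) from text such as 'Version 4.10.8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(g) for g in m.groups())

def process_model(cmdline):
    """Return the value given to -M/--model, or 'standard' (the default)."""
    args, model = shlex.split(cmdline), "standard"
    for i, arg in enumerate(args):
        if arg in ("-M", "--model") and i + 1 < len(args):
            model = args[i + 1]
        elif arg.startswith("--model="):
            model = arg.split("=", 1)[1]
    return model

def assess(version_text, cmdline):
    """Classify one AD DC using the advisory's version and process-model rules."""
    v = parse_version(version_text)
    if v < (4, 0, 0) or v >= (4, 11, 0):
        return "not-affected"
    if v >= FIXED.get(v[:2], (99, 0, 0)):
        return "patched"
    if v[:2] < (4, 7):
        return "exposed"        # single-process LDAP server
    if v[:2] == (4, 7):
        return "unknown"        # advisory gives no process-model statement for 4.7
    model = process_model(cmdline)
    if model == "standard":
        return "mitigated"      # still within the affected versions: upgrade
    if model in ("prefork", "single"):
        return "exposed"
    return "unknown"            # model not discussed in the advisory

if __name__ == "__main__":
    # Constructed sample inventory: (version string, samba command line).
    hosts = [("Version 4.10.8", "/usr/sbin/samba -D -M prefork"),
             ("Version 4.9.14", "/usr/sbin/samba -D"),
             ("Version 4.10.10", "/usr/sbin/samba --model=single"),
             ("Version 4.6.2", "/usr/sbin/samba -D")]
    for version, cmdline in hosts:
        print(f"{version:16} {cmdline:34} {assess(version, cmdline)}")
```

A "mitigated" result means only that the process model matches the workaround; the host is still running an affected version and should be upgraded or patched.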

Originally reported by Adam Xu

Patches provided and advisory written by Douglas Bagnall and Andrew
Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
==========================================================