<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>

<H2>CVE-2020-10730.html:</H2>

===========================================================
== Subject: NULL pointer de-reference and use-after-free
== in Samba AD DC LDAP Server with ASQ, VLV and
== CVE ID#: CVE-2020-10730
== Versions: Samba 4.5.0 and later
== Summary: A client combining the 'ASQ' and 'VLV' LDAP
== controls can cause a NULL pointer de-reference and
== further combinations with the LDAP paged_results
== feature can give a use-after-free in Samba's AD DC
===========================================================

Samba has, since Samba 4.5, supported the VLV Active Directory LDAP
feature, to allow clients to obtain 'virtual list views' of search
results against a Samba AD DC using an LDAP control.

Combined with the ASQ control, this control allows an authenticated
user to trigger a NULL-pointer de-reference. It is also possible to
trigger a use-after-free, both because the code is very similar to
that addressed by CVE-2020-10700 and because of the way errors are
handled in the dsdb_paged_results module since Samba 4.10.

Patches addressing both of these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11 and 4.12.4 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon

CVSS:v3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
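
The affected range and security releases listed above can be turned into an inventory check. The following is an added example, not code from the Samba advisory or project; the function names are hypothetical, and treating series newer than 4.12 as fixed is an assumption the advisory does not state.

```python
import re

# Versions taken from the advisory: affected from 4.5.0; fixed in these releases.
FIRST_AFFECTED = (4, 5, 0)
FIXED_RELEASES = {(4, 10): 17, (4, 11): 11, (4, 12): 4}
# Assumption (not stated in the advisory): release series newer than 4.12
# were branched after the fix and already contain it.
NEWEST_FIXED_SERIES = max(FIXED_RELEASES)


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Version 4.11.6-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(p) for p in m.groups())


def cve_2020_10730_status(version_text):
    """Classify an upstream Samba version string against the advisory.

    Returns 'not-affected', 'fixed' or 'vulnerable'. Only hosts running as
    an AD DC expose the affected LDAP server. Distribution packages may
    backport the patch without changing the upstream number, so a
    'vulnerable' result on a vendor build needs checking against the
    vendor's changelog.
    """
    version = parse_version(version_text)
    if version < FIRST_AFFECTED:
        return "not-affected"
    series, patch = version[:2], version[2]
    if series in FIXED_RELEASES:
        return "fixed" if patch >= FIXED_RELEASES[series] else "vulnerable"
    if series > NEWEST_FIXED_SERIES:
        return "fixed"  # assumption, see above
    # 4.5 to 4.9: the advisory lists no security release for these series.
    return "vulnerable"


if __name__ == "__main__":
    # Constructed sample inputs, in the style of Samba's --version output.
    for sample in ("Version 4.4.16", "Version 4.9.18", "Version 4.11.6-Ubuntu",
                   "Version 4.11.11", "Version 4.12.4", "Version 4.13.0"):
        print(f"{sample:24} {cve_2020_10730_status(sample)}")
```
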

=========================
Workaround and mitigation
=========================

Originally reported by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett and Gary Lockyer of Catalyst and

==========================================================
== Our Code, Our Bugs, Our Responsibility.
==========================================================