Samba Security: CVE-2018-16841

Double-free in Samba AD DC KDC with PKINIT

2018-11-27 00:00:00
Samba Security
www.samba.org

CVSS3: 6.5 Medium
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4 Medium
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS: 0.008 Low (percentile 81.8%)

Description

When configured to accept smart-card authentication, Samba’s KDC will
call talloc_free() twice on the same memory if the principal in a
validly signed certificate does not match the principal in the AS-REQ.

This is only possible after authentication with a trusted certificate.

talloc detects the second talloc_free() on the same memory rather than
allowing further corruption: it calls abort() directly, terminating the
KDC process.

There is no further vulnerability associated with this issue, merely a
denial of service.

Patch Availability

Patches addressing this issue have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 4.7.12, 4.8.7 and 4.9.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

Workaround

Remove ‘enable-pkinit = true’ from the krb5.conf to disable smart-card
login.
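The two facts a domain-controller administrator needs from this advisory are whether the installed Samba is at or above the named security releases and whether the workaround (removing enable-pkinit = true from krb5.conf) has actually been applied. The following check script is an added example, not Samba project code; it assumes the enable-pkinit key lives under a [kdc] section and that the boolean may also be spelled "yes", neither of which the advisory states.

```python
import re

# Security releases named in the advisory, keyed by release branch.
FIXED_RELEASES = {(4, 7): (4, 7, 12), (4, 8): (4, 8, 7), (4, 9): (4, 9, 3)}

def parse_version(text):
    """'4.8.5' or 'Version 4.9.3-Debian' -> (4, 9, 3); raises if none found."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(x) for x in m.groups())

def is_fixed_release(version):
    """True if version is at or above the fixed release of its branch.
    Branches after 4.9 are assumed fixed (cut after the security releases);
    branches before 4.7 have no fixed release in the advisory, so: not fixed."""
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    return branch > (4, 9)

def pkinit_enabled(krb5_conf, section="kdc"):
    """Scan krb5.conf text for 'enable-pkinit = true' under [section].
    Skips '#'/';' comment lines, tracks section headers, accepts true/yes.
    The [kdc] section and the 'yes' spelling are assumptions, not advisory text."""
    current = None
    for raw in krb5_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            continue
        if current != section.lower() or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() == "enable-pkinit":
            return value.strip().lower() in ("true", "yes")
    return False

# Constructed sample: a DC that still has smart-card login switched on.
SAMPLE_KRB5_CONF = "[libdefaults]\n default_realm = EXAMPLE.COM\n[kdc]\n enable-pkinit = true\n"

def exposed(version_text, krb5_conf):
    """Exposed to the KDC double-free only if unpatched AND PKINIT is on."""
    return not is_fixed_release(parse_version(version_text)) and pkinit_enabled(krb5_conf)

if __name__ == "__main__":
    print("exposed:", exposed("Version 4.8.5", SAMPLE_KRB5_CONF))
```

On a real DC, feed it the output of `samba --version` and the contents of the KDC's krb5.conf; a result of True means the denial-of-service described above is still reachable by any authenticated user holding a trusted certificate.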

Credits

Originally reported by Alex MacCuish

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
