Use-after-free in Samba AD DC LDAP Server with ASQ

Description

Samba has, since Samba 4.0, supported the Paged Results LDAP feature,
to allow clients to obtain pages of search results against a Samba AD
DC using an LDAP control.

Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been
in place in this module, to age out old client requests if more than
10 such requests are outstanding.

A rewrite of the module for more efficient memory handling in Samba
4.11 changed the module behaviour, and combined with the above to
introduce the use-after-free. The use-after-free occurs when the
‘Paged Results’ control is combined with the ‘ASQ’ control, another
Active Directory LDAP feature.

Patch Availability

Patches addressing both of these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.10.15, 4.11.8 and 4.12.2 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1:AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H (5.3)

Workaround or mitigating factors

The crash is hard to trigger, and relies in particular on the chain of
child and grandchild links being queried with ASQ. Malicious users
without write access will need to find a suitable chain within the
existing directory layout.

Credits

Originally reported by Andrei Popa <[email protected]>.

Patches provided by Andrew Bartlett of Catalyst and the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team