
====================================================================

                             CERT-Renater

                 Information Note No. 2021/VULN178
_____________________________________________________________________

DATE                : 25/03/2021

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Samba versions prior to
              4.14.2 (4.14.1), 4.13.7 (4.13.6), 4.12.14 (4.12.13).

=====================================================================
https://www.samba.org/samba/security/CVE-2020-27840.html
https://www.samba.org/samba/security/CVE-2021-20277.html
_____________________________________________________________________

CVE-2020-27840.html

===========================================================
== Subject:     Heap corruption via crafted DN strings
==
== CVE ID#:     CVE-2020-27840
==
== Versions:    All Samba versions since Samba 4.0.0
==
== Summary:     An anonymous attacker can crash the Samba AD DC
==              LDAP server by sending easily crafted DNs as
==              part of a bind request. More serious heap corruption
==              is likely also possible.
===========================================================

===========
Description
===========

A DN may be represented in string form with arbitrary amounts of space
around the component values. These spaces are supposed to be ignored,
but invalid DN strings with spaces may instead cause a zero byte to
be written into out-of-bounds memory.

An LDAP bind request can send a string DN as a username. This DN is
necessarily parsed before the password is checked, so an attacker
without real credentials can anonymously trigger this bug.

The location of the zero byte is a negative offset relative to the
location of a dynamically allocated heap buffer; the exact offset
depends on the DN string. While it is possible for an attacker to
cause non-fatal data corruption, usefully targeting this is likely to
be difficult and the most likely outcome is a crash.

The affected parsing routine is widely used. LDAP bind is not the only
way to trigger the bug remotely, though it appears to be the only
unauthenticated method.

For technical details of the vulnerability, see the patch and
the bug at https://bugzilla.samba.org/show_bug.cgi?id=14595.
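The advisory describes the failure mode of string-DN parsing: whitespace trimming around component values that can place a terminating NUL before the start of a heap buffer. The following is an added illustrative parser, not Samba's or ldb's code, showing how a bounds-guarded trimmer avoids that class of defect; `dn_parse`, `trim_dup` and `struct dn_comp` are names chosen here, and RFC 4514 escaping is deliberately not handled.

```c
#include <stdlib.h>
#include <string.h>

/* One parsed DN component, e.g. "CN=Alice": type and value are heap
 * copies with surrounding spaces removed. (Illustrative struct.) */
struct dn_comp { char *type; char *value; };

/* Copy [start, end) into a fresh NUL-terminated buffer after trimming
 * spaces. Every step that moves `end` backwards is guarded by
 * `end > start`, so an all-space or empty slice yields "" instead of
 * the terminating NUL landing before the slice (the negative-offset
 * write pattern the advisory describes). */
static char *trim_dup(const char *start, const char *end)
{
    while (start < end && *start == ' ') start++;
    while (end > start && end[-1] == ' ') end--;
    size_t n = (size_t)(end - start);
    char *out = malloc(n + 1);
    if (out == NULL) return NULL;
    memcpy(out, start, n);
    out[n] = '\0';
    return out;
}

/* Split a string DN on ',' into at most `max` components. Returns the
 * number parsed, or -1 if a component is empty, lacks '=', has an empty
 * type, or the limit is exceeded; on failure every copy made so far
 * is freed. An empty value after '=' (e.g. "CN=") is accepted. */
int dn_parse(const char *dn, struct dn_comp *comps, int max)
{
    int n = 0;
    const char *p = dn;
    while (1) {
        const char *comma = strchr(p, ',');
        const char *end = comma ? comma : p + strlen(p);
        const char *eq = memchr(p, '=', (size_t)(end - p));
        if (eq == NULL || n == max) goto fail;
        comps[n].type = trim_dup(p, eq);
        comps[n].value = trim_dup(eq + 1, end);
        if (comps[n].type == NULL || comps[n].value == NULL ||
            comps[n].type[0] == '\0') { n++; goto fail; }
        n++;
        if (comma == NULL) return n;
        p = comma + 1;
    }
fail:
    for (int i = 0; i < n; i++) { free(comps[i].type); free(comps[i].value); }
    return -1;
}
```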

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14
(4.12.13) have been issued as security releases to correct the defect.
Samba administrators are advised to upgrade to these releases or apply
the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSSv3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

=========================
Workaround and mitigation
=========================

None.

=======
Credits
=======

Found and fixed by Douglas Bagnall of Catalyst and the Samba Team,
using Honggfuzz.

Advisory written by Douglas Bagnall.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________

CVE-2021-20277.html

===========================================================
== Subject:     Out of bounds read in AD DC LDAP server
==
== CVE ID#:     CVE-2021-20277
==
== Versions:    All versions of Samba since Samba 4.0
==
== Summary:     User-controlled LDAP filter strings against
==              the AD DC LDAP server may crash the LDAP server.
===========================================================

===========
Description
===========

A string in an LDAP attribute that contains multiple consecutive
leading spaces can lead to a memmove() of out of bounds memory in
ldb_handler_fold().

ldb_handler_fold() is used by case-insensitive strings - that is, most
string attributes - in Active Directory.

As the search expression is normalised prior to matching any potential
objects, this in turn may crash the LDAP server process
handling the request.  It may be possible to leak the out of bounds
memory by matching against it, but this is thought to be unlikely.
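The advisory attributes the crash to a memmove() over out-of-bounds memory when a value begins with several spaces. The following is an added example, not ldb's code, of the same normalisation done with separate read and write cursors over one buffer, so no move can ever reference memory before the buffer start; the fold semantics assumed here (ASCII lower-casing, leading and trailing spaces dropped, interior runs collapsed to one) and the names `fold_value`, `values_match` and `copy_str` are this example's own.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Normalise a case-insensitive attribute value in place. The write
 * cursor `w` starts at 0 and only advances, and never passes the read
 * cursor `r`, so the leading run of spaces, however long, is consumed
 * by reading rather than by moving memory from before the buffer.
 * Returns the new length; `s` stays NUL-terminated. */
size_t fold_value(char *s)
{
    size_t r = 0, w = 0;
    int pending_space = 0;
    while (s[r] == ' ') r++;               /* leading run of any length */
    for (; s[r] != '\0'; r++) {
        if (s[r] == ' ') { pending_space = 1; continue; }
        if (pending_space) s[w++] = ' ';   /* collapse interior run */
        pending_space = 0;
        s[w++] = (char)tolower((unsigned char)s[r]);
    }
    s[w] = '\0';                           /* trailing run is dropped */
    return w;
}

/* Heap copy of a C string (strdup is POSIX, not ISO C). */
static char *copy_str(const char *s)
{
    size_t n = strlen(s) + 1;
    char *d = malloc(n);
    if (d != NULL) memcpy(d, s, n);
    return d;
}

/* Compare two values the way a case-insensitive filter match would:
 * fold private copies, then compare. Returns 1 on match, else 0. */
int values_match(const char *a, const char *b)
{
    char *fa = copy_str(a), *fb = copy_str(b);
    int eq = 0;
    if (fa != NULL && fb != NULL) {
        fold_value(fa);
        fold_value(fb);
        eq = strcmp(fa, fb) == 0;
    }
    free(fa);
    free(fb);
    return eq;
}
```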

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.14.2 (4.14.1), 4.13.7 (4.13.6) and 4.12.14
(4.12.13) have been issued as security releases to correct the defect.
Samba administrators are advised to upgrade to these releases or apply
the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:H (7.1)

==========
Workaround
==========

To disable the LDAP server set 'server services = -ldap' in the
smb.conf and restart Samba.  This will substantially reduce the
utility of the AD DC.

=======
Credits
=======

Found with the help of Honggfuzz.

Originally reported by Douglas Bagnall of Catalyst and the Samba Team.

Patches provided by and advisory written by Douglas Bagnall and
Andrew Bartlett of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================



=========================================================
+ CERT-RENATER       |    tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel   |    fax : 01-53-94-20-41          +
+ 75013 Paris        |    email:cert@support.renater.fr +
=========================================================



