Allele Security Alert
ASA-2018-00057
Identifier(s)
ASA-2018-00057, CVE-2018-16841
Title
Double-free in Samba AD DC KDC with PKINIT
Vendor(s)
Samba
Product(s)
Samba
Affected version(s)
All versions of Samba from 4.3.0 onwards
Fixed version(s)
Samba 4.7.12, 4.8.7 and 4.9.3
Proof of concept
Unknown
Description
When configured to accept smart-card authentication, Samba's KDC calls talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ.
This is only reachable after authentication with a trusted certificate, since the certificate signature must validate before the principal comparison takes place.
talloc detects the second talloc_free() on the same memory and, rather than allowing further corruption, calls abort() directly, terminating the KDC process.
Technical details
Unknown
Credits
Alex MacCuish
Reference(s)
Double-free in Samba AD DC KDC with PKINIT
https://www.samba.org/samba/security/CVE-2018-16841.html
[Announce] Samba 4.9.3, 4.8.7 and 4.7.12 Security Releases Available
https://lists.samba.org/archive/samba-announce/2018/000462.html
CVE-2018-16841 heimdal: Fix segfault on PKINIT with mis-matching principal
https://github.com/samba-team/samba/commit/b6e9c4b8bbd63fbf29f576d98ee7ff1154a90565
CVE-2018-16841 selftest: Check for mismatching principal in certificate
https://github.com/samba-team/samba/commit/c835e27a998fa6bfb49a48581c65224c4c02880e
CVE-2018-16841
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16841
CVE-2018-16841
https://nvd.nist.gov/vuln/detail/CVE-2018-16841
If there is any error in this alert, or you would like a comprehensive analysis, let us know.
Last modified: December 4, 2018