Allele Security Alert
ASA-2019-00364
Identifier(s)
ASA-2019-00364, CVE-2019-12436
Title
A user with read access to the directory can cause a NULL pointer dereference using the paged search control
Vendor(s)
The Samba Project
Product(s)
Samba
Affected version(s)
All versions of Samba since 4.10.0 and before 4.10.5
Fixed version(s)
Samba 4.10.5
Proof of concept
Unknown
Description
A user with read access to the LDAP server can crash the LDAP server process. Depending on the Samba version and the choice of process model, this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per connected client, site-specific configuration can change this.
Samba 4.10 also supports the ‘prefork’ process model and, by using the -M option to ‘samba’, a ‘single’ process model. Both of these share one process between multiple clients.
Technical details
Under Samba 4.10.2 in AD DC mode, if you define the homes share, and then connect to \\servername\homes ([homes] itself, not a user’s home directory), Samba will perform a nasty Segfault. It refuses to let you connect to any more shares.
The shares of individual users DO work (\\servername\username), but can allow users other than the intended user to connect to them.
Example:
smbclient -d 3 //dc-server.domain.com/user1 -U user1
With the correct password, this succeeds and the user can access the user’s own files.
smbclient -d 3 //dc-server.domain.com/user2 -U user1
With the correct password, this succeeds and user1 can access user2’s files so long as permissions allow it.
smbclient -d 3 //dc-server.domain.com/homes -U user1
Causes crash, Samba Server stops responding to requests completely.
One thing, when connected for a share list, only //dc-server.domain.com/homes is in the visible share list.
Workaround
Return to the default configuration by running ‘samba’ with -M standard. This may consume more memory, and it would not address the \\DC\homes issue.
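An added example, not part of the original alert or of Samba's own tooling: it classifies a host from its Samba version string and the process model given to ‘samba’ with -M, using the affected range and the process models named in the Description and Workaround. The function names, output labels and sample inventory are assumptions made for this example.

```shell
#!/bin/sh
# Added example: triage exposure to CVE-2019-12436 from a Samba version
# string and the process model given to 'samba -M'.
# Affected range per the alert: since 4.10.0 and before 4.10.5.

# Returns 0 if affected, 1 if not, 2 if the version cannot be parsed.
is_affected_version() {
    # Pull the first X.Y.Z triple out of strings such as "4.10.4" or
    # "Version 4.10.2-Debian" (constructed sample formats).
    ver=$(printf '%s\n' "$1" |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\)\.\([0-9][0-9]*\).*$/\1 \2 \3/p')
    [ -n "$ver" ] || return 2
    set -- $ver
    [ "$1" -eq 4 ] && [ "$2" -eq 10 ] && [ "$3" -lt 5 ]
}

# Prints one label (hypothetical names) for a version and process model.
# The model defaults to 'standard', the default named in the alert.
triage() {
    version=$1
    model=${2:-standard}
    rc=0
    is_affected_version "$version" || rc=$?
    case $rc in
        1) echo "not-affected"; return 0 ;;
        2) echo "unknown-version"; return 0 ;;
    esac
    case $model in
        # One process per client: a crash may hit only that connection.
        # -M standard does not address the \\DC\homes issue.
        standard) echo "affected:per-connection" ;;
        # One process shared between multiple clients: wider impact.
        prefork|single) echo "affected:shared-process" ;;
        *) echo "affected:unknown-model" ;;
    esac
}

# Constructed sample inventory: "version|process model".
for entry in "4.10.4|prefork" "Version 4.10.2-Debian|standard" "4.10.5|single"; do
    printf '%s -> %s\n' "$entry" "$(triage "${entry%%|*}" "${entry##*|}")"
done
```

Hosts reported as affected in either mode still need the upgrade to Samba 4.10.5; the process model only changes how many clients a crash can take down.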
Credits
Zombie Ryushu
Reference(s)
Samba AD DC LDAP server crash (paged searches)
https://www.samba.org/samba/security/CVE-2019-12436.html
[Announce] Samba 4.10.5 and 4.9.9 Security Releases Available
https://lists.samba.org/archive/samba-announce/2019/000481.html
samba-4.10.4-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
https://github.com/samba-team/samba/commit/c48920093da7f5f6cbbca42d516b86b9cf51eea6
Bug 13951 – (CVE-2019-12436) CVE-2019-12436 [SECURITY] paged_searches crash on LDAP and [homes] access
https://bugzilla.samba.org/show_bug.cgi?id=13951
CVE-2019-12436
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12436
CVE-2019-12436
https://nvd.nist.gov/vuln/detail/CVE-2019-12436
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 31, 2019