Allele Security Alert
A user with read access to the directory can cause a NULL pointer dereference using the paged search control
The Samba Project
All versions of Samba since 4.10.0 and before 4.10.5
Proof of concept
A user with read access to the LDAP server can crash the LDAP server process. Depending on the Samba version and the choice of process model, this may crash only the user’s own connection.
Specifically, while in Samba 4.10 the default is for one process per connected client, site-specific configuration can change this.
Samba 4.10 also supports the ‘prefork’ process model and, via the -M option to ‘samba’, a ‘single’ process model. Both of these share one process between multiple clients.
Under Samba 4.10.2 in AD DC mode, if you define the homes share, and then connect to \\servername\homes ([homes] itself, not a user’s home directory), Samba will perform a nasty Segfault. It refuses to let you connect to any more shares.
The shares of individual users DO work \\servername\username, but can allow users other than the intended user to connect to it.
smbclient -d 3 //dc-server.domain.com/user1 -U user1
With the correct password succeeds and user can access users own files.
smbclient -d 3 //dc-server.domain.com/user2 -U user1
With the correct password succeeds and user1 can access user2’s files so long as permissions allow it.
smbclient -d 3 //dc-server.domain.com/homes -U user1
Causes a crash; the Samba server stops responding to requests completely.
One thing, when connected for a share list, only //dc-server.domain.com/homes is in the visible share list.
Return to the default configuration by running ‘samba’ with -M standard; however, this may consume more memory and would not address the \\DC\homes issue.
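An added configuration review, not code from Samba or from this alert, that turns the conditions above into a check an administrator can run offline: it parses an smb.conf (a constructed sample is embedded), compares the version string printed by ‘samba -V’ against the affected range, and records the process model the server was started with (the -M value, assumed to be supplied by the operator since it is a command-line option rather than an smb.conf key).

```python
import configparser
import re

AFFECTED_MIN = (4, 10, 0)   # range stated in the alert: 4.10.0 <= v < 4.10.5
FIXED_IN = (4, 10, 5)

# Constructed sample smb.conf: an AD DC that also defines the [homes] share.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller

[homes]
    path = /home/%S
    read only = no
"""

def parse_samba_version(text):
    """Return (major, minor, patch) from 'samba -V' output such as
    'Version 4.10.2-Debian'; any vendor suffix is ignored."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(g) for g in m.groups())

def is_affected_version(version):
    return AFFECTED_MIN <= version < FIXED_IN

def assess(smb_conf_text, version_text, process_model="standard"):
    """Combine the conditions the alert names: affected version, AD DC role
    with a [homes] share, and the process model passed to 'samba -M'."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), empty_lines_in_values=False,
                                   inline_comment_prefixes=("#", ";"))
    cp.read_string(smb_conf_text)
    role = cp.get("global", "server role", fallback="").strip().lower()
    is_ad_dc = role in ("active directory domain controller", "dc")
    has_homes = any(s.strip().lower() == "homes" for s in cp.sections())
    affected = is_affected_version(parse_samba_version(version_text))
    return {
        "affected_version": affected,
        # [homes] on an affected AD DC is the \\server\homes crash path above.
        "homes_share_exposed": affected and is_ad_dc and has_homes,
        # Default model: one process per client, so the LDAP crash only drops
        # the caller's own connection; 'prefork' and 'single' share one process.
        "ldap_crash_scope": "own connection" if process_model == "standard"
                            else "shared process",
    }
```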
Samba AD DC LDAP server crash (paged searches)
[Announce] Samba 4.10.5 and 4.9.9 Security Releases Available
CVE-2019-12436 dsdb/paged_results: ignore successful results without messages
Bug 13951 – (CVE-2019-12436) CVE-2019-12436 [SECURITY] paged_searches crash on LDAP and [homes] access
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: October 31, 2019