Samba AD DC LDAP server crash (paged searches)

Description

A user with read access to the LDAP server can crash the LDAP
server process. Depending on the Samba version and the choice
of process model, this may crash only the user’s own connection.

Specifically, while in Samba 4.10 the default is for one process per
connected client, site-specific configuration trigger can change
this.

Samba 4.10 also supports the ‘prefork’ process model and by
using the -M option to ‘samba’ and a ‘single’ process model.
Both of these share on process between multiple clients.

NOTE WELL: the original report on this issue to the Samba Team
suggested a correlation between this NULL pointer dereference with
access to the \DC\homes share on an AD DC, including a persistent
service failure. The Samba Team has been unable to corroborate this
failure mode, and has instead focused on addressing the original
issue.

Patch Availability

Patches addressing both these issues have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 4.10.5 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.

CVSSv3 calculation

CVSS:3.0/CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

Workaround

Return to the default configuration by running ‘samba’ with -M
standard, however this may consume more memory and would not address
the \DC\homes issue.

Credits

Originally reported by Zombie Ryushu.

Patches provided by Douglas Bagnall of Catalyst and the Samba team.
Advisory written by Andrew Bartlett of Catalyst and the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team