A security issue has been found in Samba before version 4.14.2. A string in an LDAP attribute that contains multiple consecutive leading spaces can lead to a memmove() of out of bounds memory in ldb_handler_fold(). ldb_handler_fold() is used by case insensitive strings - that is most string attributes - in Active Directory. As the search expression is normalised prior to matching any potential objects this in turn may crash the LDAP server process handling the request. It may be possible to leak the out of bounds memory by matching against it, but this is thought to be unlikely.
A security issue has been found in Samba before version 4.14.2. A string in an LDAP attribute that contains multiple consecutive leading spaces can lead to a memmove() of out of bounds memory in ldb_handler_fold(). ldb_handler_fold() is used by case insensitive strings - that is most string attributes - in Active Directory. As the search expression is normalised prior to matching any potential objects this in turn may crash the LDAP server process handling the request. It may be possible to leak the out of bounds memory by matching against it, but this is thought to be unlikely.
https://www.samba.org/samba/security/CVE-2021-20277.html https://bugzilla.samba.org/show_bug.cgi?id=14655 https://www.samba.org/samba/ftp/patches/security/samba-4.14.0-security-2021-03-24.patch https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=1d966cb12e7882f9cfb230195e4eff3de0f4e135 https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=50e44877c3df8098658bd4b1fdad25b8aaadf6f3 https://git.samba.org/samba.git/?p=samba.git;a=commitdiff;h=fab6b79b7724f0b636963be528483e3e946884aa
Workaround ========== To disable the LDAP server set 'server services = -ldap' in the smb.conf and restart Samba. This will substantially reduce the utility of the AD DC.