CVE Vulnerabilities

CVE-2018-16841

Use After Free

Published: Nov 28, 2018 | Modified: Nov 21, 2024
CVSS 3.x
6.5
MEDIUM
Source:
NVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CVSS 2.x
4 MEDIUM
AV:N/AC:L/Au:S/C:N/I:N/A:P
RedHat/V2
RedHat/V3
5.7 MODERATE
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H
Ubuntu
MEDIUM

Samba from version 4.3.0 and before versions 4.7.12, 4.8.7 and 4.9.3 are vulnerable to a denial of service. When configured to accept smart-card authentication, Sambas KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process.

Weakness

The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory “belongs” to the code that operates on the new pointer.

Affected Software

Name Vendor Start Version End Version
Samba Samba 4.3.0 (including) 4.7.12 (excluding)
Samba Samba 4.8.0 (including) 4.8.7 (excluding)
Samba Samba 4.9.0 (including) 4.9.3 (excluding)
Samba Ubuntu bionic *
Samba Ubuntu cosmic *
Samba Ubuntu devel *
Samba Ubuntu esm-infra-legacy/trusty *
Samba Ubuntu esm-infra/bionic *
Samba Ubuntu esm-infra/xenial *
Samba Ubuntu trusty *
Samba Ubuntu trusty/esm *
Samba Ubuntu upstream *
Samba Ubuntu xenial *

Potential Mitigations

References