Samba from version 4.3.0 and before versions 4.7.12, 4.8.7 and 4.9.3 are vulnerable to a denial of service. When configured to accept smart-card authentication, Sambas KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is robust against further corruption from a double-free with talloc_free() and directly calls abort(), terminating the KDC process.
The product calls free() twice on the same memory address, potentially leading to modification of unexpected memory locations.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Samba | Samba | 4.3.0 (including) | 4.7.12 (excluding) |
| Samba | Samba | 4.8.0 (including) | 4.8.7 (excluding) |
| Samba | Samba | 4.9.0 (including) | 4.9.3 (excluding) |
| Samba | Ubuntu | bionic | * |
| Samba | Ubuntu | cosmic | * |
| Samba | Ubuntu | devel | * |
| Samba | Ubuntu | trusty | * |
| Samba | Ubuntu | upstream | * |
| Samba | Ubuntu | xenial | * |