===========================================================
== Subject:     Remote memory read in Samba LDAP server.
==
== CVE ID#:     CVE-2015-5330
==
== Versions:    Samba 4.0.0 to 4.3.2
==
== Summary:     Malicious request can cause Samba LDAP server
==              to return uninitialized memory that should not
==              be part of the reply.
==
===========================================================

===========
Description
===========

All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb
versions up to 1.1.23 inclusive) are vulnerable to a remote memory read
attack in the samba daemon LDAP server.

A malicious client can send packets that cause the LDAP server in the
samba daemon process to return heap memory beyond the length of the
requested value.

This memory may contain data that the client should not be allowed to
see, allowing compromise of the server.

The memory may either be returned to the client in an error string, or
stored in the database by a suitably privileged user. If untrusted
users can create objects in your database, please confirm that all DN
and name attributes are reasonable. (A script to assist in this search
will be put in the wiki or bugzilla).

==================
Patch Availability
==================

Patches addressing this defect have been posted to

  https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 (resp. ldb 1.1.24) have been
issued as security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This problem was found by Douglas Bagnall
<douglas.bagnall@catalyst.net.nz> of Catalyst (www.catalyst.net.nz),
who also provided the fix.
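
The check requested in the Description (that DN and name attributes stored in
the database are reasonable) can be approximated over an LDIF export of the
database. The following is an added example, not the script the Samba project
refers to; the attribute list and the definition of "unreasonable" (bytes that
are not valid UTF-8, or control/unassigned characters) are assumptions.

```python
import base64
import unicodedata

# Assumption: which attributes count as "DN and name attributes" is this example's choice.
NAME_ATTRS = {"dn", "name", "cn", "ou", "samaccountname", "displayname"}

def suspicious(value: bytes):
    """Return a reason if the bytes do not look like a directory name, else None."""
    try:
        text = value.decode("utf-8")
    except UnicodeDecodeError:
        return "not valid UTF-8"
    for ch in text:
        if unicodedata.category(ch) in ("Cc", "Cn"):
            return "control or unassigned character U+%04X" % ord(ch)
    return None

def scan_ldif(ldif_text: str):
    """Return [(entry_dn, attribute, reason)] for flagged DN/name values."""
    lines = []
    for raw in ldif_text.split("\n"):
        raw = raw.rstrip("\r")
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF continuation line
        else:
            lines.append(raw)
    findings, entry_dn = [], None
    for line in lines:
        attr, sep, rest = line.partition(":")
        if not sep or line.startswith("#") or attr.lower() not in NAME_ATTRS:
            continue
        if rest.startswith(":"):          # "attr:: <base64>" carries raw bytes
            try:
                value = base64.b64decode(rest[1:].strip(), validate=True)
            except ValueError:
                findings.append((entry_dn, attr, "malformed base64"))
                continue
        else:
            value = rest.strip().encode("utf-8")
        if attr.lower() == "dn":
            entry_dn = value.decode("utf-8", "replace")
        reason = suspicious(value)
        if reason:
            findings.append((entry_dn, attr, reason))
    return findings

# Constructed sample: the second entry's cn holds bytes that are not a name.
_BAD = base64.b64encode(b"user1\x00\x7f\xfe\xa0heap").decode()
SAMPLE = ("dn: CN=alice,CN=Users,DC=example,DC=com\ncn: alice\n\n"
          "dn: CN=user1,CN=Users,DC=example,DC=com\ncn:: " + _BAD + "\n")

if __name__ == "__main__":
    for finding in scan_ldif(SAMPLE):
        print(finding)
```

A flagged value is a candidate for manual review, not proof that leaked memory
was stored; legitimate non-ASCII names pass the check.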