== Subject:     Samba AD users can induce a use-after-free in the
==              server process with an LDAP add or modify request.
== CVE ID#:     CVE-2022-32746
== Versions:    All versions of Samba prior to 4.16.4
== Summary:     The AD DC database audit logging module can be made to
==              access LDAP message values that have been freed by a
==              preceding database module, resulting in a use-after-
==              free. This is only possible when modifying certain
==              privileged attributes, such as userAccountControl.


Some database modules make a shallow copy of an LDAP add/modify
message so they can make modifications to its elements without
affecting the original message. Each element in a message points to an
array of values, and these arrays are shared between the original
message and the copy.

The issue arises when a database module adds new values to an existing
array. A call to realloc() increases the array's size to accommodate
new elements, but at the same time, frees the old array. This leaves
the original message element with a dangling pointer to a now-freed
array. When the database audit logging module subsequently logs the
details of the original message, it will access this freed data,
generally resulting in corrupted log output or a crash.
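As an added illustration (not code from this advisory or from Samba), the shared-array pattern above in a few lines of C: the vulnerable in-place realloc() of a values array shared with a shallow copy, beside a copy-on-write variant that leaves the original's array untouched. The struct and function names are simplified stand-ins and not Samba's ldb types.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed stand-ins for ldb_val / ldb_message_element (not Samba's). */
struct val { const char *data; };
struct element { const char *name; unsigned num_values; struct val *values; };

/* Vulnerable pattern: grow the shared array with realloc(). The original
   element keeps the pointer passed to realloc(), invalid from then on. */
static int add_value_in_place(struct element *e, const char *v) {
    struct val *nv = realloc(e->values, (e->num_values + 1) * sizeof *nv);
    if (nv == NULL) return -1;
    nv[e->num_values++].data = v;
    e->values = nv;
    return 0;
}

/* Fixed pattern: give the copy its own array before extending it, so the
   original's block is never reallocated or freed underneath it. */
static int add_value_copy_on_write(struct element *e, const char *v) {
    struct val *nv = malloc((e->num_values + 1) * sizeof *nv);
    if (nv == NULL) return -1;
    memcpy(nv, e->values, e->num_values * sizeof *nv);
    nv[e->num_values++].data = v;
    e->values = nv;
    return 0;
}

/* Simulates a module extending a shallow copy of a userAccountControl
   element, then the audit logger looking at the original. Returns 1 when
   the original is left pointing at a stale block, 0 when it stays valid. */
static int original_dangles(int fixed) {
    struct val *arr = malloc(sizeof *arr);
    arr[0].data = "512";
    struct element orig = { "userAccountControl", 1, arr };
    struct element copy = orig;        /* shallow copy: values array shared */
    int dangling;
    if (fixed) {
        add_value_copy_on_write(&copy, "514");
        dangling = !(orig.values == arr && copy.values != arr &&
                     strcmp(orig.values[0].data, "512") == 0);  /* safe read */
        free(arr);                     /* original still owns its array */
    } else {
        add_value_in_place(&copy, "514");
        dangling = (orig.values == arr);  /* arr went to realloc(): stale */
    }
    free(copy.values);
    return dangling;
}
```

The vulnerable branch deliberately never reads through orig.values after the realloc(); it only reports that the original still holds the pointer that was handed to realloc(), which is exactly the state the audit logging module later dereferences.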

The code paths susceptible to this issue are reachable when certain
specific attributes, such as userAccountControl, are added or
modified. These attributes are not editable by default without having
a privilege assigned, such as Write Property.

Patch Availability

Patches addressing this issue have been posted to:

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)


Disabling AD DC database audit logging prevents the use-after-free
from occurring, as that is the only component that will access the
original message.


Initial report, patches, and this advisory by Joseph Sutton and Andrew
Bartlett of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team