Samba 4.9.x versions before 4.9.18 Use After Free Vulnerability

Summary

Samba 4.9 introduced an off-by-default feature to tombstone dynamically created DNS records that had reached their expiry time. This feature is controlled by the smb.conf option:  dns zone scavenging = yes There is a use-after-free issue in this code, essentially due to a call to realloc() while other local variables still point at the original buffer. The use is a read, but in quite unlikely conditions (due to NDR validation unpacking the buffer) that read memory might be saved back into the DB.

Credit:

The information has been provided by Christian Naumer

The original article can be found at:https://www.samba.org/samba/security/CVE-2019-19344.html


Details

There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while other local variables still point at the original buffer.

 

Vulnerable Systems:

Samba 4.9.x versions before 4.9.18

Samba 4.10.x versions before 4.10.12

Samba 4.11.x versions before 4.11.5

 

CVE Information:

CVE-2019-19344

 

Disclosure Timeline:
Published Date:1/21/2020

Categories: FeaturedNews