Bug 1101988 (CVE-2014-0239)

Summary: CVE-2014-0239 samba: potential DoS in the internal DNS server
Product: [Other] Security Response Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: abokovoy, asn, gdeschner, sbose, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.0.18 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-05-29 06:29:50 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1102108    

Description Vasyl Kaigorodov 2014-05-28 10:03:53 UTC 
It was reported [1] that Samba versions 4.0.0 and above have a flaw in DNS protocol handling in the internal DNS server. The server will not check the "reply" flag in the DNS packet header when processing a request. That makes it vulnerable to reply to a spoofed reply packet with another reply. Two affected servers could thus DOS each other

[1]: http://www.samba.org/samba/security/CVE-2014-0239

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba version 4.0.18 includes a patch for this issue.

To workaround this issue, use the BIND_DLZ DNS backend.
Comment 1 Vasyl Kaigorodov 2014-05-28 10:05:38 UTC 
Additional info:

The internal DNS server in Samba 4.x before 4.0.18 does not check the
QR field in the header section of an incoming DNS message before
sending a response, which allows remote attackers to cause a denial of
service (CPU and bandwidth consumption) via a forged response packet
that triggers a communication loop, a related issue to CVE-1999-0103.
Comment 2 Alexander Bokovoy 2014-05-28 10:20:28 UTC 
Please note that there are no versions of Samba in Fedora or RHEL 6 (or RHEL 7 Release candidate) that allow to utilize internal DNS server in Samba 4. The default build is not supporting Samba AD DC functionality which is where the issue is.
Comment 3 Tomas Hoger 2014-05-28 11:04:40 UTC 
Upstream commit:
http://git.samba.org/?p=samba.git;a=commitdiff;h=392ec4d241eb19c812cd49ff73bd32b2b09d8533
Comment 4 Vasyl Kaigorodov 2014-05-28 14:01:15 UTC 
External References:

http://www.samba.org/samba/security/CVE-2014-0239
Comment 5 Huzaifa S. Sidhpurwala 2014-05-29 06:28:42 UTC 
Statement:

Not vulnerable. This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of samba3x as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of samba4 as shipped with Red Hat Enterprise Linux 6.
Comment 6 Huzaifa S. Sidhpurwala 2014-05-29 06:29:50 UTC 
This issue does not affect the version of samba as shipped with Fedora 19 and Fedora 20.