Bug 1625449 (CVE-2018-14629)

Summary: CVE-2018-14629 samba: Unprivileged adding of CNAME record causing loop in AD LDAP server
Product: [Other] Security Response
Reporter: Sam Fowler <sfowler>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abhgupta, abokovoy, anoopcs, asn, bmcclain, dbaker, dblechte, dfediuck, eedri, gdeschner, jarrpa, jokerman, jstephen, lmohanty, madam, mgoldboi, michal.skrivanek, rhs-smb, sankarshan, sbonazzo, sbose, security-response-team, sherold, sisharma, ssaha, ssorce, sthangav, trankin, vbellur
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: samba 4.7.12, samba 4.8.7, samba 4.9.3
Doc Type: If docs needed, set a value
Doc Text:
A denial of service vulnerability was discovered in Samba's LDAP server. A CNAME loop could lead to infinite recursion in the server. An unprivileged local attacker could create such an entry, leading to denial of service.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-06-10 10:37:26 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1654078
Bug Blocks: 1625448

Description Sam Fowler 2018-09-05 00:46:03 UTC
All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any DNS record can be added via LDAP by an unprivileged user using the ldbadd tool, so this is a security issue.
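The failure mode described above is a CNAME chain that points back to itself, which an answerer that follows CNAMEs without bookkeeping will chase forever. The following is an added illustration written for this page, not Samba's DNS or LDAP code: a minimal CNAME follower over a constructed in-memory zone that rejects a chain as soon as it revisits a name or exceeds a hop limit, which is the property a server needs so that hostile records can only produce an error, not unbounded recursion. The zone contents, the `MAX_CNAME_DEPTH` value and all function names are assumptions made for the example.

```python
"""Added example: follow a CNAME chain with cycle and depth detection.

Illustrative code written for this page; it is not Samba's implementation.
The zone below is a constructed in-memory table, not real DNS data.
"""
from typing import Dict, List, Optional, Tuple

# Assumed hop limit; real resolvers pick a small bound for the same reason.
MAX_CNAME_DEPTH = 10

# Constructed sample zone: owner name -> (record type, rdata).
# One name per owner keeps the example short; a real zone holds RRsets.
SAMPLE_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.test.": ("CNAME", "web.example.test."),
    "web.example.test.": ("A", "192.0.2.10"),
    # Two-node loop: a -> b -> a
    "loop-a.example.test.": ("CNAME", "loop-b.example.test."),
    "loop-b.example.test.": ("CNAME", "loop-a.example.test."),
    # Degenerate one-node loop: the record points at its own owner
    "self.example.test.": ("CNAME", "self.example.test."),
}


class CnameLoopError(Exception):
    """Raised when a CNAME chain cycles or exceeds the hop limit."""


def resolve(
    name: str,
    zone: Dict[str, Tuple[str, str]],
    max_depth: int = MAX_CNAME_DEPTH,
) -> Tuple[Optional[str], Optional[str], List[str]]:
    """Follow CNAMEs from `name` until a non-CNAME record or NXDOMAIN.

    Returns (record_type, rdata, chain). record_type is None on NXDOMAIN.
    Raises CnameLoopError instead of recursing when a name repeats or the
    chain is longer than `max_depth` hops.
    """
    chain: List[str] = [name]
    # Case-insensitive visited set: DNS names compare case-insensitively.
    seen = {name.lower()}
    current = name
    # max_depth hops are allowed; one extra iteration resolves the final target.
    for _ in range(max_depth + 1):
        record = zone.get(current)
        if record is None:
            return None, None, chain  # NXDOMAIN, chain ends here
        rtype, rdata = record
        if rtype != "CNAME":
            return rtype, rdata, chain  # terminal record reached
        target_key = rdata.lower()
        if target_key in seen:
            raise CnameLoopError(f"CNAME loop detected: {' -> '.join(chain + [rdata])}")
        seen.add(target_key)
        chain.append(rdata)
        current = rdata
    raise CnameLoopError(f"CNAME chain exceeds {max_depth} hops: {' -> '.join(chain)}")


def is_cname_loop(name: str, zone: Dict[str, Tuple[str, str]]) -> bool:
    """Convenience check: True if resolving `name` would hit a loop or depth limit."""
    try:
        resolve(name, zone)
    except CnameLoopError:
        return True
    return False


if __name__ == "__main__":
    for owner in ("www.example.test.", "loop-a.example.test.", "self.example.test."):
        try:
            rtype, rdata, chain = resolve(owner, SAMPLE_ZONE)
            print(f"{owner}: {rtype} {rdata} via {' -> '.join(chain)}")
        except CnameLoopError as exc:
            print(f"{owner}: rejected ({exc})")
```

The visited set catches both the two-node and the self-referential loop on the first repeated name; the hop limit is the second line of defence for long non-cyclic chains, and for records that change between lookups. In an LDAP-backed DNS store the same check belongs at the point where a CNAME is followed, so that the ability to add a record never becomes the ability to stall the server.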

Comment 1 Sam Fowler 2018-09-05 00:46:05 UTC
Acknowledgments:

Name: Andrew Bartlett (Catalyst and Samba Team)
Upstream: Florian Stülpner (HiperScan)

Comment 2 Doran Moppert 2018-09-05 04:17:04 UTC
Upstream bug:

https://bugzilla.samba.org/show_bug.cgi?id=13600

Comment 3 Doran Moppert 2018-09-05 04:17:14 UTC
Statement:

Samba 4 packages distributed with Red Hat Enterprise Linux are built without the AD DC functionality, where this flaw is present.  These packages are not affected by this vulnerability.

Comment 4 Sam Fowler 2018-11-28 01:51:03 UTC
External Reference:

https://www.samba.org/samba/security/CVE-2018-14629.html

Comment 5 Sam Fowler 2018-11-28 01:51:37 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1654078]