Bug 1778586 (CVE-2019-14861)

Summary: CVE-2019-14861 samba: An authenticated user can crash the DCE/RPC DNS management server by creating records with matching the zone name
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, anoopcs, asn, gdeschner, hvyas, iboukris, iboukris, jrivera, jstephen, lmohanty, madam, puebele, rhs-smb, sbose, security-response-team, sisharma, ssorce, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.11.3, samba 4.10.11, samba 4.9.17 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-17 02:09:23 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 1781542    
Bug Blocks: 1778587    

Description Huzaifa S. Sidhpurwala 2019-12-02 05:28:11 UTC
As per upstream advisory:

The (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones.

Samba, when acting as an AD DC, stores DNS records in LDAP.

In AD, the default permissions on the DNS partition allow creation of new records by authenticated users.  This is used for example to allow machines to self-register in DNS.

If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.

Comment 1 Huzaifa S. Sidhpurwala 2019-12-02 05:28:16 UTC
Acknowledgments:

Name: the Samba project
Upstream: Andreas Oster

Comment 2 Huzaifa S. Sidhpurwala 2019-12-02 05:29:22 UTC
Mitigation:

The dnsserver task can be stopped by setting 
~~~
 'dcerpc endpoint servers = -dnsserver'
~~~
in the smb.conf and restarting Samba.

Comment 3 Huzaifa S. Sidhpurwala 2019-12-02 15:28:42 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.

Comment 4 Huzaifa S. Sidhpurwala 2019-12-10 09:02:27 UTC
External References:

https://www.samba.org/samba/security/CVE-2019-14861.html

Comment 5 Huzaifa S. Sidhpurwala 2019-12-10 09:03:01 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1781542]

Comment 6 Product Security DevOps Team 2019-12-17 02:09:23 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14861