Bug 2241884 (CVE-2023-42669)

Summary: CVE-2023-42669 samba: "rpcecho" development server allows denial of service via sleep() call on AD DC
Product: [Other] Security Response Reporter: TEJ RATHI <trathi>
Component: vulnerabilityAssignee: Product Security <prodsec-ir-bot>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: nobody, pfilipen, rhs-smb, security-response-team, stefano.biagiotti
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.19.1, samba 4.18.8, samba 4.17.12 Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2241916, 2243229    
Bug Blocks: 2228383    

Description TEJ RATHI 2023-10-03 07:34:37 UTC 
Calls to the rpcecho server on the AD DC can request that the server block for a user-defined amount of time, denying service. One RPC function provided by "rpcecho" can block, essentially indefinitely, and because the "rpcecho" service is provided from the main RPC task, which has only one worker, this denies essentially all service on the AD DC.

https://bugzilla.samba.org/show_bug.cgi?id=15474
Comment 2 TEJ RATHI 2023-10-11 10:43:33 UTC 
This CVE is now Public:
https://www.samba.org/samba/security/CVE-2023-42669.html
Comment 3 TEJ RATHI 2023-10-11 10:46:02 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2243229]
Comment 4 errata-xmlrpc 2023-10-31 10:05:14 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Extended Update Support

Via RHSA-2023:6209 https://access.redhat.com/errata/RHSA-2023:6209
Comment 5 errata-xmlrpc 2023-11-07 10:08:16 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6744 https://access.redhat.com/errata/RHSA-2023:6744
Comment 6 errata-xmlrpc 2023-11-21 11:17:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Extended Update Support

Via RHSA-2023:7371 https://access.redhat.com/errata/RHSA-2023:7371
Comment 7 errata-xmlrpc 2023-11-21 11:42:38 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2023:7408 https://access.redhat.com/errata/RHSA-2023:7408
Comment 8 errata-xmlrpc 2023-11-22 17:27:15 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2023:7464 https://access.redhat.com/errata/RHSA-2023:7464
Comment 9 errata-xmlrpc 2023-11-22 17:29:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:7467 https://access.redhat.com/errata/RHSA-2023:7467