Red Hat Bugzilla – Bug 1101988
CVE-2014-0239 samba: potential DoS in the internal DNS server
Last modified: 2015-07-31 03:20:56 EDT
It was reported [1] that Samba versions 4.0.0 and above have a flaw in DNS protocol handling in the internal DNS server. The server will not check the "reply" flag in the DNS packet header when processing a request. That makes it vulnerable to reply to a spoofed reply packet with another reply. Two affected servers could thus DOS each other [1]: http://www.samba.org/samba/security/CVE-2014-0239 Patches addressing this issue have been posted to: http://www.samba.org/samba/security/ Samba version 4.0.18 includes a patch for this issue. To workaround this issue, use the BIND_DLZ DNS backend.
Additional info: The internal DNS server in Samba 4.x before 4.0.18 does not check the QR field in the header section of an incoming DNS message before sending a response, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged response packet that triggers a communication loop, a related issue to CVE-1999-0103.
Please note that there are no versions of Samba in Fedora or RHEL 6 (or RHEL 7 Release candidate) that allow to utilize internal DNS server in Samba 4. The default build is not supporting Samba AD DC functionality which is where the issue is.
Upstream commit: http://git.samba.org/?p=samba.git;a=commitdiff;h=392ec4d241eb19c812cd49ff73bd32b2b09d8533
External References: http://www.samba.org/samba/security/CVE-2014-0239
Statement: Not vulnerable. This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 5 and 6. This issue does not affect the version of samba3x as shipped with Red Hat Enterprise Linux 5. This issue does not affect the version of samba4 as shipped with Red Hat Enterprise Linux 6.
This issue does not affect the version of samba as shipped with Fedora 19 and Fedora 20.