1851298 – (CVE-2020-14303) CVE-2020-14303 samba: Empty UDP packet DoS in Samba AD DC nbtd

Bug 1851298 (CVE-2020-14303) - CVE-2020-14303 samba: Empty UDP packet DoS in Samba AD DC nbtd

Summary: CVE-2020-14303 samba: Empty UDP packet DoS in Samba AD DC nbtd

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2020-14303
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1853259
Blocks:	1849490
TreeView+	depends on / blocked

Reported:	2020-06-26 04:44 UTC by Huzaifa S. Sidhpurwala
Modified:	2021-02-16 19:45 UTC (History)
CC List:	17 users (show)
Fixed In Version:	samba 4.10.17, samba 4.11.11, samba 4.12.4
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the AD DC NBT server in Samba. A samba user could send empty UDP packet to cause the samba server to crash.
Clone Of:
Environment:
Last Closed:	2020-07-02 09:38:06 UTC
Embargoed:

Attachments	(Terms of Use)

Description Huzaifa S. Sidhpurwala 2020-06-26 04:44:42 UTC

As per upstream advisory:

The NetBIOS over TCP/IP name resolution protocol is implemented as a UDP datagram on port 137.

The AD DC client and server-side processing code for NBT name resolution will enter a tight loop if a UDP packet with 0 data length is received.  The client for this case is only found in the AD DC side of the codebase, not that used by the the member server or file server.

Comment 1 Huzaifa S. Sidhpurwala 2020-06-26 04:44:46 UTC

Acknowledgments:

Name: the Samba project
Upstream: Martin von Wittich (IServ GmbH), Wilko Meyer (IServ GmbH)

Comment 2 Huzaifa S. Sidhpurwala 2020-06-26 04:46:01 UTC

Mitigation:

The NetBIOS over TCP/IP name resolution protocol is implemented as a UDP datagram on port 137.

The AD DC client and server-side processing code for NBT name resolution will enter a tight loop if a UDP packet with 0 data length is received.  The client for this case is only found in the AD DC side of the codebase, not that used by the the member server or file server.

Comment 3 Huzaifa S. Sidhpurwala 2020-07-02 09:35:41 UTC

External References:

https://www.samba.org/samba/security/CVE-2020-14303.html

Comment 4 Huzaifa S. Sidhpurwala 2020-07-02 09:37:12 UTC

Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1853259]

Comment 5 Hardik Vyas 2020-07-02 11:52:28 UTC

Upstream patch: https://github.com/samba-team/samba/commit/3cc0f1eeda5f133532dda31eef9fc1b394127e50

Comment 6 Hardik Vyas 2020-07-02 11:52:38 UTC

Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage 3 because there is no support for samba as Active Directory Domain Controller.

Note You need to log in before you can comment on or make changes to this bug.