Bug 1892636 (CVE-2020-14383) - CVE-2020-14383 samba: An authenticated user can crash the DCE/RPC DNS with easily crafted records
Summary: CVE-2020-14383 samba: An authenticated user can crash the DCE/RPC DNS with ea...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-14383
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1892638 1892639 1892640
Blocks: 1891686
TreeView+ depends on / blocked
 
Reported: 2020-10-29 11:16 UTC by Huzaifa S. Sidhpurwala
Modified: 2021-02-16 19:00 UTC (History)
15 users (show)

Fixed In Version: samba 4.11.15, samba 4.12.9, samba 4.13.1
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Samba's DNS server. This flaw allows an authenticated user to crash the RPC server. The RPC server, which also serves protocols other than the DNS server, is restarted after a short delay, however, an authenticated non-administrative attacker can cause a crash as soon as it returns. The Samba DNS server continues to operate, but many RPC services do not. The highest threat from this vulnerability is system availability.
Clone Of:
Environment:
Last Closed: 2020-12-24 07:02:03 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2020-10-29 11:16:11 UTC
As per upstream advisory:

Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay,
but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not.

Comment 1 Huzaifa S. Sidhpurwala 2020-10-29 11:16:20 UTC
Acknowledgments:

Name: the Samba project
Upstream: Francis Brosnan Blázquez (ASPL.es)

Comment 2 Huzaifa S. Sidhpurwala 2020-10-29 11:16:26 UTC
External References:

https://www.samba.org/samba/security/CVE-2020-14383.html

Comment 3 Huzaifa S. Sidhpurwala 2020-10-29 11:16:36 UTC
Mitigation:

The dnsserver task can be stopped by setting

 'dcerpc endpoint servers = -dnsserver'

in the smb.conf and restarting Samba.

Comment 4 Huzaifa S. Sidhpurwala 2020-10-29 11:18:41 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1892640]

Comment 16 Huzaifa S. Sidhpurwala 2020-12-24 07:01:13 UTC
Statement:

This issue does not affect the version of samba as shipped with Red Hat Enterprise Linux 6, 7, 8 and Red Hat Gluster Storage 3 as it does not include support for Active Directory Domain Controller.


Note You need to log in before you can comment on or make changes to this bug.