==================================================================== CERT-Renater Note d'Information No. 2019/VULN394 _____________________________________________________________________ DATE : 10/12/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S):Systems running Samba version. ===================================================================== https://www.samba.org/samba/security/CVE-2019-14861.html https://www.samba.org/samba/security/CVE-2019-14870.html _____________________________________________________________________ CVE-2019-14861.html =========================================================== == Subject: Samba AD DC zone-named record Denial of == Service in DNS management server (dnsserver) == == CVE ID#: CVE-2019-14861 == == Versions: All Samba versions since Samba 4.0 == == Summary: An authenticated user can crash the DCE/RPC DNS == management server by creating records with matching == the zone name =========================================================== =========== Description =========== The (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (5.3) ========== Workaround ========== The dnsserver task can be stopped by setting 'dcerpc endpoint servers = -dnsserver' in the smb.conf and restarting Samba. ======= Credits ======= Originally reported by Andreas Oster. Patches provided by Andrew Bartlett of the Samba Team and Catalyst. Advisory written by Andrew Bartlett of the Samba Team and Catalyst. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== _____________________________________________________________________ CVE-2019-14870.html =========================================================== == Subject: DelegationNotAllowed not being enforced == in protocol transition on Samba AD DC. == == CVE ID#: CVE-2019-14870 == == Versions: All Samba versions since Samba 4.0 == == Summary: The DelegationNotAllowed Kerberos feature restriction == was not being applied when processing protocol == transition requests (S4U2Self), in the AD DC KDC. =========================================================== =========== Description =========== The S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set. Note: while the experimental MIT AD-DC build does not support S4U, it should still be patched due to a related bug in regular authentication. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N ========================= Workaround and mitigation ========================= Only clients configured directly in LDAP or via a Windows tools could have been marked as sensitive and so have been expected to have this protection. Therefore most Samba sites will not have been using this feature and so are not impacted either way. ======= Credits ======= Originally reported by Isaac Boukris of Red Hat and the Samba Team. Patches provided by Isaac Boukris of Red Hat and the Samba Team. Advisory written by Andrew Bartlett of Catalyst and Isaac Boukris of Red Hat and the Samba Team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================