====================================================================
CERT-Renater Information Note No. 2020/VULN383
_____________________________________________________________________
DATE : 09/07/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Samba versions prior to 4.10.17,
4.11.11, 4.12.4.
=====================================================================
https://www.samba.org/samba/security/CVE-2020-14303.html
https://www.samba.org/samba/security/CVE-2020-10760.html
https://www.samba.org/samba/security/CVE-2020-10745.html
https://www.samba.org/samba/security/CVE-2020-10730.html
_____________________________________________________________________

CVE-2020-14303.html

===========================================================
== Subject:     Empty UDP packet DoS in Samba AD DC nbtd
==
== CVE ID#:     CVE-2020-14303
==
== Versions:    All Samba versions since Samba 4.0.0
==
== Summary:     The AD DC NBT server in Samba 4.0 will enter a
==              CPU spin and not process further requests
==              once it receives an empty (zero-length) UDP
==              packet to port 137.
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is implemented as a
UDP datagram on port 137.

The AD DC client and server-side processing code for NBT name
resolution will enter a tight loop if a UDP packet with 0 data length
is received.

The client for this case is only found in the AD DC side of the
codebase, not that used by the member server or file server.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.
==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

=========================
Workaround and mitigation
=========================

The NBT server (UDP port 137) is provided by nmbd in the file-server
configuration, which is not impacted by this issue.

In the AD DC, the NBT server can be disabled with 'disable netbios = yes'.

=======
Credits
=======

Originally reported by Martin von Wittich and Wilko Meyer of IServ GmbH.

Patches provided by Gary Lockyer of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
________________________________________________________________

CVE-2020-10760.html

===========================================================
== Subject:     LDAP Use-after-free in Samba AD DC Global Catalog
==              with paged_results and VLV
==
== CVE ID#:     CVE-2020-10760
==
== Versions:    All versions of Samba since Samba 4.5.0
==
== Summary:     The use of the paged_results or VLV controls against
==              the Global Catalog LDAP server on the AD DC will cause
==              a use-after-free.
===========================================================

===========
Description
===========

Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10
and later reimplemented the paged_results control using similar code.

This code is more memory-efficient, storing only a pointer to the
object, not the returned object. However, this means parts of the
original request must be retained.

When these controls are used by a client that connects to the Global
Catalog server, these modules failed to correctly retain the control
data along with the request, causing a use-after-free and an abort
when this is detected by the talloc library.
NOTE WELL: Unsupported Samba versions before Samba 4.7 use a single
process for the LDAP servers. All versions of Samba after Samba 4.11
use the 'prefork' process model to create a shared connection pool.
Crashing servers are restarted, but service is disrupted.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11 and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

================================
Workaround and mitigating factors
================================

By default, Samba 4.10 is run using the "standard" process model, which
is one-process-per-client. (Later versions use 'prefork'.) This is
controlled by the -M or --model parameter to the samba binary.

All Samba versions are impacted if -M prefork or -M single is used.

To mitigate this issue, select -M standard (however, this will use more
memory and may cause resource exhaustion).

=======
Credits
=======

Originally reported by Andrei Popa and another anonymous reporter.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
___________________________________________________________________

CVE-2020-10745.html

===========================================================
== Subject:     Parsing and packing of NBT and DNS packets
==              can consume excessive CPU in the AD DC (only)
==
== CVE ID#:     CVE-2020-10745
==
== Versions:    All Samba versions since 4.0.0
==
== Summary:     Compression of replies to NetBIOS over TCP/IP
==              name resolution and DNS packets (which can be
==              supplied as UDP requests) can be abused to
==              consume excessive amounts of CPU on the Samba
==              AD DC (only).
==
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is framed using the
same format as DNS, and Samba's packing code for both uses DNS name
compression.

An attacker can choose a name which, when the name is included in the
reply, causes the DNS name compression algorithm to walk a very long
internal list while trying to compress the reply.

This is in part because the traditional "." separator in DNS is not
actually part of the DNS protocol: the limit of 128 components is
exceeded by including "." inside the components.

Specifically, the longest label is 63 characters, and Samba enforces a
limit of 128 components. That means you can make a query for the
address with 127 components, each of which is
"...............................................................".

In processing that query, Samba rewrites the name in dot-separated
form, then converts it back to the wire format in order to reply.
Unfortunately for Samba, it now finds the name is just 8127 dots,
which it duly converts into over 8127 zero-length labels.
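As an added illustration (not Samba's code), the Python below decodes a wire-format DNS/NBT name while keeping label boundaries intact and shows why the dotted-text round trip described above turns 127 dot-filled labels into thousands of empty ones; the 63-octet label limit and the 128-component cap come from the advisory, the function names and the constructed inputs are this example's own.

```python
# Added example, not Samba code: decode a DNS/NBT wire-format name while
# keeping label boundaries, and show why a dotted-text round trip loses them.
MAX_LABEL_LEN = 63   # RFC 1035 label limit
MAX_LABELS = 128     # per-name component cap named in the advisory


def decode_name(packet: bytes, offset: int = 0) -> list:
    """Return the labels of the name at `offset` as a list of raw bytes.

    Labels are never joined with '.', so a '.' inside a label cannot be
    mistaken for a separator later.  Raises ValueError on malformed input.
    """
    if not packet:
        raise ValueError("empty datagram")  # nothing to parse: the CVE-2020-14303 case
    labels = []
    while True:
        if offset >= len(packet):
            raise ValueError("truncated name")
        length = packet[offset]
        offset += 1
        if length == 0:
            return labels
        if length & 0xC0:
            raise ValueError("compression pointers are not handled in this example")
        if length > MAX_LABEL_LEN:
            raise ValueError("label longer than 63 octets")
        if len(labels) >= MAX_LABELS:
            raise ValueError("more than 128 labels")
        label = packet[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += length


def encode_name(labels) -> bytes:
    """Wire form: length-prefixed labels followed by a zero terminator."""
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"


def lossy_roundtrip(labels) -> list:
    """Join with '.' and split again: dots inside labels become separators."""
    return b".".join(labels).split(b".")


def escaped_text(labels) -> bytes:
    """Presentation form with literal dots escaped, so it round-trips safely."""
    return b".".join(l.replace(b".", b"\\.") for l in labels)


# Constructed input with the shape the advisory describes: 127 labels of 63 dots.
DOTTY = [b"." * 63] * 127
```

`decode_name(encode_name(DOTTY))` returns the 127 labels unchanged, while `lossy_roundtrip(DOTTY)` yields 8128 empty labels from a text form that is exactly 8127 dots long.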
==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

==========
Workaround
==========

The vulnerable DNS server (port 53) and NBT server (port 139) are only
provided when Samba runs as an Active Directory DC. The implementation
provided by nmbd in the file-server configuration is not subject to
this issue.

In the AD DC, the NBT server can be disabled with 'disable netbios = yes'.

=======
Credits
=======

Found using Honggfuzz and triaged by Douglas Bagnall of Catalyst and
the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett and Douglas Bagnall of Catalyst and
the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
___________________________________________________________________

CVE-2020-10730.html

===========================================================
== Subject:     NULL pointer de-reference and use-after-free
==              in Samba AD DC LDAP Server with ASQ, VLV and
==              paged_results
==
== CVE ID#:     CVE-2020-10730
==
== Versions:    Samba 4.5.0 and later
==
== Summary:     A client combining the 'ASQ' and 'VLV' LDAP
==              controls can cause a NULL pointer de-reference and
==              further combinations with the LDAP paged_results
==              feature can give a use-after-free in Samba's AD DC
==              LDAP server.
===========================================================

===========
Description
===========

Samba has, since Samba 4.5, supported the VLV Active Directory LDAP
feature, to allow clients to obtain 'virtual list views' of search
results against a Samba AD DC using an LDAP control.

The combination of this control and the ASQ control allows an
authenticated user to trigger a NULL-pointer de-reference.

It is also possible to trigger a use-after-free, both because the code
is very similar to that addressed by CVE-2020-10700 and due to the way
errors are handled in the dsdb_paged_results module since Samba 4.10.

==================
Patch Availability
==================

Patches addressing both of these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11 and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS v3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

=========================
Workaround and mitigation
=========================

None.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett and Gary Lockyer of Catalyst and
the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel      | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: cert@support.renater.fr +
=========================================================