CVE-2019-19344: Samba - Security Announcement Archive

There is a use-after-free issue in all samba 4.9.x versions before 4.9.18, all samba 4.10.x versions before 4.10.12 and all samba 4.11.x versions before 4.11.5, essentially due to a call to realloc() while other local variables still point at the original buffer.

CVE-2019-19344.html:

===========================================================
== Subject:     Use after free during DNS zone scavenging
==              in Samba AD DC
==
== CVE ID#:     CVE-2019-19344
==
== Versions:    Samba 4.9 and later versions
==
== Summary:     During DNS zone scavenging (of expired dynamic
==              entries) there is a read of memory after it has
==              been freed.
===========================================================

===========
Description
===========

Samba 4.9 introduced an off-by-default feature to tombstone dynamically created DNS records that had reached their expiry time.

This feature is controlled by the smb.conf option:

  dns zone scavenging = yes

There is a use-after-free issue in this code, essentially due to a call to realloc() while other local variables still point at the original buffer.

The use is a read, but in quite unlikely conditions (due to NDR validation unpacking the buffer) that read memory might be saved back into the DB.
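
The bug class described above, shown as a simplified C illustration added here. It is not Samba's code or the actual patch; `struct rec`, `list_append` and the two `scavenge_*` functions are hypothetical names for a generic growable record array.

```c
#include <stdlib.h>
/* Hypothetical record layout; not Samba's own structures. */
struct rec { unsigned expires; int tombstone; };
struct rec_list { struct rec *items; size_t count; };

/* Grow by one element; realloc() may move the buffer. */
static int list_append(struct rec_list *l, struct rec r)
{
    struct rec *grown = realloc(l->items, (l->count + 1) * sizeof(*grown));
    if (grown == NULL)
        return -1;  /* the old buffer is still valid on failure */
    l->items = grown;
    l->items[l->count++] = r;
    return 0;
}

/* BUGGY, for contrast only: 'cur' is taken before the append, so if
 * realloc() moved the buffer, cur->expires reads freed memory. */
int scavenge_buggy(struct rec_list *l, unsigned now)
{
    size_t n = l->count;
    for (size_t i = 0; i < n; i++) {
        struct rec *cur = &l->items[i];
        if (cur->tombstone || cur->expires > now)
            continue;
        struct rec tomb = { 0, 1 };
        if (list_append(l, tomb) != 0)
            return -1;
        l->items[l->count - 1].expires = cur->expires; /* stale read */
        l->items[i].tombstone = 1;
    }
    return (int)(l->count - n);  /* number of tombstones appended */
}

/* FIXED: copy the field before growing and reach elements by index,
 * so every access goes through the current base pointer. */
int scavenge_fixed(struct rec_list *l, unsigned now)
{
    size_t n = l->count;
    for (size_t i = 0; i < n; i++) {
        if (l->items[i].tombstone || l->items[i].expires > now)
            continue;
        struct rec tomb = { l->items[i].expires, 1 };
        if (list_append(l, tomb) != 0)
            return -1;
        l->items[i].tombstone = 1;
    }
    return (int)(l->count - n);
}
```

Building the buggy variant with AddressSanitizer (`-fsanitize=address`) reports the stale read whenever the buffer moves.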

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The code in question is not run in the default configuration, so the workaround is simply to not set

  dns zone scavenging = yes

=======
Credits
=======

Originally reported by Christian Naumer.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
