Headline
CVE-2019-14861: Samba - Security Announcement Archive
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.
CVE-2019-14861.html:
=========================================================== == Subject: Samba AD DC zone-named record Denial of == Service in DNS management server (dnsserver) == == CVE ID#: CVE-2019-14861 == == Versions: All Samba versions since Samba 4.0 == == Summary: An authenticated user can crash the DCE/RPC DNS == management server by creating records with matching == the zone name ===========================================================
=========== Description ===========
The (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones.
Samba, when acting as an AD DC, stores DNS records in LDAP.
In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS.
If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.
================== Patch Availability ==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
================== CVSSv3 calculation ==================
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (5.3)
========== Workaround ==========
The dnsserver task can be stopped by setting ‘dcerpc endpoint servers = -dnsserver’ in the smb.conf and restarting Samba.
======= Credits =======
Originally reported by Andreas Oster.
Patches provided by Andrew Bartlett of the Samba Team and Catalyst. Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
Related news
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.