#12177 closed enhancement (fixed)

samba-4.10.5

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 9.0
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version

Change History (4)

comment:1 by Douglas R. Reno, 5 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Bruce Dubbs, 5 years ago

Milestone: 8.5 → 9.0

Milestone renamed

comment:3 by Douglas R. Reno, 5 years ago

Priority: normal → high

Release notes:

                   ==============================
                   Release Notes for Samba 4.10.5
                           June 19, 2019
                   ==============================


This is a security release in order to address the following defects:

o  CVE-2019-12435 (Samba AD DC Denial of Service in DNS management server
                  (dnsserver))
o  CVE-2019-12436 (Samba AD DC LDAP server crash (paged searches))

=======
Details
=======

o  CVE-2019-12435:
   An authenticated user can crash the Samba AD DC's RPC server process via a
   NULL pointer dereference.

o  CVE-2019-12436:
    A user with read access to the directory can cause a NULL pointer
    dereference using the paged search control.

For more details and workarounds, please refer to the security advisories.


Changes since 4.10.4:
---------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 13922: CVE-2019-12435 rpc/dns: Avoid NULL deference if zone not found
     in DnssrvOperation2.
   * BUG 13951: CVE-2019-12436 dsdb/paged_results: Ignore successful results
     without messages.

CVE-2019-12435 ADVISORY

CVE-2019-12435.html

===========================================================
== Subject:     Samba AD DC Denial of Service in DNS management server (dnsserver)
==
== CVE ID#:     CVE-2019-12435
==
== Versions:    Samba 4.9 and 4.10
==
== Summary:     An authenticated user can crash the Samba AD DC's
                RPC server process via a NULL pointer de-reference.

===========================================================

===========
Description
===========

The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.

An authenticated user can crash the RPC server process via a NULL
pointer de-reference.

There is no further vulnerability associated with this issue, merely a
denial of service.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.9.9 and 4.10.5 have been issued as security
releases to correct the defect. Samba administrators are advised to
upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The dnsserver task can be stopped by setting 
 'dcerpc endpoint servers = -dnsserver'
in the smb.conf and restarting Samba. 

=======
Credits
=======

Originally reported by Coverity as CID 1418127, and triaged by Douglas
Bagnall of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2019-12436 ADVISORY

CVE-2019-12436.html

===========================================================
== Subject:     Samba AD DC LDAP server crash (paged searches)
==
== CVE ID#:     CVE-2019-12436
==
== Versions:    All versions of Samba since Samba 4.10.0
==
== Summary:     A user with read access to the directory can
                cause a NULL pointer dereference using the
                paged search control.
===========================================================

===========
Description
===========

A user with read access to the LDAP server can crash the LDAP
server process.  Depending on the Samba version and the choice
of process model, this may crash only the user's own connection.

Specifically, while in Samba 4.10 the default is one process per
connected client, a site-specific configuration can change this.

Samba 4.10 also supports the 'prefork' process model and, by using
the -M option to 'samba', a 'single' process model. Both of these
share one process between multiple clients.

NOTE WELL: the original report on this issue to the Samba Team
suggested a correlation between this NULL pointer dereference with
access to the \\DC\homes share on an AD DC, including a persistent
service failure.  The Samba Team has been unable to corroborate this
failure mode, and has instead focused on addressing the original
issue.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.10.5 has been issued as a security release to
correct the defect.  Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

Return to the default configuration by running 'samba' with -M
standard; however, this may consume more memory and would not address
the \\DC\homes issue.

=======
Credits
=======

Originally reported by Zombie Ryushu.

Patches provided by Douglas Bagnall of Catalyst and the Samba team.
Advisory written by Andrew Bartlett of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
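Defender-side checks for the fixed versions and the two workarounds named in the release notes and advisories above, as an added example that is not part of the ticket or of Samba's own code. It assumes plain smb.conf text and the 'samba' command line as input; the sample smb.conf is constructed.

```python
# Added example, not Samba project code: audit helpers for the two advisories
# quoted above. Fixed versions and workarounds come from them; sample is constructed.
import re

# branch -> first fixed release, per the advisories (4.9.9 and 4.10.5)
FIXED_IN = {"CVE-2019-12435": {(4, 9): (4, 9, 9), (4, 10): (4, 10, 5)},
            "CVE-2019-12436": {(4, 10): (4, 10, 5)}}

def unfixed_cves(version):
    """CVEs that `version` (e.g. '4.10.4-Debian') still lacks a fix for;
    branches the advisories do not name (e.g. 4.8) are not flagged."""
    ver = tuple(int(x) for x in re.findall(r"\d+", version)[:3])
    return {cve for cve, branches in FIXED_IN.items()
            if ver[:2] in branches and ver < branches[ver[:2]]}

def global_param(smb_conf, name):
    """Value of `name` in [global] (last occurrence wins), or None if unset."""
    section, value = None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == name:
                value = val.strip()
    return value

def dnsserver_disabled(smb_conf):
    """True if the CVE-2019-12435 workaround ('-dnsserver') is in effect."""
    val = global_param(smb_conf, "dcerpc endpoint servers")
    if val is None:
        return False  # Samba's default endpoint list includes dnsserver
    tokens = val.replace(",", " ").split()
    if any(t[0] in "+-" for t in tokens):  # +/- form edits the default list
        return "-dnsserver" in tokens and "+dnsserver" not in tokens
    return "dnsserver" not in tokens  # explicit list replaces the default

def shared_process_model(samba_cmdline):
    """True for -M prefork/single: one process serves many LDAP clients there."""
    args, model = samba_cmdline.split(), "standard"  # 4.10 default per advisory
    for i, a in enumerate(args):
        if a == "-M" and i + 1 < len(args):
            model = args[i + 1]
    return model in ("prefork", "single")

SAMPLE_SMB_CONF = "# constructed sample\n[global]\n  workgroup = EXAMPLE\n" \
                  "  dcerpc endpoint servers = -dnsserver\n[homes]\n  browseable = no\n"
```

Feed it the output of 'samba --version' and the running 'samba' command line from your process list; a host that reports either CVE as unfixed and no workaround in effect is the one to patch first.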

comment:4 by Douglas R. Reno, 5 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r21767
