====================================================================
== Subject:     Denial of Service Attack on AD DC DRSUAPI server
==
== CVE ID#:     CVE-2018-XXXX
==
== Versions:    All versions of Samba from 4.7.0 onwards.
==
== Summary:     Missing null pointer checks may crash the Samba AD
==              DC, over the authenticated DRSUAPI RPC service.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.7.0 onwards are vulnerable to a denial of
service attack when Samba is an Active Directory Domain Controller.

Missing database output checks on the returned directory attributes
from the LDB database layer cause the DsCrackNames call in the DRSUAPI
server to crash when following a NULL pointer.

This call is only available after authentication.

There is no further vulnerability associated with this error, merely a
denial of service.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.8.4 and Samba 4.7.9 have been issued as a
security release to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

No workaround is possible while acting as a Samba AD DC.

=======
Credits
=======

The issue was reported by Volker Mauel.

Andrew Bartlett of Catalyst and the Samba Team provided the test and
patches.
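
The defect class named in the Description, shown as an added illustration that is not Samba's code or the released patch: a name-translation step that treats an absent directory attribute as a per-name status instead of dereferencing the lookup result. The types, the function names (record_find, crack_name), the status values and the sample record are all assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a directory record; these are not Samba's ldb types. */
struct attr { const char *name; const char *value; };
struct record { const struct attr *attrs; size_t num_attrs; };

enum crack_status { CRACK_OK, CRACK_NO_MAPPING, CRACK_TOO_LONG };

/* Returns the attribute value, or NULL when the record does not carry it. */
static const char *record_find(const struct record *rec, const char *name)
{
    for (size_t i = 0; i < rec->num_attrs; i++) {
        if (strcmp(rec->attrs[i].name, name) == 0)
            return rec->attrs[i].value;
    }
    return NULL;
}

/* Hypothetical translation step: copy attribute `want` into `out`.
 * A missing attribute becomes a status for the caller, never a dereference. */
enum crack_status crack_name(const struct record *rec, const char *want,
                             char *out, size_t out_len)
{
    const char *value = record_find(rec, want);

    if (value == NULL)
        return CRACK_NO_MAPPING;  /* without this, strlen(NULL) below crashes */
    if (strlen(value) >= out_len)
        return CRACK_TOO_LONG;
    memcpy(out, value, strlen(value) + 1);
    return CRACK_OK;
}

int main(void)
{
    /* Constructed sample: an account that has no userPrincipalName. */
    const struct attr attrs[] = { { "sAMAccountName", "alice" } };
    const struct record rec = { attrs, 1 };
    char buf[64];

    printf("sAMAccountName: %d\n",
           crack_name(&rec, "sAMAccountName", buf, sizeof(buf)));
    printf("userPrincipalName: %d\n",
           crack_name(&rec, "userPrincipalName", buf, sizeof(buf)));
    return 0;
}
```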