===========================================================
== Subject:     Samba AD DC Denial of Service in DNS
==              management server (dnsserver)
==
== CVE ID#:
==
== Versions:    All versions of the Samba AD DC (that is
==              Samba 4.0 and later)
==
== Summary:     An authenticated user can crash the Samba
==              AD DC's RPC server process via a NULL
==              pointer de-reference.
===========================================================

===========
Description
===========

The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.

An authenticated user can crash the RPC server process via a NULL
pointer de-reference.

There is no further vulnerability associated with this issue, merely a
denial of service.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect. Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The dnsserver task can be stopped by setting

    'dcerpc endpoint servers = -dnsserver'

in the smb.conf and restarting Samba.

=======
Credits
=======

Originally reported by Coverity as CID, and triaged by Douglas Bagnall
of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================