The Samba-Bugzilla – Attachment 15649 Details for Bug 14138: CVE-2019-14861 [SECURITY] DNSServer RPC server crash
draft security advisory v4
CVE-2019-14861-dnsserver-advisory-04.txt (text/plain), 2.16 KB, created by Karolin Seeger on 2019-11-29 11:01:25 UTC

===========================================================
== Subject:     Samba AD DC zone-named record Denial of
==              Service in DNS management server (dnsserver)
==
== CVE ID#:     CVE-2019-14861
==
== Versions:    All Samba versions since Samba 4.0
==
== Summary:     An authenticated user can crash the DCE/RPC DNS
==              management server by creating records matching
==              the zone name
===========================================================

===========
Description
===========

The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.

Samba, when acting as an AD DC, stores DNS records in LDAP.

In AD, the default permissions on the DNS partition allow creation of
new records by authenticated users. This is used for example to allow
machines to self-register in DNS.

If a DNS record was created that case-insensitively matched the name
of the zone, the ldb_qsort() and dns_name_compare() routines could be
confused into reading memory prior to the list of DNS entries when
responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so
following invalid memory as a pointer.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (5.3)

==========
Workaround
==========

The dnsserver task can be stopped by setting
 'dcerpc endpoint servers = -dnsserver'
in the smb.conf and restarting Samba.

=======
Credits
=======

Originally reported by Andreas Oster.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

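An added example, not part of the advisory or of Samba's code: a Python check that classifies a host from its Samba version string and smb.conf text, using the fixed releases and the workaround named above. The function names, status labels and sample configuration are constructed for illustration; it assumes the host is an AD DC and that branches newer than 4.11 include the fix.

```python
import re

# First fixed release on each maintained branch, as named in the advisory.
FIXED = {(4, 11): 3, (4, 10): 11, (4, 9): 17}

def version_status(version):
    """Classify a Samba version string such as 'Version 4.10.8'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % version)
    major, minor, patch = (int(g) for g in m.groups())
    if major < 4:
        return "not-affected"      # advisory: affected since Samba 4.0
    if (major, minor) in FIXED:
        return "fixed" if patch >= FIXED[(major, minor)] else "vulnerable"
    # Assumption: branches after 4.11 carry the fix; branches before 4.9
    # got no security release and stay vulnerable unless patched by hand.
    return "fixed" if (major, minor) > (4, 11) else "vulnerable"

def workaround_applied(smb_conf):
    """True if [global] sets 'dcerpc endpoint servers' with '-dnsserver'."""
    section, applied = "global", False
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        key, sep, value = line.partition("=")
        # smb.conf parameter names ignore case and embedded whitespace.
        if sep and section == "global" and \
                "".join(key.split()).lower() == "dcerpcendpointservers":
            tokens = re.split(r"[\s,]+", value.strip().lower())
            applied = "-dnsserver" in tokens   # last setting wins
    return applied

def assess(version, smb_conf):
    status = version_status(version)
    if status == "vulnerable" and workaround_applied(smb_conf):
        return "mitigated"
    return status

# Constructed sample configuration (not from the advisory).
SAMPLE_CONF = """
[global]
    server role = active directory domain controller
    DCERPC Endpoint Servers = -dnsserver
"""
```

Distribution packages may backport the patch without changing the upstream version number, so treat a `vulnerable` result as a prompt to check the package changelog. Settings pulled in through `include` lines are not followed.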
Flags: abartlet: review+, kseeger: review+