===========================================================
== Subject:     Parsing and packing of NBT and DNS packets
==              can consume excessive CPU
==
== CVE ID#:     CVE-2020-10745
==
== Versions:    All Samba versions since 3.4.0
==
== Summary:     Compression of replies to NetBIOS over TCP/IP
==              name resolution and DNS packets (which can be
==              supplied as UDP requests) can be abused to
==              consume excessive amounts of CPU
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is framed using the
same format as DNS, and Samba's packing code for both uses DNS name
compression.

An attacker can choose a name which, when the name is included in the
reply, causes the DNS name compression algorithm to walk a very long
internal list while trying to compress the reply.

This is in part because the traditional "." separator in DNS is not
actually part of the DNS protocol: the limit of 255 components is
exceeded by including "." inside the components.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.5 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

==========
Workaround
==========

The DNS server (port 53) is only provided when Samba runs as an Active
Directory DC.

The NBT server (port 139) is provided by nmbd in the file-server
configuration, which is not needed unless SMBv1 is in use.

In the AD DC, the NBT server can be disabled with
'disable netbios = yes'.

=======
Credits
=======

Found using Honggfuzz and triaged by Douglas Bagnall of Catalyst and
the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
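
An added example, not Samba's code or patch, for the Description's point that "." is not a separator on the wire: it walks one uncompressed wire-format name, enforces the RFC 1035 size limits (label at most 63 octets, whole name at most 255), and compares the real label count with the number of pieces an unescaped dotted string would split into. The names `check_wire_name` and `struct name_stats` and the sample bytes are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct name_stats {      /* hypothetical result type for this example */
    size_t labels;       /* length-prefixed labels actually on the wire */
    size_t dot_pieces;   /* pieces a split on '.' of the text form yields */
    size_t wire_len;     /* octets consumed, including the root label */
};

/* Returns 0 for a well-formed name with no '.' inside any label,
 * 1 for a well-formed name where some label embeds '.', and
 * -1 for a malformed, truncated, compressed or oversized name. */
int check_wire_name(const uint8_t *buf, size_t len, struct name_stats *st)
{
    size_t pos = 0;
    int embedded = 0;

    st->labels = st->dot_pieces = st->wire_len = 0;
    while (pos < len) {
        uint8_t n = buf[pos++];
        if (n == 0) {                    /* root label ends the name */
            st->wire_len = pos;
            return embedded;
        }
        /* n > 63: compression pointer or reserved label type */
        if (n > 63 || n > len - pos || pos + n + 1 > 255)
            return -1;
        st->labels++;
        st->dot_pieces++;
        for (uint8_t i = 0; i < n; i++) {
            if (buf[pos + i] == '.') {   /* a data byte, not a separator */
                st->dot_pieces++;
                embedded = 1;
            }
        }
        pos += n;
    }
    return -1;                           /* buffer ended before the root label */
}

int main(void)
{
    /* Constructed sample: a single 3-octet label containing "a.b". */
    static const uint8_t dotty[] = { 3, 'a', '.', 'b', 0 };
    struct name_stats st;
    int rc = check_wire_name(dotty, sizeof dotty, &st);
    printf("rc=%d labels=%zu pieces=%zu\n", rc, st.labels, st.dot_pieces);
    return 0;
}
```

A return value of 1 marks a name whose dotted text form has more components than the wire format has labels, which is worth logging or rejecting before any text-based handling.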