The Samba-Bugzilla – Attachment 16053 Details for Bug 14378
CVE-2020-10745 [SECURITY] invalid DNS or NBT queries containing dots use several seconds of CPU each
Advisory v3 with speculative release versions
CVE-2020-10745-nbt-dns-spin-v3.txt (text/plain), 2.80 KB, created by
Andrew Bartlett
on 2020-06-16 23:25:53 UTC
===========================================================
== Subject: Parsing and packing of NBT and DNS packets
==          can consume excessive CPU
==
== CVE ID#: CVE-2020-10745
==
== Versions: All Samba versions since 3.4.0
==
== Summary: Compression of replies to NetBIOS over TCP/IP
==          name resolution and DNS packets (which can be
==          supplied as UDP requests) can be abused to
==          consume excessive amounts of CPU
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is framed using the
same format as DNS, and Samba's packing code for both uses DNS name
compression.

An attacker can choose a name which, when the name is included in the
reply, causes the DNS name compression algorithm to walk a very long
internal list while trying to compress the reply. This is in part
because the traditional "." separator in DNS is not actually part of
the DNS protocol: the limit of 128 components is exceeded by including
"." inside the components.

Specifically, the longest label is 63 characters, and Samba enforces a
limit of 128 components. That means you can make a query for the
address with 127 components, each of which is
"...............................................................".

In processing that query, Samba rewrites the name in dot-separated
form, then converts it back to the wire format in order to
reply. Unfortunately for Samba, it now finds the name is just 8127
dots, which it duly converts into over 8127 zero length labels.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.5 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.
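The round-trip the Description section walks through, as an added Python model (not Samba's code): it builds the 127-component name of 63 dots each, parses it under the 63-octet label and 128-component limits, and shows the dotted-string re-packing inflating it to 8128 labels. `check_labels` is an assumed mitigation for illustration, not necessarily the fix Samba shipped.

```python
"""Model of the NBT/DNS name round-trip from the Description above.
Added illustration, not Samba's code; check_labels is an assumed
mitigation, not necessarily the actual Samba fix."""
MAX_LABEL_LEN = 63    # longest DNS label (RFC 1035)
MAX_COMPONENTS = 128  # component limit the advisory says Samba enforces

def parse_wire_name(buf: bytes) -> list[bytes]:
    """Split an uncompressed wire-format name into its raw labels."""
    labels, pos = [], 0
    while True:
        if pos >= len(buf):
            raise ValueError("truncated name")
        length, pos = buf[pos], pos + 1
        if length == 0:
            return labels
        if length > MAX_LABEL_LEN:
            raise ValueError("label longer than 63 octets")
        if len(labels) >= MAX_COMPONENTS:
            raise ValueError("more than 128 components")
        labels.append(buf[pos:pos + length])
        pos += length

def labels_to_dotted(labels: list[bytes]) -> bytes:
    """The lossy internal form: join labels with '.'."""
    return b".".join(labels)

def dotted_to_labels(dotted: bytes) -> list[bytes]:
    """Re-pack from the dotted string as the vulnerable path did:
    every '.' becomes a label boundary, including dots inside labels."""
    return dotted.split(b".")

def check_labels(labels: list[bytes]) -> None:
    """Assumed mitigation: refuse labels containing '.', so the dotted
    form round-trips faithfully and the packer never sees 8000+ labels."""
    for label in labels:
        if b"." in label:
            raise ValueError("label contains '.'")

def build_dotty_query() -> bytes:
    """Constructed name from the advisory: 127 labels of 63 dots, then root."""
    return (bytes([MAX_LABEL_LEN]) + b"." * MAX_LABEL_LEN) * 127 + b"\x00"

def round_trip_label_count(buf: bytes) -> tuple[int, int]:
    """Return (labels on the wire, labels after the dotted round-trip)."""
    labels = parse_wire_name(buf)
    return len(labels), len(dotted_to_labels(labels_to_dotted(labels)))
```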
==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

==========
Workaround
==========

The DNS server (port 53) is only provided when Samba runs as an Active
Directory DC. The NBT server (port 139) is provided by nmbd in the
file-server configuration, which is not needed unless SMBv1 is in
use. In the AD DC, the NBT server can be disabled with
'disable netbios = yes'.

=======
Credits
=======

Found using Honggfuzz and triaged by Douglas Bagnall of Catalyst and
the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba team.

Advisory written by Andrew Bartlett and Douglas Bagnall of Catalyst
and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Flags: gary: review+