===========================================================
== Subject:     Subsequent DCE/RPC fragment injection vulnerability
==              (AD DC concern)
==
== CVE ID#:     CVE-2021-23192
==
== Versions:    Samba 4.0.0 and later.
==
== Summary:     If a client to a Samba server sent a very large DCE/RPC
==              request, and chose to fragment it, an attacker could
==              replace later fragments with their own data, bypassing
==              the signature requirements.
===========================================================

===========
Description
===========

Samba implements DCE/RPC, and in most cases it is provided over and
protected by the underlying SMB transport, with protections like
'SMB signing'.

However, in the Samba AD DC in particular, Samba and servers working
with Samba may exchange large DCE/RPC payloads directly over TCP/IP,
protected with GSSAPI/Kerberos for DRS replication - replication of
the AD users and their passwords.

Because the checks on the fragment protection were not done between
the policy controls on the header and the subsequent fragments, an
attacker could replace subsequent fragments in requests or replies
with their own data.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

==========
Workaround
==========

Setting "dcesrv:max auth states=0" in the smb.conf will provide some
mitigation against this issue.

=======
Credits
=======

Originally reported by Stefan Metzmacher of SerNet.

Patches provided by Stefan Metzmacher of SerNet and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.
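The following check, added here as an illustration and not part of the Samba advisory, compares a server's reported version against the fixed releases listed above and looks for the workaround setting in smb.conf. It assumes that branches newer than 4.15 carry the fix and that 4.x branches older than 4.13, which have no fixed release listed, are treated as unpatched.

```python
import re

# Fixed releases from the advisory, keyed by (major, minor) branch.
FIXED_RELEASES = {(4, 13): (4, 13, 14), (4, 14): (4, 14, 10), (4, 15): (4, 15, 2)}
AFFECTED_FROM = (4, 0, 0)  # advisory: Samba 4.0.0 and later are affected


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Version 4.13.13-Ubuntu'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def is_patched(version):
    """True if the version is outside the affected range or at/after its fix."""
    if version < AFFECTED_FROM:
        return True  # pre-4.0.0 is not listed as affected
    branch = version[:2]
    if branch in FIXED_RELEASES:
        return version >= FIXED_RELEASES[branch]
    return branch > (4, 15)  # assumption: newer branches include the fix


def workaround_set(smb_conf):
    """True if smb.conf sets 'dcesrv:max auth states = 0' (case/space tolerant).

    Both '#' and ';' start comments in smb.conf; they are stripped first.
    """
    for raw in smb_conf.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        m = re.match(r"dcesrv\s*:\s*max\s+auth\s+states\s*=\s*(\S+)", line, re.I)
        if m:
            return m.group(1) == "0"
    return False


def assess(version_text, smb_conf):
    """Summarise exposure to CVE-2021-23192 for one server."""
    if is_patched(parse_version(version_text)):
        return "patched"
    if workaround_set(smb_conf):
        return "unpatched, workaround present"
    return "unpatched, no workaround"


if __name__ == "__main__":
    # Constructed sample input: output of 'smbd --version' and an smb.conf.
    SAMPLE_CONF = "[global]\n    workgroup = EXAMPLE\n    dcesrv:max auth states = 0\n"
    print(assess("Version 4.13.13-Ubuntu", SAMPLE_CONF))
```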
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================