===========================================================
== Subject:     Subsequent DCE/RPC fragment injection vulnerability
==
== CVE ID#:     CVE-2021-23192
==
== Versions:    Samba 4.10.0 and later.
==
== Summary:     If a client to a Samba server sent a very large DCE/RPC
==              request, and chose to fragment it, an attacker could
==              replace later fragments with their own data, bypassing
==              the signature requirements.
===========================================================

===========
Description
===========

Samba implements DCE/RPC, and in most cases it is provided over and
protected by the underlying SMB transport, with protections like
'SMB signing'.

However, there are other cases where large DCE/RPC payloads are exchanged
directly over TCP/IP, protected with GSSAPI/Kerberos and fragmented into
several pieces.

Because the checks on the fragment protection were not done between the
policy controls on the header and the subsequent fragments, an attacker
could replace subsequent fragments in requests with their own data,
which might be able to alter the server behaviour.

This issue affects Samba versions greater than or equal to 4.10.0 when
configured as an AD DC, and Samba versions greater than or equal to 4.13.0
when configured to provide RPC services over the TCP/IP transport, for
example:

  rpc_server:netlogon = disabled
  rpc_server:lsarpc = external
  rpc_server:samr = external
  rpc_daemon:lsasd = fork

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.
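To illustrate the check the Description refers to, here is an added example (not Samba code) of a minimal DCE/RPC request reassembler that refuses any fragment whose auth trailer is missing, whose signature does not verify, or whose auth type, level or context id differs from the first fragment of the same call. The wire layout follows the DCE 1.1 RPC common header and auth trailer; the HMAC-SHA256 signature and the CONTEXT_KEYS table are constructed stand-ins for the GSSAPI/Kerberos session key, not the real protocol.

```python
import hmac, hashlib, struct

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
HDR = struct.Struct("<BBBB4sHHI")   # rpc_vers, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
TRAILER = struct.Struct("<BBBBI")    # auth_type, auth_level, auth_pad_length, reserved, auth_context_id
SIG_LEN = 16
# Constructed per-context signing keys (stand-in for the negotiated GSSAPI session key).
CONTEXT_KEYS = {1: b"k" * 32}

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()[:SIG_LEN]

def build_fragment(call_id, flags, stub, auth_type, auth_level, ctx_id, key):
    """Constructed signed request fragment: header, stub data, auth trailer, signature."""
    frag_len = HDR.size + len(stub) + TRAILER.size + SIG_LEN
    body = HDR.pack(5, 0, 0, flags, b"\x10\0\0\0", frag_len, SIG_LEN, call_id) + stub
    body += TRAILER.pack(auth_type, auth_level, 0, 0, ctx_id)
    return body + sign(key, body)

def parse_fragment(raw):
    """Return (call_id, flags, auth_ctx, stub); auth_ctx is None when the fragment carries no trailer."""
    _, _, _, flags, _, frag_len, auth_len, call_id = HDR.unpack_from(raw)
    if frag_len != len(raw):
        raise ValueError("frag_length does not match data")
    if auth_len == 0:
        return call_id, flags, None, raw[HDR.size:]
    toff = frag_len - auth_len - TRAILER.size          # auth_length counts only the signature
    atype, alevel, pad, _, ctx_id = TRAILER.unpack_from(raw, toff)
    key = CONTEXT_KEYS.get(ctx_id)
    signed, sig = raw[:frag_len - auth_len], raw[frag_len - auth_len:]
    if key is None or not hmac.compare_digest(sign(key, signed), sig):
        raise ValueError("bad signature")
    return call_id, flags, (atype, alevel, ctx_id), raw[HDR.size:toff - pad]

def reassemble(fragments):
    """Reassemble one call. The auth policy check is applied to EVERY fragment, not just the first."""
    expected, stub = None, b""
    for i, raw in enumerate(fragments):
        try:
            call_id, flags, ctx, part = parse_fragment(raw)
        except ValueError as e:
            return False, str(e)
        if i == 0:
            if not flags & PFC_FIRST_FRAG or ctx is None:
                return False, "first fragment unsigned or not marked first"
            expected = (call_id, ctx)
        elif (call_id, ctx) != expected:
            return False, "auth context changed between fragments"
        stub += part
        if flags & PFC_LAST_FRAG:
            return True, stub
    return False, "missing last fragment"
```

The constructed sample in the test uses auth_type 16 (Kerberos) and auth_level 6 (packet privacy); a later fragment that is unsigned, tampered, or negotiated at a different level is rejected instead of being appended to the request.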
==================
CVSSv3 calculation
==================

CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

==========
Workaround
==========

Setting "dcesrv:max auth states=0" in the smb.conf will provide some
mitigation against this issue. But it disables "Security Context
Multiplexing" and may reopen
https://bugzilla.samba.org/show_bug.cgi?id=11892, which means domain
members running things like Cisco ISE or VMware View may no longer work.

This applies only to Active Directory domain controllers.

Note the related code was ported to the domain member and the legacy
NT4/classic domain controller with Samba 4.12.0, but there are no known
problems with "dcesrv:max auth states=0".

=======
Credits
=======

Originally reported by Stefan Metzmacher of SerNet.

Patches provided by Stefan Metzmacher of SerNet and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================