The Samba-Bugzilla – Attachment 16919 Details for Bug 14875
CVE-2021-23192 [SECURITY] dcerpc requests don't check all fragments against the first auth_state
Advisory text (v3)
CVE-2021-23192-description-v3.txt (text/plain), 2.83 KB, created by Samuel Cabrero on 2021-11-02 11:55:06 UTC
====================================================================
== Subject: Subsequent DCE/RPC fragment injection vulnerability
==
== CVE ID#: CVE-2021-23192
==
== Versions: Samba 4.10.0 and later.
==
== Summary: If a client to a Samba server sent a very large
   DCE/RPC request, and chose to fragment it, an
   attacker could replace later fragments with
   their own data, bypassing the signature requirements.
=====================================================================

===========
Description
===========

Samba implements DCE/RPC, and in most cases it is provided over and
protected by the underlying SMB transport, with protections like 'SMB
signing'.

However, there are other cases where large DCE/RPC payloads are exchanged
directly over TCP/IP, protected by GSSAPI/Kerberos and fragmented into several
pieces. Because the protection checks on subsequent fragments were not made
against the authentication state established by the policy controls on the
first fragment's header, an attacker could replace subsequent fragments in
requests with their own data, which might be able to alter the server behaviour.

This issue affects Samba versions greater than or equal to 4.10.0 when configured
as an AD DC, and Samba versions greater than or equal to 4.13.0 when configured to
provide RPC services over TCP/IP transport, for example:

rpc_server:netlogon = disabled
rpc_server:lsarpc = external
rpc_server:samr = external
rpc_daemon:lsasd = fork

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

==========
Workaround
==========

Setting "dcesrv:max auth states=0" in the smb.conf will provide
some mitigation against this issue.

But it disables "Security Context Multiplexing" and may reopen
https://bugzilla.samba.org/show_bug.cgi?id=11892,
which means domain members running things like Cisco ISE or
VMWare View may no longer work. This applies only to
active directory domain controllers.

Note the related code was ported to the domain member
and the legacy NT4/classic domain controller with
Samba 4.12.0, but there are no known problems with
"dcesrv:max auth states=0".

=======
Credits
=======

Originally reported by Stefan Metzmacher of SerNet

Patches provided by Stefan Metzmacher of SerNet and the Samba Team.
Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
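As an added example (not part of the advisory or of Samba itself), the following script turns the advisory's affected-version ranges, security releases and workaround into a check an administrator can run against a version string and an smb.conf. The rule that "rpc_server:* = external" or "rpc_daemon:* = fork" signals RPC over TCP/IP on a non-DC, and that series newer than 4.15 carry the fix, are assumptions; the smb.conf content is constructed.

```python
import re

# Security releases named in the advisory, keyed by the 4.x series they fix.
FIXED_RELEASES = {(4, 13): (4, 13, 14), (4, 14): (4, 14, 10), (4, 15): (4, 15, 2)}

def parse_version(text):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    return tuple(int(x) for x in m.groups())

def parse_smb_conf(text):
    """smb.conf -> {section: {key: value}}; keys/values lower-cased, whitespace collapsed."""
    conf, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # smb.conf comment lines
            continue
        if line[0] == "[" and line[-1] == "]":
            section = line[1:-1].strip().lower()
            conf.setdefault(section, {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            conf[section][" ".join(key.lower().split())] = " ".join(value.lower().split())
    return conf

def assess(version, smb_conf):
    """Apply the advisory's criteria: an AD DC >= 4.10.0, or a non-DC serving
    RPC over TCP/IP >= 4.13.0, is affected unless patched or mitigated."""
    v = parse_version(version)
    g = parse_smb_conf(smb_conf).get("global", {})
    is_dc = g.get("server role", "").startswith("active directory")
    # Assumption: rpc_server:* = external or rpc_daemon:* = fork (the advisory's
    # example settings) means RPC services are offered over TCP/IP.
    rpc_over_tcp = any((k.startswith("rpc_server:") and val == "external")
                       or (k.startswith("rpc_daemon:") and val == "fork")
                       for k, val in g.items())
    affected = (is_dc and v >= (4, 10, 0)) or (not is_dc and rpc_over_tcp and v >= (4, 13, 0))
    fixed_in = FIXED_RELEASES.get(v[:2])
    # Assumption: series newer than 4.15 shipped after the fix and carry it.
    patched = v >= fixed_in if fixed_in else v[:2] > (4, 15)
    workaround = g.get("dcesrv:max auth states") == "0"
    return {"affected_config": affected, "patched": patched, "workaround": workaround,
            "exposed": affected and not patched and not workaround}

# Constructed sample: an AD DC on an unpatched 4.13.x with the workaround commented out.
SAMPLE_CONF = """[global]
    server role = active directory domain controller
    ; dcesrv:max auth states = 0
"""
```

Calling `assess("4.13.12", SAMPLE_CONF)` reports the host as affected, unpatched and without the workaround, i.e. exposed.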