The Samba-Bugzilla – Attachment 16923 Details for Bug 14875
CVE-2021-23192 [SECURITY] dcerpc requests don't check all fragments against the first auth_state
advisory text (v05)
CVE-2021-23192-description-v5.txt (text/plain), 3.02 KB, created by Andrew Bartlett on 2021-11-02 20:05:36 UTC
====================================================================
== Subject:     Subsequent DCE/RPC fragment injection vulnerability
==
== CVE ID#:     CVE-2021-23192
==
== Versions:    Samba 4.10.0 and later.
==
== Summary:     If a client to a Samba server sent a very large
                DCE/RPC request, and chose to fragment it, an
                attacker could replace later fragments with
                their own data, bypassing the signature requirements.
=====================================================================

===========
Description
===========

Samba implements DCE/RPC, and in most cases it is provided over and
protected by the underlying SMB transport, with protections like 'SMB
signing'.

However, there are other cases where large DCE/RPC request payloads are
exchanged and fragmented into several pieces. If this happens over
untrusted transports (e.g. directly over TCP/IP or anonymous SMB),
clients will typically protect the request by explicit authentication at
the DCE/RPC layer, e.g. with GSSAPI/Kerberos/NTLMSSP or the Netlogon
Secure Channel.

Because the checks on the fragment protection were not done between
the policy controls on the header and the subsequent fragments, an
attacker could replace subsequent fragments in requests with their own
data, which might be able to alter the server behaviour.

DCE/RPC is a core component of all Samba servers, but we are most
concerned about Samba as a Domain Controller, given its role as a
centrally trusted service.

As an Active Directory domain controller, this issue affects Samba
versions greater than or equal to 4.10.0.

As an NT4 classic domain controller, domain member or standalone server,
this issue affects Samba versions greater than or equal to 4.13.0.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

==========
Workaround
==========

Setting "dcesrv:max auth states=0" in the smb.conf will provide
some mitigation against this issue.

There are no known problems with this change on an
NT4 classic domain controller, domain member or standalone server.

But it disables "Security Context Multiplexing" and may reopen
https://bugzilla.samba.org/show_bug.cgi?id=11892, which means domain
members running things like Cisco ISE or VMware View may no longer
work. This applies only to Active Directory domain controllers.

=======
Credits
=======

Originally reported by Stefan Metzmacher of SerNet.

Patches provided by Stefan Metzmacher of SerNet and the Samba Team.
Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
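The missing check the advisory describes, as an added illustration that is not Samba's code: a small reassembler that parses the auth trailer of each DCE/RPC request fragment and rejects any later fragment whose (auth_type, auth_level, auth_context_id) or call_id differs from the first fragment's. It is written in Python rather than Samba's C for readability, follows the MS-RPCE request PDU layout (little-endian DREP only), and uses constructed fragments with a dummy auth_value; it checks consistency of the auth state across fragments, not the signatures themselves.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02

def parse_fragment(pdu: bytes):
    """Parse a DCE/RPC request PDU (MS-RPCE, little-endian DREP): returns (flags, call_id, auth_state, stub)."""
    ver, _, ptype, flags, drep, frag_len, auth_len, call_id = struct.unpack_from("<BBBB4sHHI", pdu, 0)
    if ver != 5 or ptype != 0 or not drep[0] & 0x10 or frag_len != len(pdu) or frag_len < 24:
        raise ValueError("not a well-formed little-endian request PDU")
    auth, body_end = None, frag_len
    if auth_len:                                   # auth trailer sits 8 bytes before the auth_value
        trailer = frag_len - auth_len - 8
        if trailer < 24:
            raise ValueError("auth_length overlaps the request header")
        a_type, a_level, pad, _, ctx = struct.unpack_from("<BBBBI", pdu, trailer)
        auth, body_end = (a_type, a_level, ctx), trailer - pad
    return flags, call_id, auth, pdu[24:body_end]  # stub follows alloc_hint, context_id, opnum

def reassemble_request(fragments):
    """Join fragments; every later fragment must carry the first fragment's call_id and auth_state."""
    stub, first = b"", None
    for i, frag in enumerate(fragments):
        flags, call_id, auth, body = parse_fragment(frag)
        if i == 0:
            first = (call_id, auth)
        if bool(flags & PFC_FIRST_FRAG) != (i == 0) or (call_id, auth) != first:
            raise ValueError(f"fragment {i}: flags/call_id/auth_state {(call_id, auth)} inconsistent with first {first}")
        stub += body
    if not flags & PFC_LAST_FRAG:
        raise ValueError("request ended without PFC_LAST_FRAG")
    return stub

def verdict(fragments):
    try:                                           # accept/reject wrapper so callers get a result, not an exception
        return "accept", reassemble_request(fragments)
    except ValueError as e:
        return "reject", str(e)

def build_fragment(flags, call_id, stub, auth=None, auth_value=b""):
    """Constructed test PDU (little-endian DREP); auth_value is a dummy signature and is not verified here."""
    body = struct.pack("<IHH", len(stub), 0, 0) + stub
    if auth:
        pad = (-len(stub)) % 4                     # 4-byte align the auth trailer
        body += b"\0" * pad + struct.pack("<BBBBI", auth[0], auth[1], pad, 0, auth[2]) + auth_value
    hdr = struct.pack("<BBBB4sHHI", 5, 0, 0, flags, b"\x10\0\0\0", 16 + len(body), len(auth_value), call_id)
    return hdr + body

SIGNED = (9, 6, 1)   # constructed auth_state: auth_type 9 (SPNEGO), auth_level 6 (privacy), context id 1
GOOD = [build_fragment(f, 7, s, SIGNED, b"\0" * 16) for f, s in ((PFC_FIRST_FRAG, b"A" * 10), (PFC_LAST_FRAG, b"B" * 10))]
BAD = [GOOD[0], build_fragment(PFC_LAST_FRAG, 7, b"B" * 10)]   # later fragment carries no auth trailer at all
```

A server that enforces this check rejects BAD, whereas one that only validated the first fragment's header would splice the unauthenticated second fragment into the request.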
Flags: metze: review+