====================================================================
== Subject:     Unprivileged adding of CNAME record causing loop
==              in AD Internal DNS server
==
== CVE ID#:     CVE-2018-14629
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     CNAME loops can cause DNS server crashes, and CNAMEs
==              can be added by unprivileged users.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.7.12, 4.8.7, and 4.9.3 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The Samba AD DC can be configured to use BIND9 for DNS.

This is done by running 
 samba_upgradedns --dns-backend=BIND9_DLZ
and then disabling the 'dns' service in the smb.conf (eg 'server services =
-dns)

=======
Credits
=======

The initial bug was found by Florian Stülpner 

Aaron Haslett of Catalyst did the investigation and wrote the patch.