===========================================================
== Subject:     Samba AD DC RPC multiple listener DoS
==
== CVE ID#:
==
== Versions:    All versions of Samba since Samba 4.16
==
== Summary:     Samba can be made to start multiple incompatible
==              RPC listeners, disrupting service on the AD DC.
===========================================================

===========
Description
===========

Samba as an Active Directory DC operates RPC services from two
distinct parts of the codebase. Those services focused on the AD DC
are started in the main "samba" process, while services focused on
the fileserver and NT4-like DC are started from the new
samba-dcerpcd, which is launched on-demand from the fileserver (smbd)
tasks.

When starting, samba-dcerpcd must first confirm which services not to
provide, so as to avoid duplicate listeners.

The issue in this advisory is that, when Samba's RPC server is under
load, or otherwise not responding, the servers NOT built for the AD
DC (e.g. built instead for the NT4-emulation "classic DCs") can be
started, and compete to listen on the same unix domain sockets.

This then results in some queries being answered by the AD DC, and
some not.

This has been seen in production at multiple sites, as "The procedure
number is out of range" when starting the Active Directory Users and
Computers tool; however it can also be triggered maliciously, to
prevent service on the AD DC.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases
to correct the defect. Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

Setting "rpc start on demand helpers = no" in the smb.conf will
disable the file-server based RPC servers entirely. While used less
often, these services are required, so this is not a long-term
solution.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
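An added example, not part of this advisory or of Samba's own code, for checking whether the workaround above is actually in effect in an smb.conf: it is a simplified reader of the [global] section (it does not follow "include =" or "config file =") and assumes Samba's documented default of "yes" when the parameter is unset, with Samba's case- and whitespace-insensitive parameter-name matching and its yes/no/true/false/1/0 boolean forms.

```python
import re

PARAM = "rpc start on demand helpers"  # Samba's default for it is "yes"

def _canon(name):
    # Samba matches parameter names case-insensitively and ignores whitespace.
    return re.sub(r"\s+", "", name).lower()

def _to_bool(value):
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError(f"not a Samba boolean: {value!r}")

def global_param(conf_text, name):
    """Return the last value of `name` set in [global], or None if unset."""
    wanted, section, found = _canon(name), None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                       # share-level settings do not apply
        key, _, value = line.partition("=")
        if _canon(key) == wanted:
            found = value.strip()          # a later setting overrides an earlier one
    return found

def on_demand_helpers_enabled(conf_text):
    value = global_param(conf_text, PARAM)
    return True if value is None else _to_bool(value)

def workaround_applied(conf_text):
    """True when the file-server based RPC servers are disabled."""
    return not on_demand_helpers_enabled(conf_text)

# Constructed sample configs (not from any real site); the setting under
# [sysvol] is share-level and must be ignored by the check.
VULNERABLE_CONF = """\
[global]
    server role = active directory domain controller
[sysvol]
    rpc start on demand helpers = no
"""
MITIGATED_CONF = VULNERABLE_CONF.replace(
    "[sysvol]", "    RPC Start On Demand Helpers = No\n[sysvol]", 1)
```

Run it against the real file with `workaround_applied(open("/etc/samba/smb.conf").read())`; a False result means the on-demand helpers are still enabled and the AD DC remains exposed until patched.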