Bug 14258 - DNS scavenging will crash if dNSTombstoned is set to FALSE
Status: RESOLVED FIXED
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.12.0rc1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Reported: 2020-01-31 03:07 UTC by Andrew Bartlett
Modified: 2020-03-10 09:29 UTC

Attachments
patch for master to fix this issue (with tests!) (5.52 KB, patch)
2020-01-31 03:10 UTC, Andrew Bartlett
patch for Samba 4.12 (cherry-picked from master patch) (6.05 KB, patch)
2020-02-20 22:38 UTC, Andrew Bartlett
abartlet: review? (gary)
metze: review+
patch for Samba 4.11 (cherry-picked from master patch) (6.05 KB, patch)
2020-02-20 22:41 UTC, Andrew Bartlett
abartlet: review? (gary)
metze: review+
patch for Samba 4.10 (cherry-picked from master patch) (6.05 KB, patch)
2020-02-20 22:41 UTC, Andrew Bartlett
abartlet: review? (gary)
metze: review+

Description Andrew Bartlett 2020-01-31 03:07:57 UTC
When DNS scavenging a record that has been deleted and then re-created, the objectclass_attrs module can crash while handling a record with dNSTombstoned: FALSE set.

Any user owning a DNS record can set this attribute, and so crash the kcc task on the Samba AD DC, if DNS scavenging is enabled on the zone and globally.
Comment 1 Andrew Bartlett 2020-01-31 03:10:27 UTC
Created attachment 15758
patch for master to fix this issue (with tests!)

I would rather not make a security release for this, but this is uploaded here so we can consider what we should do.
Comment 2 Andrew Bartlett 2020-02-03 00:42:56 UTC
I've run the sums on this and I think it would score a:

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L (4.3)

We published a different number, but I think a more correct number for
CVE-2019-19344 was probably (5.4).

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L

In both cases Douglas reminds me that we can run for a very long time
without a KCC, which is why I've changed the availability impact to
'Low'.  I don't think we need a CVE for this then (as a 4.3).

Therefore I'm removing the embargo.
Comment 3 Andrew Bartlett 2020-02-20 22:38:48 UTC
Created attachment 15803
patch for Samba 4.12 (cherry-picked from master patch)
Comment 4 Andrew Bartlett 2020-02-20 22:41:08 UTC
Created attachment 15804
patch for Samba 4.11 (cherry-picked from master patch)
Comment 5 Andrew Bartlett 2020-02-20 22:41:46 UTC
Created attachment 15805
patch for Samba 4.10 (cherry-picked from master patch)
Comment 6 Karolin Seeger 2020-02-26 10:25:53 UTC
Pushed to autobuild-v4-{10,11,12}-test.
Comment 7 Karolin Seeger 2020-03-10 09:29:42 UTC
(In reply to Karolin Seeger from comment #6)
Pushed to all branches.
Closing out bug report.

Thanks!