Bug 14694 (CVE-2021-3670) - CVE-2021-3670 [SECURITY] MaxQueryDuration not honoured in Samba AD DC LDAP
Summary: CVE-2021-3670 [SECURITY] MaxQueryDuration not honoured in Samba AD DC LDAP
Status: RESOLVED FIXED
Alias: CVE-2021-3670
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.14.3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-26 21:00 UTC by Andrew Bartlett
Modified: 2022-07-19 22:26 UTC (History)
CC: 4 users

See Also:


Attachments
patch from master backported to 4.15, 4.14 and 4.13 (12.69 KB, patch)
2021-11-30 06:39 UTC, Andrew Bartlett
dbagnall: review+
v2 patch series with all 7 patches (22.89 KB, patch)
2021-11-30 23:27 UTC, Douglas Bagnall
abartlet: review+
v3 patch, with cherry-pick markers (23.36 KB, patch)
2021-12-01 21:36 UTC, Douglas Bagnall
abartlet: review+
Patch to only avoid modify of filter in anr (for 4.12) (3.74 KB, patch)
2022-07-19 22:26 UTC, Andrew Bartlett
no flags

Description Andrew Bartlett 2021-04-26 21:00:09 UTC
Samba's AD DC does not seem to honour MaxQueryDuration
Comment 1 Andrew Bartlett 2021-04-26 21:35:48 UTC
In ldapsrv_SearchRequest() we do:

	ldb_set_timeout(samdb, lreq, req->timelimit);

But we don't cap it to the global policy.

We should also detect any requests that go over the global timeout and log them.
Comment 2 Andrew Bartlett 2021-09-27 10:15:06 UTC
Created attachment 16825 [details]
initial advisory (v01)
Comment 3 Douglas Bagnall 2021-09-28 22:34:06 UTC
Comment on attachment 16825 [details]
initial advisory (v01)

Advisory text looks fine to me, though I would re-wrap the first paragraph of _Description_.
Comment 4 Andrew Bartlett 2021-11-18 03:29:21 UTC
Comment on attachment 16825 [details]
initial advisory (v01)

Removing advisory as this is just confusing as we won't do a security release for this any more, as this has been downgraded to a hardening. 

CVE kept in case others want to track the hardening as something more significant, but as a Denial of Service and one where a determined attacker could just increase the request rate Samba won't do a specific release for this.
Comment 5 Andrew Bartlett 2021-11-18 03:31:17 UTC
Removing embargo, as while this is a very worthwhile fix, a coordinated disclosure etc implies that the fix would be total and sufficient, whereas in this case even after patching, the attacker could just use a little more effort and continue to deny service.

Therefore it is better and safer to just patch as normal in a maintenance release.

However the issue is real, so keep the CVE in case others want to track it.
Comment 6 Andrew Bartlett 2021-11-18 03:36:51 UTC
Some more context on this issue:

LDAP search filters can be very complex, search filters
are not limited to indexed attributes and they can also include
complex extended match rules like LDAP_MATCHING_RULE_IN_CHAIN.

The LDAP Policy setting "lDAPAdminLimits: MaxQueryDuration=120"
(by default) should have provided a generous upper bound, however
the policy was previously not considered in setting the timeout.

Additionally, no interruption points were set in the filter handling to
check if the operation was over-time.

==================
CVSSv3 calculation
==================

(given that all LDAP threads could be locked up):

CVSS:3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
Comment 7 Samba QA Contact 2021-11-25 02:31:04 UTC
This bug was referenced in samba master:

dcfcafdbf756e12d9077ad7920eea25478c29f81
86fe9d48883f87c928bf31ccbd275db420386803
e1ab0c43629686d1d2c0b0b2bcdc90057a792049
1d5b155619bc532c46932965b215bd73a920e56f
2b3af3b560c9617a233c131376c870fce146c002
5f0590362c5c0c5ee20503a67467f9be2d50e73b
3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393
Comment 8 Andrew Bartlett 2021-11-30 06:39:48 UTC
Created attachment 17032 [details]
patch from master backported to 4.15, 4.14 and 4.13

NOTE: While this has a CVE- marker, 4.13 is not taking this level of security patch.

This has a CVE for tracking, but we are not doing an embargoed release for this.  The issue is similar to our rule against a CVE for a crash in a re-starting server, just as eventually the service will restart, eventually the LDAP request will finish.
Comment 9 Douglas Bagnall 2021-11-30 21:55:40 UTC
Comment on attachment 17032 [details]
patch from master backported to 4.15, 4.14 and 4.13

CVE-2021-3670-ldap_spin-v4-15.patch contains the first 4 patches of the 7 patch series on master (otherwise unchanged).

The dropped 3 patches tidy up logging, which is nice but not critical, so it's ok and perhaps preferable to drop them from the security backport.
Comment 10 Andrew Bartlett 2021-11-30 22:26:13 UTC
(In reply to Douglas Bagnall from comment #9)
Thanks for checking that.  Sorry I missed those, I'll re-do, the logging is important to allow fine-tuning of this work.
Comment 11 Douglas Bagnall 2021-11-30 23:27:47 UTC
Created attachment 17034 [details]
v2 patch series with all 7 patches

In that case you want this patch.

It applies back to 4.11.
Comment 12 Andrew Bartlett 2021-12-01 00:12:05 UTC
Re-assigning to Jule for 4.15.next and 4.14.next
Comment 13 Jule Anger 2021-12-01 07:49:53 UTC
(In reply to Andrew Bartlett from comment #12)
The cherry-picked marker is missing. Please add :-)
Comment 14 Douglas Bagnall 2021-12-01 21:36:47 UTC
Created attachment 17038 [details]
v3 patch, with cherry-pick markers

Thanks Jule. Here you go.
Comment 15 Andrew Bartlett 2021-12-01 23:48:12 UTC
Sorry about that, this time should be better.
Comment 16 Jule Anger 2021-12-02 10:25:10 UTC
Thanks!
Pushed to autobuild-v4-{15,14}-test.
Comment 17 Samba QA Contact 2021-12-02 11:53:04 UTC
This bug was referenced in samba v4-14-test:

dc71ae17782ef4c6cac51e51b0b8b7ad77b556a0
f72090064bd674ea3a6d6b2e7556a9a85bb01df6
f9b2267c6eb8138fc94df7a138ad5d87526f1d79
08c9016cb9f25105c39488770113a1b00f8a4223
d92dfb0dabf9cfccb86f2b1146d6c353af2e1435
3a4eb50cf74671de3442d179bd2d44afd5bc52c1
3e8d6e681f8dbe79e4595549f78c42649b3573a2
Comment 18 Samba QA Contact 2021-12-02 11:55:23 UTC
This bug was referenced in samba v4-15-test:

5d39c5b54b95a3bafadd2144f1c3250fbb1ac059
127024249351b42f5f5c72f5614d51d3c8a1b8d0
6b5cb85c2cc395020b29e20dc7292692c0ac781b
4f1dbaf60b83967a0f60464ec4f803271e9915f1
1142f18ff1d8e8b66e51fe5a1f591f55ba5f0d13
9f4c89d0d3f530f7729f28b3183ade581e76f37a
9aa03f402b7af97384e44dd4417587ccf98e138d
Comment 19 Jule Anger 2021-12-02 15:38:11 UTC
Closing out bug report.

Thanks!
Comment 20 Samba QA Contact 2021-12-08 14:40:13 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.3):

5d39c5b54b95a3bafadd2144f1c3250fbb1ac059
127024249351b42f5f5c72f5614d51d3c8a1b8d0
6b5cb85c2cc395020b29e20dc7292692c0ac781b
4f1dbaf60b83967a0f60464ec4f803271e9915f1
1142f18ff1d8e8b66e51fe5a1f591f55ba5f0d13
9f4c89d0d3f530f7729f28b3183ade581e76f37a
9aa03f402b7af97384e44dd4417587ccf98e138d
Comment 21 Andrew Bartlett 2021-12-15 06:58:10 UTC
Details on log levels and the timeout information given.

At Log level 1, we will log when a request has triggered a timeout, along with the IP address and authenticated SID.

At log level 3, we will log when a request has taken more than 1/4 the timeout.

At log level 5, we will log all queries and the time they take.

This is all on the 'main' log level, not under a distinct debug class.
Comment 22 Andrew Bartlett 2021-12-15 07:00:00 UTC
The policy is stored here:

dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN}
lDAPAdminLimits: MaxQueryDuration=120
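The following is an added example, not Samba's own code, written to illustrate the four points made in comments 1, 6, 21 and 22: the policy entry's lDAPAdminLimits values are parsed, the client-requested time limit is capped to MaxQueryDuration rather than trusted as-is, the filter evaluation re-checks its deadline on every entry (the missing interruption points), and a finished query is classified against the log-level thresholds from comment 21. The policy entry below is a constructed sample modelled on the DN in comment 22 (the DC components and the limits other than MaxQueryDuration are sample values); the assumption that an LDAP timeLimit of 0 means "no client-requested limit" follows the LDAP protocol, and the 120-second fallback is the default named in comment 6.

```python
"""Cap a client-requested LDAP time limit to the MaxQueryDuration policy
and check the deadline while evaluating a filter (added illustration)."""
import time

DEFAULT_MAX_QUERY_DURATION = 120  # seconds; the AD default named in comment 6

# Constructed sample policy object, modelled on the DN given in comment 22.
# Everything except "MaxQueryDuration=120" is sample data, not read from a DC.
SAMPLE_POLICY_ENTRY = {
    "dn": "CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,"
          "CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com",
    "lDAPAdminLimits": [
        "MaxQueryDuration=120",
        "MaxPageSize=1000",
        "MaxTempTableSize=10000",
    ],
}


def parse_admin_limits(values):
    """Parse lDAPAdminLimits 'Name=Value' strings into {name: int}.
    Malformed values are skipped rather than trusted."""
    limits = {}
    for value in values:
        name, sep, number = value.partition("=")
        if sep and number.strip().lstrip("-").isdigit():
            limits[name.strip()] = int(number)
    return limits


def policy_max_query_duration(entry):
    """Return the policy's MaxQueryDuration, falling back to the default
    when the attribute is absent or not a positive number of seconds."""
    limits = parse_admin_limits(entry.get("lDAPAdminLimits", []))
    value = limits.get("MaxQueryDuration", DEFAULT_MAX_QUERY_DURATION)
    return value if value > 0 else DEFAULT_MAX_QUERY_DURATION


def effective_timeout(client_timelimit, policy_max):
    """The fix comment 1 asks for: the client's timeLimit is only honoured
    up to the policy maximum. timeLimit 0 means the client asked for no
    limit, so the policy value applies on its own."""
    if client_timelimit <= 0:
        return policy_max
    return min(client_timelimit, policy_max)


def make_fake_clock(step=1.0):
    """Deterministic clock for demos and tests: each call advances by step."""
    state = {"now": 0.0}

    def clock():
        now = state["now"]
        state["now"] += step
        return now
    return clock


def evaluate_with_deadline(candidates, predicate, timeout, clock=time.monotonic):
    """Walk candidate entries applying the filter predicate, re-checking the
    deadline on every entry so an expensive filter is cut off part-way
    (the interruption points comment 6 says were missing). Returns the
    matches found so far and whether the time limit was exceeded, which
    mirrors LDAP returning partial results with timeLimitExceeded."""
    deadline = clock() + timeout
    matches = []
    for entry in candidates:
        if clock() > deadline:
            return matches, True
        if predicate(entry):
            matches.append(entry)
    return matches, False


def log_level_for_query(elapsed, timeout):
    """Thresholds from comment 21: level 1 when the timeout was hit,
    level 3 when more than a quarter of it elapsed, level 5 otherwise
    (every query is logged at level 5)."""
    if elapsed >= timeout:
        return 1
    if elapsed > timeout / 4:
        return 3
    return 5


if __name__ == "__main__":
    policy_max = policy_max_query_duration(SAMPLE_POLICY_ENTRY)
    for requested in (0, 30, 3600):
        print(f"client timeLimit={requested:>4} -> effective {effective_timeout(requested, policy_max)}s")
    found, timed_out = evaluate_with_deadline(range(5), lambda e: e % 2 == 0, 2, make_fake_clock())
    print(f"matches={found} timed_out={timed_out} "
          f"log level={log_level_for_query(3, 2)}")
```

The fake clock makes the deadline check reproducible: with a two-second budget and a clock that advances one second per call, the walk is cut off after two entries and reports partial results, which is exactly the behaviour a server needs so that a slow filter cannot hold a worker thread for longer than the policy allows.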
Comment 23 Samba QA Contact 2021-12-15 14:53:18 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.11):

dc71ae17782ef4c6cac51e51b0b8b7ad77b556a0
f72090064bd674ea3a6d6b2e7556a9a85bb01df6
f9b2267c6eb8138fc94df7a138ad5d87526f1d79
08c9016cb9f25105c39488770113a1b00f8a4223
d92dfb0dabf9cfccb86f2b1146d6c353af2e1435
3a4eb50cf74671de3442d179bd2d44afd5bc52c1
3e8d6e681f8dbe79e4595549f78c42649b3573a2
Comment 24 Samba QA Contact 2022-01-24 12:45:04 UTC
This bug was referenced in samba v4-15-test:

d93892d2e8ed69758c15ab18bc03bba09e715bc6
Comment 25 Samba QA Contact 2022-01-24 14:01:04 UTC
This bug was referenced in samba v4-14-test:

6417cadc2770f5abc8aa78f32e1c25b83c4063f1
Comment 26 Stefan Metzmacher 2022-01-24 14:05:50 UTC
The ldb part is now also available in standalone releases 2.5.0, 2.4.2 and 2.3.3
Comment 27 Samba QA Contact 2022-03-15 13:25:59 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.6):

d93892d2e8ed69758c15ab18bc03bba09e715bc6
Comment 28 Samba QA Contact 2022-04-04 12:49:50 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.13):

6417cadc2770f5abc8aa78f32e1c25b83c4063f1
Comment 29 Andrew Bartlett 2022-07-19 22:26:16 UTC
Created attachment 17430 [details]
Patch to only avoid modify of filter in anr (for 4.12)

Samba 4.12 did not get the security patch for the long query time, but in case this is valuable for others, here is the backport to not modify the caller memory of the LDAP filter in anr.