Bug 14694 (CVE-2021-3670) - CVE-2021-3670 [SECURITY] MaxQueryDuration not honoured in Samba AD DC LDAP
Summary: CVE-2021-3670 [SECURITY] MaxQueryDuration not honoured in Samba AD DC LDAP
Status: NEW
Alias: CVE-2021-3670
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.14.3
Hardware: All / OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on:
Reported: 2021-04-26 21:00 UTC by Andrew Bartlett
Modified: 2021-11-25 02:31 UTC
CC List: 4 users

Description Andrew Bartlett 2021-04-26 21:00:09 UTC
Samba's AD DC does not seem to honour MaxQueryDuration
Comment 1 Andrew Bartlett 2021-04-26 21:35:48 UTC
In ldapsrv_SearchRequest() we do:

	ldb_set_timeout(samdb, lreq, req->timelimit);

But we don't cap it to the global policy.

We should also detect any requests that go over the global timeout and log them.
Comment 2 Andrew Bartlett 2021-09-27 10:15:06 UTC
Created attachment 16825 [details]
initial advisory (v01)
Comment 3 Douglas Bagnall 2021-09-28 22:34:06 UTC
Comment on attachment 16825 [details]
initial advisory (v01)

Advisory text looks fine to me, though I would re-wrap the first paragraph of _Description_.
Comment 4 Andrew Bartlett 2021-11-18 03:29:21 UTC
Comment on attachment 16825 [details]
initial advisory (v01)

Removing advisory as this is just confusing as we won't do a security release for this any more, as this has been downgraded to a hardening.

CVE kept in case others want to track the hardening as something more significant, but as a Denial of Service and one where a determined attacker could just increase the request rate Samba won't do a specific release for this.
Comment 5 Andrew Bartlett 2021-11-18 03:31:17 UTC
Removing embargo, as while this is a very worthwhile fix, a coordinated disclosure etc implies that the fix would be total and sufficient, whereas in this case even after patching, the attacker could just use a little more effort and continue to deny service.

Therefore it is better and safer to just patch as normal in a maintenance release.

However the issue is real, so keep the CVE in case others want to track it.
Comment 6 Andrew Bartlett 2021-11-18 03:36:51 UTC
Some more context on this issue:

LDAP search filters can be very complex, search filters
are not limited to indexed attributes and they can also include
complex extended match rules like LDAP_MATCHING_RULE_IN_CHAIN.

The LDAP Policy setting "lDAPAdminLimits: MaxQueryDuration=120"
(by default) should have provided a generous upper bound, however
the policy was previously not considered in setting the timeout.

Additionally, no interruption points were set in the filter handling to
check if the operation was over-time.

CVSSv3 calculation

(given that all LDAP threads could be locked up):

CVSS:3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
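The two hardening points in the comment above (cap the client's requested time limit to the MaxQueryDuration policy, and add interruption points inside filter evaluation) can be illustrated with a small stand-alone model. This is an added example written for this page, not Samba's code: POLICY_MAX_QUERY_DURATION, cap_query_timeout(), filter_match(), run_search() and the stepping fake clock are all hypothetical names, and the filter tree is a constructed toy rather than Samba's ldb parse tree. Each visited filter node "costs" one second on the fake clock, so a wide filter walked with timeLimit=0 (LDAP's "unlimited") still stops at the policy ceiling instead of running to completion.

```c
/* Added example, not Samba code: cap a client timeLimit to the
 * MaxQueryDuration policy and check a deadline while walking a filter. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <time.h>

/* Hypothetical stand-in for "lDAPAdminLimits: MaxQueryDuration=120" (seconds). */
#define POLICY_MAX_QUERY_DURATION 120

/* Clamp a client-supplied timeLimit (seconds; 0 means "no limit" in LDAP) to
 * the policy maximum. The unpatched path quoted in comment 1 passed
 * req->timelimit through unchanged. A policy of <= 0 means "not configured". */
int cap_query_timeout(int client_timelimit, int policy_max)
{
    if (policy_max <= 0) {
        return client_timelimit;
    }
    if (client_timelimit <= 0 || client_timelimit > policy_max) {
        return policy_max;
    }
    return client_timelimit;
}

/* Toy filter tree: AND/OR nodes with children; leaves carry a fixed result. */
enum filter_op { FILTER_LEAF, FILTER_AND, FILTER_OR };

struct filter {
    enum filter_op op;
    bool leaf_result;          /* constructed: what this leaf evaluates to */
    struct filter *children;
    size_t num_children;
};

typedef time_t (*clock_fn)(void);

/* Per-search state: the clock source, the absolute deadline, and a flag set
 * once the deadline has passed so later nodes bail out immediately. */
struct eval_ctx {
    clock_fn clock;
    time_t deadline;
    unsigned long visited;
    bool timed_out;
};

/* Interruption point: a cheap check run at every filter node. */
static bool check_deadline(struct eval_ctx *ctx)
{
    if (!ctx->timed_out && ctx->clock() > ctx->deadline) {
        ctx->timed_out = true;
    }
    return ctx->timed_out;
}

/* Recursive match with an interruption point per node. Returns false when
 * the deadline was hit; *matched is only meaningful when it returns true. */
bool filter_match(struct eval_ctx *ctx, const struct filter *f, bool *matched)
{
    ctx->visited++;
    if (check_deadline(ctx)) {
        return false;
    }
    if (f->op == FILTER_LEAF) {
        *matched = f->leaf_result;
        return true;
    }
    bool acc = (f->op == FILTER_AND);
    for (size_t i = 0; i < f->num_children; i++) {
        bool sub = false;
        if (!filter_match(ctx, &f->children[i], &sub)) {
            return false;
        }
        acc = (f->op == FILTER_AND) ? (acc && sub) : (acc || sub);
    }
    *matched = acc;
    return true;
}

enum search_status { SEARCH_MATCH, SEARCH_NO_MATCH, SEARCH_TIME_LIMIT_EXCEEDED };

/* Deadline = now + capped timeout; the walk aborts with the LDAP-style
 * timeLimitExceeded outcome instead of running the filter to completion. */
enum search_status run_search(clock_fn clock, int client_timelimit,
                              const struct filter *f)
{
    struct eval_ctx ctx = { .clock = clock, .visited = 0, .timed_out = false };
    int timeout = cap_query_timeout(client_timelimit, POLICY_MAX_QUERY_DURATION);
    ctx.deadline = clock() + timeout;
    bool matched = false;
    if (!filter_match(&ctx, f, &matched)) {
        return SEARCH_TIME_LIMIT_EXCEEDED;
    }
    return matched ? SEARCH_MATCH : SEARCH_NO_MATCH;
}

/* Constructed clock: advances one second per call, so every visited node
 * costs one second and results are deterministic. */
static time_t fake_now;
static time_t stepping_clock(void) { return fake_now++; }

/* Demonstration: a wide OR filter whose last leaf is the only match. */
enum search_status demo_search(int client_timelimit, size_t num_leaves)
{
    struct filter leaves[256];
    if (num_leaves > 256) {
        num_leaves = 256;
    }
    for (size_t i = 0; i < num_leaves; i++) {
        leaves[i] = (struct filter){ .op = FILTER_LEAF,
                                     .leaf_result = (i + 1 == num_leaves) };
    }
    struct filter root = { .op = FILTER_OR, .children = leaves,
                           .num_children = num_leaves };
    fake_now = 0;
    return run_search(stepping_clock, client_timelimit, &root);
}

int main(void)
{
    printf("timeLimit=0, 10 leaves:  status %d\n", demo_search(0, 10));
    printf("timeLimit=0, 200 leaves: status %d\n", demo_search(0, 200));
    return 0;
}
```

With the policy at 120 seconds, the 10-leaf filter completes (status 0, a match) while the 200-leaf filter is cut off (status 2) even though the client asked for no limit; a client limit below the policy is honoured as-is. The deadline check is deliberately placed inside the recursion rather than only around the whole search, which is the difference between a server that notices the overrun and one that keeps an LDAP worker busy until the filter finishes.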
Comment 7 Samba QA Contact 2021-11-25 02:31:04 UTC
This bug was referenced in samba master: