Bug 14694 (CVE-2021-3670) - CVE-2021-3670 [SECURITY] MaxQueryDuration not honoured in Samba AD DC LDAP
Summary: CVE-2021-3670 [SECURITY] MaxQueryDuration not honoured in Samba AD DC LDAP
Status: NEW
Alias: CVE-2021-3670
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.14.3
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-04-26 21:00 UTC by Andrew Bartlett
Modified: 2021-11-25 02:31 UTC
Description Andrew Bartlett 2021-04-26 21:00:09 UTC
Samba's AD DC does not seem to honour MaxQueryDuration
Comment 1 Andrew Bartlett 2021-04-26 21:35:48 UTC
In ldapsrv_SearchRequest() we do:

	ldb_set_timeout(samdb, lreq, req->timelimit);

But we don't cap it to the global policy.

We should also detect any requests that go over the global timeout and log them.
Comment 2 Andrew Bartlett 2021-09-27 10:15:06 UTC
Created attachment 16825
initial advisory (v01)
Comment 3 Douglas Bagnall 2021-09-28 22:34:06 UTC
Comment on attachment 16825
initial advisory (v01)

Advisory text looks fine to me, though I would re-wrap the first paragraph of _Description_.
Comment 4 Andrew Bartlett 2021-11-18 03:29:21 UTC
Comment on attachment 16825
initial advisory (v01)

Removing advisory as this is just confusing as we won't do a security release for this any more, as this has been downgraded to a hardening.

CVE kept in case others want to track the hardening as something more significant, but as a Denial of Service and one where a determined attacker could just increase the request rate Samba won't do a specific release for this.
Comment 5 Andrew Bartlett 2021-11-18 03:31:17 UTC
Removing embargo, as while this is a very worthwhile fix, a coordinated disclosure etc implies that the fix would be total and sufficient, whereas in this case even after patching, the attacker could just use a little more effort and continue to deny service.

Therefore it is better and safer to just patch as normal in a maintenance release.

However the issue is real, so keep the CVE in case others want to track it.
Comment 6 Andrew Bartlett 2021-11-18 03:36:51 UTC
Some more context on this issue:

LDAP search filters can be very complex; search filters
are not limited to indexed attributes, and they can also include
complex extended match rules like LDAP_MATCHING_RULE_IN_CHAIN.

The LDAP Policy setting "lDAPAdminLimits: MaxQueryDuration=120"
(by default) should have provided a generous upper bound, however
the policy was previously not considered in setting the timeout.

Additionally, no interruption points were set in the filter handling to
check if the operation was over-time.

==================
CVSSv3 calculation
==================

(given that all LDAP threads could be locked up):

CVSS:3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
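An added example, not Samba's code, illustrating the two hardening steps discussed in comments 1 and 6: capping the client's requested time limit to the MaxQueryDuration policy (120 seconds by default, as stated above) and checking a time budget at interruption points during filter evaluation, with a log line when a request runs over. All function and struct names are hypothetical, the lDAPAdminLimits value string is a constructed sample, and the clock is simulated so the walk is deterministic.

```c
/* Added example (hypothetical helper names; not Samba's code). Shows the two
 * hardening steps the thread describes: cap the client's requested time
 * limit to the lDAPAdminLimits MaxQueryDuration policy (default 120 s per
 * the report), and check an elapsed-time budget at interruption points
 * while walking filter candidates, logging when the budget is exceeded. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define DEFAULT_MAX_QUERY_DURATION 120   /* seconds; the default named in the report */

/* Parse a single lDAPAdminLimits value such as "MaxQueryDuration=120".
 * Any other limit name, or a malformed or non-positive number, yields the
 * default rather than an unbounded query. */
int parse_max_query_duration(const char *admin_limit)
{
	const char *prefix = "MaxQueryDuration=";
	size_t plen = strlen(prefix);
	char *end = NULL;
	long v;

	if (admin_limit == NULL || strncmp(admin_limit, prefix, plen) != 0) {
		return DEFAULT_MAX_QUERY_DURATION;
	}
	v = strtol(admin_limit + plen, &end, 10);
	if (end == admin_limit + plen || *end != '\0' || v <= 0) {
		return DEFAULT_MAX_QUERY_DURATION;
	}
	return (int)v;
}

/* The timeout actually applied to a search: the client's timeLimit (0 means
 * "no limit" in the LDAP SearchRequest), capped by the policy maximum. The
 * bug was passing the request's timelimit straight through without this cap. */
int effective_timeout(int client_timelimit, int policy_max)
{
	if (client_timelimit <= 0 || client_timelimit > policy_max) {
		return policy_max;
	}
	return client_timelimit;
}

/* Per-request time budget consulted at interruption points. */
struct query_budget {
	time_t deadline;
	unsigned long checks;  /* how many interruption points have fired */
};

void budget_start(struct query_budget *b, time_t now, int timeout_secs)
{
	b->deadline = now + timeout_secs;
	b->checks = 0;
}

bool budget_expired(struct query_budget *b, time_t now)
{
	b->checks++;
	return now >= b->deadline;
}

/* Simulated filter walk: each candidate entry costs secs_per_entry of
 * simulated wall time, and an interruption point runs before every entry.
 * Returns the number of entries evaluated before the budget ran out (or all
 * of them). A simulated clock keeps the result deterministic; real code
 * would read the monotonic clock instead. */
int walk_filter_with_budget(int timeout_secs, int entries, int secs_per_entry)
{
	struct query_budget b;
	time_t now = 0;  /* simulated clock, starts at request arrival */
	int evaluated = 0;
	int i;

	budget_start(&b, now, timeout_secs);
	for (i = 0; i < entries; i++) {
		if (budget_expired(&b, now)) {
			/* Detection step from comment 1: log the over-time request */
			fprintf(stderr, "LDAP search exceeded %d s after %d of %d entries\n",
				timeout_secs, evaluated, entries);
			break;
		}
		now += secs_per_entry;   /* "evaluate" the entry against the filter */
		evaluated++;
	}
	return evaluated;
}

int main(void)
{
	/* Constructed sample policy value, as it would appear in lDAPAdminLimits */
	int policy = parse_max_query_duration("MaxQueryDuration=120");
	int t = effective_timeout(3600, policy);  /* client asks for an hour */
	printf("policy=%d effective=%d\n", policy, t);
	printf("evaluated %d entries\n", walk_filter_with_budget(5, 10, 1));
	return 0;
}
```

The cap in effective_timeout is the fix for the missing policy check in ldapsrv_SearchRequest(); the budget check inside the loop is the interruption point that was absent from the filter handling, and it also provides the place to log requests that run over the global timeout.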
Comment 7 Samba QA Contact 2021-11-25 02:31:04 UTC
This bug was referenced in samba master:

dcfcafdbf756e12d9077ad7920eea25478c29f81
86fe9d48883f87c928bf31ccbd275db420386803
e1ab0c43629686d1d2c0b0b2bcdc90057a792049
1d5b155619bc532c46932965b215bd73a920e56f
2b3af3b560c9617a233c131376c870fce146c002
5f0590362c5c0c5ee20503a67467f9be2d50e73b
3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393