Samba's AD DC does not seem to honour MaxQueryDuration
In ldapsrv_SearchRequest() we do: ldb_set_timeout(samdb, lreq, req->timelimit); But we don't cap it to the global policy. We should also detect any requests that go over the global timeout and log them.
Created attachment 16825 [details] initial advisory (v01)
Comment on attachment 16825 [details] initial advisory (v01) Advisory text looks fine to me, though I would re-wrap the first paragraph of _Description_.
Comment on attachment 16825 [details] initial advisory (v01) Removing advisory as this is just confusing as we won't do a security release for this any more, as this has been downgraded to a hardening. CVE kept in case others want to track the hardening as something more significant, but as a Denial of Service and one where a determined attacker could just increase the request rate Samba won't do a specific release for this.
Removing embargo, as while this is a very worthwhile fix, a coordinated disclosure etc implies that the fix would be total and sufficient, whereas in this case even after patching, the attacker could just use a little more effort and continue to deny service. Therefore it is better and safer to just patch as normal in a maintenance release. However the issue is real, so keep the CVE in case others want to track it.
Some more context on this issue: LDAP search filters can be very complex, search filters are not limited to indexed attributes and they can also include complex extended match rules like LDAP_MATCHING_RULE_IN_CHAIN. The LDAP Policy setting "lDAPAdminLimits: MaxQueryDuration=120" (by default) should have provided a generous upper bound, however the policy was previously not considered in setting the timeout. Additionally, no interruption points were set in the filter handling to check if the operation was over-time.
==================
CVSSv3 calculation
==================
(given that all LDAP threads could be locked up): CVSS:3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
This bug was referenced in samba master: dcfcafdbf756e12d9077ad7920eea25478c29f81 86fe9d48883f87c928bf31ccbd275db420386803 e1ab0c43629686d1d2c0b0b2bcdc90057a792049 1d5b155619bc532c46932965b215bd73a920e56f 2b3af3b560c9617a233c131376c870fce146c002 5f0590362c5c0c5ee20503a67467f9be2d50e73b 3507e96b3dcf0c0b8eff7b2c08ffccaf0812a393
Created attachment 17032 [details] patch from master backported to 4.15, 4.14 and 4.13 NOTE: While this has a CVE- marker, 4.13 is not taking this level of security patch. This has a CVE for tracking, but we are not doing an embargoed release for this. The issue is similar to our rule against a CVE for a crash in a re-starting server, just as eventually the service will restart, eventually the LDAP request will finish.
Comment on attachment 17032 [details] patch from master backported to 4.15, 4.14 and 4.13 CVE-2021-3670-ldap_spin-v4-15.patch contains the first 4 patches of the 7 patch series on master (otherwise unchanged). The dropped 3 patches tidy up logging, which is nice but not critical, so it's ok and perhaps preferable to drop them from the security backport.
(In reply to Douglas Bagnall from comment #9) Thanks for checking that. Sorry I missed those, I'll re-do, the logging is important to allow fine-tuning of this work.
Created attachment 17034 [details] v2 patch series with all 7 patches In that case you want this patch. It applies back to 4.11.
Re-assigning to Jule for 4.15.next and 4.14.next
(In reply to Andrew Bartlett from comment #12) The cherry-picked marker is missing. Please add :-)
Created attachment 17038 [details] v3 patch, with cherry-pick markers thanks Jule. Here you go.
Sorry about that, this time should be better.
Thanks! Pushed to autobuild-v4-{15,14}-test.
This bug was referenced in samba v4-14-test: dc71ae17782ef4c6cac51e51b0b8b7ad77b556a0 f72090064bd674ea3a6d6b2e7556a9a85bb01df6 f9b2267c6eb8138fc94df7a138ad5d87526f1d79 08c9016cb9f25105c39488770113a1b00f8a4223 d92dfb0dabf9cfccb86f2b1146d6c353af2e1435 3a4eb50cf74671de3442d179bd2d44afd5bc52c1 3e8d6e681f8dbe79e4595549f78c42649b3573a2
This bug was referenced in samba v4-15-test: 5d39c5b54b95a3bafadd2144f1c3250fbb1ac059 127024249351b42f5f5c72f5614d51d3c8a1b8d0 6b5cb85c2cc395020b29e20dc7292692c0ac781b 4f1dbaf60b83967a0f60464ec4f803271e9915f1 1142f18ff1d8e8b66e51fe5a1f591f55ba5f0d13 9f4c89d0d3f530f7729f28b3183ade581e76f37a 9aa03f402b7af97384e44dd4417587ccf98e138d
Closing out bug report. Thanks!
This bug was referenced in samba v4-15-stable (Release samba-4.15.3): 5d39c5b54b95a3bafadd2144f1c3250fbb1ac059 127024249351b42f5f5c72f5614d51d3c8a1b8d0 6b5cb85c2cc395020b29e20dc7292692c0ac781b 4f1dbaf60b83967a0f60464ec4f803271e9915f1 1142f18ff1d8e8b66e51fe5a1f591f55ba5f0d13 9f4c89d0d3f530f7729f28b3183ade581e76f37a 9aa03f402b7af97384e44dd4417587ccf98e138d
Details on log levels and the timeout information given. At log level 1, we will log when a request has triggered a timeout, along with the IP address and authenticated SID. At log level 3, we will log when a request has taken more than 1/4 of the timeout. At log level 5, we will log all queries and the time they take. This is all on the 'main' log level, not under a distinct debug class.
The policy is stored here: dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,${CONFIGDN} lDAPAdminLimits: MaxQueryDuration=120
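The following is an added example, not Samba's own code, illustrating the two pieces of logic this thread asks for: reading MaxQueryDuration out of the lDAPAdminLimits values of the Default Query Policy object quoted above, capping a client-supplied search time limit to it (the check that ldb_set_timeout(samdb, lreq, req->timelimit) was missing), and the log-level thresholds described in the comment on timeout logging. The LDIF text is a constructed sample: the DN and the MaxQueryDuration value are those quoted in the bug, while the configuration suffix and the MaxPageSize/MaxConnections lines are assumed sample values. The edge case it handles is an LDAP timeLimit of 0, which per RFC 4511 means "no limit" and so must take the policy value rather than be treated as shorter than it.

```python
"""Cap an LDAP search timeLimit to the AD MaxQueryDuration policy.

Added example, not Samba code.  Models the checks discussed in the bug:
the client's timeLimit must never exceed lDAPAdminLimits MaxQueryDuration,
and slow requests are reported at the log levels the thread describes.
"""
import re

# Constructed sample of the policy entry as an LDAP client would see it.
# DN and MaxQueryDuration=120 are quoted in the bug; the configuration
# suffix and the other two limits are assumed sample values.
SAMPLE_POLICY_LDIF = """\
dn: CN=Default Query Policy,CN=Query-Policies,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=example,DC=com
objectClass: queryPolicy
lDAPAdminLimits: MaxQueryDuration=120
lDAPAdminLimits: MaxPageSize=1000
lDAPAdminLimits: MaxConnections=5000
"""

# Default used when the policy object carries no MaxQueryDuration value
# (the default the thread quotes).
DEFAULT_MAX_QUERY_DURATION = 120

_LIMIT_RE = re.compile(r"^lDAPAdminLimits:\s*([A-Za-z0-9]+)=(\d+)\s*$")


def parse_admin_limits(ldif_text):
    """Return {name: int} for every 'lDAPAdminLimits: Name=Value' line.

    Lines that are not lDAPAdminLimits values, or whose value is not a
    plain non-negative integer, are ignored.
    """
    limits = {}
    for line in ldif_text.splitlines():
        m = _LIMIT_RE.match(line)
        if m:
            limits[m.group(1)] = int(m.group(2))
    return limits


def policy_max_query_duration(ldif_text):
    """MaxQueryDuration from the policy entry, or the default if absent."""
    return parse_admin_limits(ldif_text).get(
        "MaxQueryDuration", DEFAULT_MAX_QUERY_DURATION)


def effective_timeout(client_timelimit, policy_max):
    """The timeout the server should actually apply to a search.

    timeLimit 0 means 'no limit' in LDAP (RFC 4511), so it must take the
    policy cap instead of winning a min() against it.  Negative values are
    invalid and are clamped to the policy as well.
    """
    if client_timelimit <= 0:
        return policy_max
    return min(client_timelimit, policy_max)


def log_level_for(elapsed_seconds, timeout_seconds):
    """Lowest log level at which the thread says this timing is reported.

    1: the request hit the timeout; 3: it took more than a quarter of the
    timeout; 5: every query is logged with its duration.
    """
    if elapsed_seconds >= timeout_seconds:
        return 1
    if elapsed_seconds > timeout_seconds / 4:
        return 3
    return 5


if __name__ == "__main__":
    cap = policy_max_query_duration(SAMPLE_POLICY_LDIF)
    for requested in (0, 30, 3600):
        print("client timeLimit=%d -> effective %ds"
              % (requested, effective_timeout(requested, cap)))
```

A client asking for timeLimit=3600 or timeLimit=0 ends up with the policy's 120 seconds, while a client asking for 30 keeps 30; the unpatched path in the bug would have passed 3600 (or "no limit") straight to ldb_set_timeout.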
This bug was referenced in samba v4-14-stable (Release samba-4.14.11): dc71ae17782ef4c6cac51e51b0b8b7ad77b556a0 f72090064bd674ea3a6d6b2e7556a9a85bb01df6 f9b2267c6eb8138fc94df7a138ad5d87526f1d79 08c9016cb9f25105c39488770113a1b00f8a4223 d92dfb0dabf9cfccb86f2b1146d6c353af2e1435 3a4eb50cf74671de3442d179bd2d44afd5bc52c1 3e8d6e681f8dbe79e4595549f78c42649b3573a2
This bug was referenced in samba v4-15-test: d93892d2e8ed69758c15ab18bc03bba09e715bc6
This bug was referenced in samba v4-14-test: 6417cadc2770f5abc8aa78f32e1c25b83c4063f1
The ldb part is now also available in standalone releases 2.5.0, 2.4.2 and 2.3.3
This bug was referenced in samba v4-15-stable (Release samba-4.15.6): d93892d2e8ed69758c15ab18bc03bba09e715bc6
This bug was referenced in samba v4-14-stable (Release samba-4.14.13): 6417cadc2770f5abc8aa78f32e1c25b83c4063f1
Created attachment 17430 [details] Patch to only avoid modify of filter in anr (for 4.12) Samba 4.12 did not get the security patch for the long query time, but in case this is valuable for others, here is the backport to not modify the caller memory of the LDAP filter in anr.