Bug 14875 (CVE-2021-23192) - CVE-2021-23192 [SECURITY][EMBARGOED] dcerpc requests don't check all fragments against the first auth_state
Status: RESOLVED FIXED
Alias: CVE-2021-23192
Product: Samba 4.1 and newer
Classification: Unclassified
Component: DCE-RPCs and pipes
Version: 4.15.0
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14834
Reported: 2021-10-19 14:32 UTC by Stefan Metzmacher
Modified: 2021-11-09 22:30 UTC
CC List: 6 users

See Also:


Attachments
patch for master (174.85 KB, patch)
    2021-10-29 01:38 UTC, Andrew Bartlett
    flags: metze: review+, scabrero: review+, abartlet: ci-passed+
patch for master backported to 4.15 (only) (174.85 KB, patch)
    2021-10-29 02:30 UTC, Andrew Bartlett
    flags: metze: review+, scabrero: review+, metze: ci-passed+
patch from master backported to 4.14 (v1) (221.68 KB, patch)
    2021-10-29 02:32 UTC, Andrew Bartlett
    flags: scabrero: review+, metze: ci-passed+
patch from master backported to 4.13 (v1) (221.82 KB, patch)
    2021-10-29 18:40 UTC, Stefan Metzmacher
    flags: scabrero: review+, metze: ci-passed+
advisory text (v01) (2.13 KB, text/plain)
    2021-11-02 08:30 UTC, Andrew Bartlett
    no flags
CVE-2021-23192-description.metze02.txt (2.63 KB, text/plain)
    2021-11-02 09:49 UTC, Stefan Metzmacher
    flags: abartlet: review+
Advisory text (v3) (2.83 KB, text/plain)
    2021-11-02 11:55 UTC, Samuel Cabrero
    no flags
Advisory text (v4) (2.87 KB, text/plain)
    2021-11-02 13:51 UTC, Stefan Metzmacher
    no flags
advisory text (v05) (3.02 KB, text/plain)
    2021-11-02 20:05 UTC, Andrew Bartlett
    flags: metze: review+
patch from master backported to 4.14 (v2) (221.78 KB, patch)
    2021-11-03 15:55 UTC, Stefan Metzmacher
    flags: metze: review+, metze: ci-passed+
patch from master backported to 4.13 (v2) (221.85 KB, patch)
    2021-11-03 15:56 UTC, Stefan Metzmacher
    flags: metze: review+, metze: ci-passed+
patch from master backported to 4.12 (222.75 KB, patch)
    2021-11-05 10:09 UTC, Joseph Sutton
    flags: abartlet: review+, jsutton: ci-passed+
advisory text (v06) (3.02 KB, text/plain)
    2021-11-05 14:08 UTC, Guenther Deschner
    flags: metze: review+
advisory text (v07) (3.02 KB, text/plain)
    2021-11-08 19:52 UTC, Stefan Metzmacher
    flags: abartlet: review+
patch from master backported to 4.10 (217.66 KB, patch)
    2021-11-09 04:05 UTC, Joseph Sutton
    flags: abartlet: review+

Description Stefan Metzmacher 2021-10-19 14:32:38 UTC
For multi-fragmented DCERPC Requests our server needs to make sure that
all fragments are protected by the same auth_state as the first fragment,
as that's the one that executes the requests.
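The check described in the report above, as an added example that is not Samba's code and not one of the attached patches: a small C model of a DCERPC request reassembler that records the auth_state of the first fragment (auth_type, auth_level and auth_context_id from the auth trailer, or "no auth trailer") and rejects any later fragment of the same call that is not protected by that same state, so a mixed stream can never be executed under the first fragment's authentication. The struct layout, the call_id value 7 and the two sample fragment streams are constructed for the example; only the pfc_flags bits and the SPNEGO/PRIVACY constants follow the protocol.

```c
/* Added example, not Samba code: a minimal model of the per-fragment
 * auth_state check CVE-2021-23192 describes.  A multi-fragment DCERPC request
 * runs under the auth_state of its FIRST fragment, so every later fragment must
 * carry that same state.  Layouts and sample values here are constructed. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

#define PFC_FIRST_FRAG 0x01           /* pfc_flags bits in the DCERPC header */
#define PFC_LAST_FRAG  0x02
#define DCERPC_AUTH_TYPE_SPNEGO   9   /* protocol-defined auth_type/auth_level */
#define DCERPC_AUTH_LEVEL_PRIVACY 6

/* One fragment: header fields plus the auth trailer fields (constructed layout). */
struct frag {
	uint8_t  pfc_flags;
	uint32_t call_id;
	uint16_t auth_length;            /* 0 means no auth trailer at all */
	uint8_t  auth_type;
	uint8_t  auth_level;
	uint32_t auth_context_id;
};

enum frag_result {
	FRAG_OK = 0,
	FRAG_BAD_SEQUENCE,      /* FIRST/LAST out of order, or no LAST seen */
	FRAG_CALL_ID_MISMATCH,  /* fragment belongs to another call */
	FRAG_AUTH_MISMATCH      /* auth_state differs from the first fragment */
};

/* Reassembly state: the first fragment fixes call_id and auth_state. */
struct request_ctx {
	bool have_first;
	bool complete;
	struct frag first;
};

/* Same auth_state: both unauthenticated, or same type/level/context_id. */
static bool same_auth_state(const struct frag *a, const struct frag *b)
{
	bool a_auth = a->auth_length != 0, b_auth = b->auth_length != 0;
	if (a_auth != b_auth) return false;
	if (!a_auth) return true;
	return a->auth_type == b->auth_type &&
	       a->auth_level == b->auth_level &&
	       a->auth_context_id == b->auth_context_id;
}

/* Feed one fragment into the context; the first problem found is reported. */
enum frag_result request_push_fragment(struct request_ctx *ctx, const struct frag *f)
{
	bool first = (f->pfc_flags & PFC_FIRST_FRAG) != 0;
	bool last  = (f->pfc_flags & PFC_LAST_FRAG) != 0;
	if (!ctx->have_first) {
		if (!first) return FRAG_BAD_SEQUENCE;
		ctx->have_first = true;
		ctx->first = *f;
	} else {
		if (first || ctx->complete) return FRAG_BAD_SEQUENCE;
		if (f->call_id != ctx->first.call_id) return FRAG_CALL_ID_MISMATCH;
		/* The check from the bug report: middle and last fragments must
		 * be protected by the same auth_state as the first fragment. */
		if (!same_auth_state(&ctx->first, f)) return FRAG_AUTH_MISMATCH;
	}
	if (last) ctx->complete = true;
	return FRAG_OK;
}

/* Validate a whole stream; one that never carries PFC_LAST_FRAG also fails. */
enum frag_result validate_request(const struct frag *frags, size_t n)
{
	struct request_ctx ctx = { 0 };
	for (size_t i = 0; i < n; i++) {
		enum frag_result r = request_push_fragment(&ctx, &frags[i]);
		if (r != FRAG_OK) return r;
	}
	return ctx.complete ? FRAG_OK : FRAG_BAD_SEQUENCE;
}

/* Constructed sample: three fragments, all SPNEGO/PRIVACY under context 1. */
enum frag_result check_consistent_sample(void)
{
	const struct frag frags[] = {
		{ PFC_FIRST_FRAG, 7, 16, DCERPC_AUTH_TYPE_SPNEGO, DCERPC_AUTH_LEVEL_PRIVACY, 1 },
		{ 0,              7, 16, DCERPC_AUTH_TYPE_SPNEGO, DCERPC_AUTH_LEVEL_PRIVACY, 1 },
		{ PFC_LAST_FRAG,  7, 16, DCERPC_AUTH_TYPE_SPNEGO, DCERPC_AUTH_LEVEL_PRIVACY, 1 },
	};
	return validate_request(frags, sizeof(frags) / sizeof(frags[0]));
}

/* Constructed sample: authenticated first fragment, then an unauthenticated last one. */
enum frag_result check_unauthenticated_tail_sample(void)
{
	const struct frag frags[] = {
		{ PFC_FIRST_FRAG, 7, 16, DCERPC_AUTH_TYPE_SPNEGO, DCERPC_AUTH_LEVEL_PRIVACY, 1 },
		{ PFC_LAST_FRAG,  7,  0, 0, 0, 0 },
	};
	return validate_request(frags, sizeof(frags) / sizeof(frags[0]));
}
```

The design point is that the comparison is made against the state captured from the first fragment, not against the previous fragment: the first fragment is the one whose auth_state the server will use when it executes the reassembled request, so that is the only reference that matters. Treating "no auth trailer" as its own state, rather than skipping the check when auth_length is zero, is what makes the unauthenticated-tail case fail.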
Comment 1 Andrew Bartlett 2021-10-21 22:12:11 UTC
I'm testing this with my priv_attrs patch in security-2021-11-for-master-try-2. 

I'm OK with it, but it really baffles me so if you can find another reviewer that would be awesome.
Comment 2 Andrew Bartlett 2021-10-28 17:19:28 UTC
Samuel,

Can you confirm that security-CVE-2021-23192-dcerpc-middle-fraq-ok is fine with your review.  Metze said you had given the OK at bfbffdff299e464386987b646e13b922cc06f92d but I just want to avoid any mistakes. 

Thanks!
Comment 3 Andrew Bartlett 2021-10-28 22:13:10 UTC
Moving this to the release bug as we can treat this more normally as a distinct patch.

We need an advisory written very soon.
Comment 4 Andrew Bartlett 2021-10-29 01:38:17 UTC
Created attachment 16887 [details]
patch for master

Patch from security-CVE-2021-23192-dcerpc-middle-fraq-ok

I've added Samuel's review as confirmed by metze but an extra tick here would be great.
Comment 5 Andrew Bartlett 2021-10-29 02:06:44 UTC
Backport to 4.15 and 4.14 looks trivial (just collect some required patches to also backport) but 4.13 hits the end of the RPC server rewrite.

Metze,

I'll need you to do that one.
Comment 6 Andrew Bartlett 2021-10-29 02:29:20 UTC
I'll upload a backport to 4.15, but even 4.14 breaks the selftest, so I'll hand that over as well, but upload the WIP patch to save you time.
Comment 7 Andrew Bartlett 2021-10-29 02:30:03 UTC
Created attachment 16888 [details]
patch for master backported to 4.15 (only)
Comment 8 Andrew Bartlett 2021-10-29 02:32:16 UTC
Created attachment 16889 [details]
patch from master backported to 4.14 (v1)
Comment 9 Andrew Bartlett 2021-10-29 05:23:39 UTC
Comment on attachment 16887 [details]
patch for master

Flagging CI-passed as it passed in a pipeline with other patches.
Comment 10 Stefan Metzmacher 2021-10-29 18:39:32 UTC
Comment on attachment 16889 [details]
patch from master backported to 4.14 (v1)

This passes a pipeline and autobuild just fine for me
Comment 11 Stefan Metzmacher 2021-10-29 18:40:48 UTC
Created attachment 16901 [details]
patch from master backported to 4.13 (v1)
Comment 12 Stefan Metzmacher 2021-10-29 18:54:10 UTC
G'Day Vendors,

This bug will also be part of the security release for Nov 9 2021.

But the patches on this bug are on their own independent from
the large combined patch on bug #14834.

This bug is only relevant for kind of server setups.

The advisory will follow in the next days.
Comment 13 Ralph Böhme 2021-11-02 05:11:51 UTC
(In reply to Stefan Metzmacher from comment #12)
> This bug is only relevant for kind of server setups.

sorry, but this fails to mention which kind of server setups...
Comment 14 Andrew Bartlett 2021-11-02 08:30:06 UTC
Created attachment 16913 [details]
advisory text (v01)
Comment 15 Stefan Metzmacher 2021-11-02 09:49:19 UTC
Created attachment 16915 [details]
CVE-2021-23192-description.metze02.txt
Comment 16 Samuel Cabrero 2021-11-02 11:55:06 UTC
Created attachment 16919 [details]
Advisory text (v3)

This issue not only affects the AD DC case but any role providing RPC services over TCP/IP after the s3 and s4 RPC servers were merged (>= 4.13.0), for example a member server configured as:

rpc_server:netlogon = disabled
rpc_server:lsarpc = external
rpc_server:samr = external
rpc_daemon:lsasd = fork

Metze, could you please review the new advisory text?
Comment 17 Stefan Metzmacher 2021-11-02 13:51:57 UTC
Created attachment 16920 [details]
Advisory text (v4)

This is not restricted to TCP/IP; it also applies to anonymous SMB.
Comment 18 Andrew Bartlett 2021-11-02 18:31:44 UTC
(In reply to Stefan Metzmacher from comment #17)
I still think the Advisory should call out the AD DC as the primary risk, the other cases can only matter if the client or server voluntarily fragments the request or reply, and I can't think of any typical examples of such a thing that would be catastrophic, except for DRS replication. 

Setting out clear risk boundaries helps vendors and end users set priorities.
Comment 19 Andrew Bartlett 2021-11-02 20:05:36 UTC
Created attachment 16923 [details]
advisory text (v05)
Comment 20 Stefan Metzmacher 2021-11-03 15:55:26 UTC
Created attachment 16928 [details]
patch from master backported to 4.14 (v2)

Only the commit messages are changed compared to
CVE-2021-23192-only-4.14-v1.patch
Comment 21 Stefan Metzmacher 2021-11-03 15:56:14 UTC
Created attachment 16929 [details]
patch from master backported to 4.13 (v2)

Only the commit messages are changed compared to
CVE-2021-23192-only-4.13-v1.patch
Comment 22 Joseph Sutton 2021-11-05 10:09:51 UTC
Created attachment 16960 [details]
patch from master backported to 4.12

This patch applies on top of the v4.12 patch found at https://bugzilla.samba.org/show_bug.cgi?id=14725.
Comment 23 Guenther Deschner 2021-11-05 13:02:19 UTC
Comment on attachment 16923 [details]
advisory text (v05)

I think there are two typos, s/greather/greater/
Comment 24 Stefan Metzmacher 2021-11-05 13:59:17 UTC
(In reply to Guenther Deschner from comment #23)

Hi Günther, can you upload a fixed v6 version? Thanks!
Comment 25 Guenther Deschner 2021-11-05 14:08:17 UTC
Created attachment 16962 [details]
advisory text (v06)
Comment 26 Guenther Deschner 2021-11-05 14:08:48 UTC
(In reply to Stefan Metzmacher from comment #24)

Done, and fixed two other minor typos.
Comment 27 Marc Deslauriers 2021-11-08 12:35:07 UTC
Typo in advisory: bypassign
Comment 28 Stefan Metzmacher 2021-11-08 19:52:12 UTC
Created attachment 16968 [details]
advisory text (v07)

bypassign => bypassing
Comment 29 Stefan Metzmacher 2021-11-08 22:00:22 UTC
The release will happen around 18:00 UTC November 9th.
Comment 30 Joseph Sutton 2021-11-09 04:05:16 UTC
Created attachment 16974 [details]
patch from master backported to 4.10

This patch applies on top of the v4.10 patch found at https://bugzilla.samba.org/show_bug.cgi?id=14725.
Comment 31 Andrew Bartlett 2021-11-09 17:28:22 UTC
Comment on attachment 16960 [details]
patch from master backported to 4.12

I confirm this is a correctly handled backport of the 4.13 patch.
Comment 32 Andrew Bartlett 2021-11-09 17:28:47 UTC
Comment on attachment 16974 [details]
patch from master backported to 4.10

I can also confirm this 4.10 backport is a correctly handled backport of the 4.13 patch.
Comment 33 Samba QA Contact 2021-11-09 18:17:29 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.10):

cc63aa0f6fc5fded5d97fbe8f1e70839696eef73
e10f8c1d99c143ba68bd9043c648a51719a352f0
a106cfd09204fa637096965b58ad39c268375b99
793cdac7d383052d8edb794fab6bc0f7201519ad
ce2a20fa4b1cd3afcc167bd73330ade68e45dd9c
5b96c3f932d0dff468ebc66871437debfa10be4f
f2de7ce5004c535ad01e7c5ba1808fdab83a5bc4
396b19acac7771ea4d3cbcaa050cecbbc0ddbf81
e6a1fbbf605bef900954d1cd120ac1abce0bb7e9
Comment 34 Samba QA Contact 2021-11-09 18:18:10 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.14):

83a9fb52f3e32422b4b2ab6327ad06c35c71ae1a
4a893891951d9b3e087e6577327c3aa0a019e99e
6b37112441013aa80f31915e921ce2182ca7e630
714cf311ab283916e433553f211c9f79acbae138
6afefee92ce923bdb044a97113e56a87e67d763b
adcd0d76132a25ead71510f94b2ac5a5fe80cb75
1f66e3f97e1b6f63aedbf5d7247ae43045eb9f11
f4492f9309ff4cb26c69d8f4fb2128025ac82372
ec712adf5002eb4f3a36d55f0d7a8a196f24b214
Comment 35 Samba QA Contact 2021-11-09 18:22:19 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.2):

09ae69e60cd4db3ceb779d4480985ab3899746f3
9ab57ce2e2344ee379cf961dd3af5567e0f1f8de
096405b778ec639508e8c2efe8c701bb72d663c4
016be9b15ecd79d2b35c4e27d346f7dd218bac4a
0b2ab8bc2551a73390a80ed77dfab7fb8c66acdf
aaba2e8b0e48125549eb0399c8d3285ca21faf53
c59c8abb94d9ddd5f0b31e882fb2d32349ff7450
Comment 36 Samba QA Contact 2021-11-09 18:46:14 UTC
This bug was referenced in samba v4-14-test:

cc63aa0f6fc5fded5d97fbe8f1e70839696eef73
e10f8c1d99c143ba68bd9043c648a51719a352f0
a106cfd09204fa637096965b58ad39c268375b99
793cdac7d383052d8edb794fab6bc0f7201519ad
ce2a20fa4b1cd3afcc167bd73330ade68e45dd9c
5b96c3f932d0dff468ebc66871437debfa10be4f
f2de7ce5004c535ad01e7c5ba1808fdab83a5bc4
396b19acac7771ea4d3cbcaa050cecbbc0ddbf81
e6a1fbbf605bef900954d1cd120ac1abce0bb7e9
Comment 37 Samba QA Contact 2021-11-09 18:48:20 UTC
This bug was referenced in samba v4-13-test:

83a9fb52f3e32422b4b2ab6327ad06c35c71ae1a
4a893891951d9b3e087e6577327c3aa0a019e99e
6b37112441013aa80f31915e921ce2182ca7e630
714cf311ab283916e433553f211c9f79acbae138
6afefee92ce923bdb044a97113e56a87e67d763b
adcd0d76132a25ead71510f94b2ac5a5fe80cb75
1f66e3f97e1b6f63aedbf5d7247ae43045eb9f11
f4492f9309ff4cb26c69d8f4fb2128025ac82372
ec712adf5002eb4f3a36d55f0d7a8a196f24b214
Comment 38 Samba QA Contact 2021-11-09 19:00:23 UTC
This bug was referenced in samba v4-15-test:

09ae69e60cd4db3ceb779d4480985ab3899746f3
9ab57ce2e2344ee379cf961dd3af5567e0f1f8de
096405b778ec639508e8c2efe8c701bb72d663c4
016be9b15ecd79d2b35c4e27d346f7dd218bac4a
0b2ab8bc2551a73390a80ed77dfab7fb8c66acdf
aaba2e8b0e48125549eb0399c8d3285ca21faf53
c59c8abb94d9ddd5f0b31e882fb2d32349ff7450
Comment 39 Samba QA Contact 2021-11-09 20:38:20 UTC
This bug was referenced in samba master:

c00e5fc2c646ef56a457d3850fb4a6e4d8d45294
2f0bc04afe27af91901c66b2f4220129cabaf8a7
478656531610ea35c860a769f2309592f7561bcb
e21c405163a119af496b6801c31f38dd33e4da93
44584f97b088796818aaaa721cf317541116d506
9ebc679e76803e41861b9901d69fee41d3ce9a0f
871d672f51fa8de6b2a4feee2039b76654e6aad2
Comment 40 Andrew Bartlett 2021-11-09 20:55:09 UTC
The patches addressing this issue have been pushed to master and security releases made.
Comment 41 Andrew Bartlett 2021-11-09 21:12:27 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.  

These are the "other issues" part of the big release we just made, the remainder are private for a little longer.

If you wish to continue to be informed about any changes here please CC individually.