15473 – (CVE-2023-42670) [SECURITY] CVE-2023-42670 The procedure number is out of range when starting Active Directory Users and Computers

Bug 15473 (CVE-2023-42670) - [SECURITY] CVE-2023-42670 The procedure number is out of range when starting Active Directory Users and Computers

Summary: [SECURITY] CVE-2023-42670 The procedure number is out of range when starting ...

Status:	RESOLVED FIXED

Alias:	CVE-2023-42670

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	unspecified
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Jule Anger
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:
Blocks:	15483
	Show dependency tree / graph

Reported:	2023-09-12 00:26 UTC by Andrew Bartlett
Modified:	2023-10-20 09:16 UTC (History)
CC List:	9 users (show)

See Also:	CVE-2023-3961 CVE-2023-42669

Attachments
Patch for master v1 (15.53 KB, patch) 2023-09-12 09:37 UTC, Andrew Bartlett	no flags	Details
Initial Advisory without CVE (v1) (2.44 KB, text/plain) 2023-09-12 09:38 UTC, Andrew Bartlett	no flags	Details
patch for master v2 (15.56 KB, patch) 2023-09-25 04:06 UTC, Andrew Bartlett	no flags	Details
Advisory v2 (2.47 KB, text/plain) 2023-09-25 04:10 UTC, Andrew Bartlett	no flags	Details
patch for master v3 (16.03 KB, patch) 2023-09-29 03:19 UTC, Andrew Bartlett	no flags	Details
patch for master v4 (16.03 KB, patch) 2023-09-29 03:22 UTC, Andrew Bartlett	abartlet: review? (dbagnall) metze: review+ abartlet: review? (ab) abartlet: review? (jra) abartlet: ci-passed+	Details
Patch for master backported to Samba 4.19 (v4) (16.03 KB, patch) 2023-09-29 07:44 UTC, Andrew Bartlett	ab: review+ metze: review+ abartlet: ci-passed+	Details
Patch for master backported to Samba 4.18 (v4) (16.03 KB, patch) 2023-09-29 07:45 UTC, Andrew Bartlett	abartlet: review? (ab) metze: review+ abartlet: review? (jra) abartlet: ci-passed+	Details
Patch for master backported to Samba 4.17 (v4) (16.03 KB, patch) 2023-09-29 07:46 UTC, Andrew Bartlett	abartlet: review? (ab) metze: review+ abartlet: review? (jra) abartlet: ci-passed+	Details
Patch for master backported to Samba 4.16 (v4) (16.03 KB, patch) 2023-09-29 07:47 UTC, Andrew Bartlett	abartlet: review? (ab) metze: review+ abartlet: review? (jra) abartlet: ci-passed+	Details
Updated advisory (v3) with version numbers (2.63 KB, patch) 2023-09-29 08:07 UTC, Andrew Bartlett	ab: review+	Details
Updated advisory (v4) with fixed wording (2.63 KB, text/plain) 2023-09-29 08:31 UTC, Ralph Böhme	abartlet: review+	Details
Updated advisory (v5) with fixed version number (2.63 KB, text/plain) 2023-09-29 08:41 UTC, Ralph Böhme	abartlet: review+	Details
Show Obsolete (7) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2023-09-12 00:26:01 UTC

In some attacker-controllable circumstances, both 'samba' (the AD
DC) and samba-dcerpcd can be listening on the same sockets.

The primary symptom to users, is in Active Directory Users and Computers (ADUC) that the Domain Controller could not be contacted. The error is "The procedure number is out of range."

The failing NetLogon call, DsrGetDcNameEx2, is implemented in the 
soruce4 RPC server used by Samba Active Directory, but the
corresponding implementation in samba-dcerpcd/source3 is just a stub,
which raises a “procedure number out of range” error when called. 

In the past we had this list:

static void lp_enforce_ad_dc_settings(void)
{
        lp_do_parameter(GLOBAL_SECTION_SNUM, "passdb backend", "samba_dsdb");
        lp_do_parameter(GLOBAL_SECTION_SNUM,
                        "winbindd:use external pipes", "true");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:default", "external");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:svcctl", "embedded");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:srvsvc", "embedded");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:eventlog", "embedded");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:ntsvcs", "embedded");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:winreg", "embedded");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:spoolss", "embedded");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_daemon:spoolssd", "embedded");
        lp_do_parameter(GLOBAL_SECTION_SNUM, "rpc_server:tcpip", "no");
}

This set, for named pipes (not TCP, which always went to 'samba' - the
AD DC), the policy of which half of the project handled which request,
in the AD DC.

However in the new samba-dcerpcd architecture, this list is not
consulted, instead local_np_connect_connected() either succeeds, or if
it fails it starts samba-dcerpcd to provide service.

If the attacker can make that connect fail after the socket() call (eg
by keeping the Samba AD DC RPC server busy), then they can make samba-
dcerpcd start, and then samba-dcerpcd workers will then race with samba
to answer any following ncacn_np binds, providing the s3 version of
(eg) NETLOGON.

We also need to ensure that samba-dcerpcd never binds to pipes not in
it's own list by modifying rpc_lsad and similar code to never offer 'source3' RPC servers where they would conflict with the AD DC mode, just as lp_enforce_ad_dc_settings() used to do.

Comment 1 Andrew Bartlett 2023-09-12 09:37:40 UTC

Created attachment 18096 [details]
Patch for master v1

Comment 2 Andrew Bartlett 2023-09-12 09:38:16 UTC

Created attachment 18097 [details]
Initial Advisory without CVE (v1)

Comment 3 Andrew Bartlett 2023-09-25 04:06:55 UTC

Created attachment 18118 [details]
patch for master v2

Comment 4 Andrew Bartlett 2023-09-25 04:10:57 UTC

Created attachment 18119 [details]
Advisory v2

Comment 5 Alexander Bokovoy 2023-09-26 08:17:12 UTC

Comment on attachment 18118 [details]
patch for master v2

please add an in-place comments that the duplicated service references must be the last in the arrays. This should avoid problems in future when potential new services would be added to these lists.

This affects at least source3/rpc_server/rpcd_classic.c.

Comment 6 Andrew Bartlett 2023-09-26 08:36:01 UTC

(In reply to Alexander Bokovoy from comment #5)
Thanks, really good point.

Comment 7 Andrew Bartlett 2023-09-29 03:19:43 UTC

Created attachment 18133 [details]
patch for master v3

This patch addresses AB's suggestion.

Comment 8 Andrew Bartlett 2023-09-29 03:22:06 UTC

Created attachment 18134 [details]
patch for master v4

I take more care with my spelling this time.

Comment 9 Douglas Bagnall 2023-09-29 03:33:59 UTC

Comment on attachment 18134 [details]
patch for master v4

I'm going defer to others on reviewing changes to the source3 rpc server.

Comment 10 Andrew Bartlett 2023-09-29 07:44:30 UTC

Created attachment 18139 [details]
Patch for master backported to Samba 4.19 (v4)

Comment 11 Andrew Bartlett 2023-09-29 07:45:43 UTC

Created attachment 18140 [details]
Patch for master backported to Samba 4.18 (v4)

Comment 12 Andrew Bartlett 2023-09-29 07:46:20 UTC

Created attachment 18141 [details]
Patch for master backported to Samba 4.17 (v4)

Comment 13 Andrew Bartlett 2023-09-29 07:47:10 UTC

Created attachment 18142 [details]
Patch for master backported to Samba 4.16 (v4)

Comment 14 Andrew Bartlett 2023-09-29 08:07:52 UTC

Created attachment 18143 [details]
Updated advisory (v3) with version numbers

Comment 15 Alexander Bokovoy 2023-09-29 08:21:31 UTC

Comment on attachment 18139 [details]
Patch for master backported to Samba 4.19 (v4)

LGTM

Comment 16 Alexander Bokovoy 2023-09-29 08:22:23 UTC

Comment on attachment 18143 [details]
Updated advisory (v3) with version numbers

LGTM

Comment 17 Ralph Böhme 2023-09-29 08:31:50 UTC

Created attachment 18145 [details]
Updated advisory (v4) with fixed wording

Lgtm, minor tweak:

 The issue in this advisory is that, when Samba's RPC server is under
-load, or otherwise not responding, the the servers NOT built for the
+load, or otherwise not responding, the servers NOT built for the
 AD DC (eg build instead for the NT4-emulation "classic DCs") can be

Comment 18 Ralph Böhme 2023-09-29 08:41:23 UTC

Created attachment 18147 [details]
Updated advisory (v5) with fixed version number

Oh, and another one: updated version number:

-Additionally, Samba 4.19.1, 4.18.8 and 4.17.7 have been issued
+Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued

Comment 19 Andrew Bartlett 2023-09-29 08:53:10 UTC

Comment on attachment 18147 [details]
Updated advisory (v5) with fixed version number

Thanks for catching that.

Comment 20 Andrew Bartlett 2023-09-29 18:42:29 UTC

Comment on attachment 18141 [details]
Patch for master backported to Samba 4.17 (v4)

Adding CI passed to 4.17.  The samba-nt4 job just had a system failure uploading the successful artifacts, and 'others' (ldb, tdb etc), untouched by this didn't start due to a runner failure.

Comment 21 Andrew Bartlett 2023-09-29 18:53:41 UTC

This needs review on the patches for master, 4.18, 4.17.  AB has reviewed 4.19.

4.16 is out of support but provided in case either we are dong an extra or as a helper to older installs (the patches are all the same). 

I hope this is all OK, as that would make this ready for the security release.

Comment 22 Jule Anger 2023-10-02 07:25:21 UTC

Opening security bugs to vendors. Release date is currently proposed to be October 10.

Comment 23 Jule Anger 2023-10-10 14:42:39 UTC

Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.

Comment 24 Samba QA Contact 2023-10-10 14:47:44 UTC

This bug was referenced in samba v4-17-stable:

08f4f363fa6e2ee62a6e32db577ee12e26927735
0e746c02f6cc3b53b941f2b2d9624427020a6890

Comment 25 Samba QA Contact 2023-10-10 14:48:26 UTC

This bug was referenced in samba v4-19-stable:

06a434bcc31cc428f7b5912027348de8e6660449
3e6d7e10b4417e348fb4d2942b2eb13197576ab3

Comment 26 Samba QA Contact 2023-10-10 14:49:15 UTC

This bug was referenced in samba v4-18-stable:

614d9c2235757510579e6d5122d6ec3c6be50105
85475a0cb20c2714ec30d3ef8de9ec7dcf395b5f

Comment 27 Samba QA Contact 2023-10-10 15:01:53 UTC

This bug was referenced in samba v4-17-stable:

51bc79f85a8d63ed5428c2975f60094157dda2e5
2acdaf9860f127c179a3d2e2adb18f901854aebf

Comment 28 Samba QA Contact 2023-10-10 15:07:12 UTC

This bug was referenced in samba v4-19-stable:

338021c79adac86c44454ef3ba9175fbcf10b7b4
81b816c648939559a58751f6c7b48c11631f6e4d

Comment 29 Samba QA Contact 2023-10-10 15:07:48 UTC

This bug was referenced in samba v4-18-stable:

4eba269b1ba4ce6e9f71efed9f537249d1bd2c5d
eb6f2d92e8af60d67334a94ab5df56785a1508f2

Comment 30 Samba QA Contact 2023-10-10 15:18:46 UTC

This bug was referenced in samba v4-17-test:

08f4f363fa6e2ee62a6e32db577ee12e26927735
0e746c02f6cc3b53b941f2b2d9624427020a6890
51bc79f85a8d63ed5428c2975f60094157dda2e5
2acdaf9860f127c179a3d2e2adb18f901854aebf

Comment 31 Samba QA Contact 2023-10-10 15:28:04 UTC

This bug was referenced in samba v4-18-test:

614d9c2235757510579e6d5122d6ec3c6be50105
85475a0cb20c2714ec30d3ef8de9ec7dcf395b5f
4eba269b1ba4ce6e9f71efed9f537249d1bd2c5d
eb6f2d92e8af60d67334a94ab5df56785a1508f2

Comment 32 Samba QA Contact 2023-10-10 15:49:01 UTC

This bug was referenced in samba master:

11ece30afa1a7204b93ab60a05f011d8fa24e5cd
1fbf08e8120b27783c32f599b64d3b2c5c70dce7

Comment 33 Samba QA Contact 2023-10-10 15:59:52 UTC

This bug was referenced in samba v4-19-test:

06a434bcc31cc428f7b5912027348de8e6660449
3e6d7e10b4417e348fb4d2942b2eb13197576ab3
338021c79adac86c44454ef3ba9175fbcf10b7b4
81b816c648939559a58751f6c7b48c11631f6e4d

Comment 34 Jule Anger 2023-10-20 09:15:27 UTC

Pushed to all branches.
Closing out bug report.
Thanks!