Bug 15474 (CVE-2023-42669) - [SECURITY] CVE-2023-42669 rpcecho, enabled and running in AD DC, allows blocking sleep on request
Status: RESOLVED FIXED
Alias: CVE-2023-42669
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
Blocks: 15483
Reported: 2023-09-12 06:47 UTC by Andrew Bartlett
Modified: 2023-10-20 09:15 UTC

Attachments
Initial Advisory without CVE (v1) (1.90 KB, text/plain)
2023-09-12 09:31 UTC, Andrew Bartlett
no flags
Patch for master v1 (6.84 KB, patch)
2023-09-12 09:35 UTC, Andrew Bartlett
ab: review+
Advisory v2 (1.93 KB, text/plain)
2023-09-25 04:17 UTC, Andrew Bartlett
ab: review+
patch for master v2 (6.85 KB, patch)
2023-09-25 04:19 UTC, Andrew Bartlett
abartlet: review? (ab)
dbagnall: review+
metze: review+
abartlet: ci-passed+
Patch in master backported to Samba 4.19 (v2) (5.66 KB, patch)
2023-09-29 07:29 UTC, Andrew Bartlett
metze: review+
ab: review+
abartlet: ci-passed+
Patch in master backported to Samba 4.18 (v2) (5.66 KB, patch)
2023-09-29 07:30 UTC, Andrew Bartlett
metze: review+
ab: review+
abartlet: ci-passed+
Patch in master backported to Samba 4.17 (v2) (5.66 KB, patch)
2023-09-29 07:30 UTC, Andrew Bartlett
metze: review+
ab: review+
abartlet: ci-passed+
Patch in master backported to Samba 4.16 (v2) (5.66 KB, patch)
2023-09-29 07:31 UTC, Andrew Bartlett
metze: review+
ab: review+
abartlet: ci-passed+
Updated advisory (v3) with version numbers (2.03 KB, text/plain)
2023-09-29 08:13 UTC, Andrew Bartlett
no flags
Updated advisory (v4) with fixed version numbers (2.03 KB, text/plain)
2023-09-29 18:49 UTC, Andrew Bartlett
metze: review+

Description Andrew Bartlett 2023-09-12 06:47:24 UTC
The rpcecho testing server, built to allow Samba developers to test RPC functionality using our own server, allows an authenticated user to block (almost) all service.

Under specific conditions, a fully-blocking sleep() call in dcesrv_echo_TestSleep() can be executed by an authenticated user, disrupting all other services.
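
An added illustration of the failure mode described above, not Samba code and not taken from the attached patches: a constructed single-process server model with a virtual clock, comparing a handler that blocks the loop with one that arms a timer and returns. The names `OP_TEST_SLEEP`, `run_server` and `bystander_done_ms`, the 1 ms echo cost and the 5 s sleep are all assumptions made for the example.

```c
#include <stdio.h>

/* Constructed model, not Samba code: one process, one loop, virtual clock (ms). */
enum op { OP_ECHO, OP_TEST_SLEEP };
struct req {
    enum op op;
    long arg_ms;            /* sleep length for OP_TEST_SLEEP */
    long due_at, done_at;   /* armed timer / reply time, -1 while unset */
};
#define ECHO_COST_MS 1      /* assumed cost of serving a cheap request */

/* Send replies for deferred requests whose timer has expired. */
static void fire_timers(struct req *q, size_t n, long now)
{
    for (size_t i = 0; i < n; i++)
        if (q[i].done_at < 0 && q[i].due_at >= 0 && q[i].due_at <= now)
            q[i].done_at = now;
}

/* blocking=1: sleep handler stalls the loop; blocking=0: it arms a timer. */
void run_server(struct req *q, size_t n, int blocking)
{
    long now = 0;
    for (size_t i = 0; i < n; i++) {
        long cost = q[i].op == OP_ECHO ? ECHO_COST_MS : q[i].arg_ms;
        q[i].due_at = q[i].done_at = -1;
        fire_timers(q, i, now);
        if (q[i].op == OP_TEST_SLEEP && !blocking) {
            q[i].due_at = now + cost; /* reply later, keep serving */
        } else {
            now += cost;              /* nothing else runs meanwhile */
            q[i].done_at = now;
        }
    }
    for (size_t i = 0; i < n; i++)    /* queue drained: timers fire on time */
        if (q[i].done_at < 0)
            q[i].done_at = q[i].due_at > now ? q[i].due_at : now;
}

/* Time at which the last of three requests queued behind a 5 s sleep is answered. */
long bystander_done_ms(int blocking)
{
    struct req q[4] = { { OP_TEST_SLEEP, 5000, 0, 0 } }; /* rest default to OP_ECHO */
    run_server(q, 4, blocking);
    return q[3].done_at;
}

int main(void)
{
    printf("blocking: %ld ms, deferred: %ld ms\n", bystander_done_ms(1), bystander_done_ms(0));
}
```

In the blocking case every request queued behind the sleep inherits its full delay; in the deferred case only the caller that asked for the sleep waits.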
Comment 2 Andrew Bartlett 2023-09-12 09:31:46 UTC
Created attachment 18094 [details]
Initial Advisory without CVE (v1)
Comment 3 Andrew Bartlett 2023-09-12 09:35:26 UTC
Created attachment 18095 [details]
Patch for master v1

This patch for master also makes the "echo" server selftest-only.  This is only for master, not for backporting, so this does not have the BUG tag.
Comment 4 Alexander Bokovoy 2023-09-22 09:40:54 UTC
Comment on attachment 18095 [details]
Patch for master v1

Patches look good
Comment 5 Andrew Bartlett 2023-09-25 04:17:29 UTC
Created attachment 18120 [details]
Advisory v2
Comment 6 Andrew Bartlett 2023-09-25 04:19:38 UTC
Created attachment 18121 [details]
patch for master v2

The change in this patch is to use the built-in for_selftest parameter to SAMBA_BINARY, which always refuses to install this binary, even in a selftest build.
Comment 7 Andrew Bartlett 2023-09-29 07:29:14 UTC
Created attachment 18135 [details]
Patch in master backported to Samba 4.19 (v2)
Comment 8 Andrew Bartlett 2023-09-29 07:30:14 UTC
Created attachment 18136 [details]
Patch in master backported to Samba 4.18 (v2)
Comment 9 Andrew Bartlett 2023-09-29 07:30:58 UTC
Created attachment 18137 [details]
Patch in master backported to Samba 4.17 (v2)
Comment 10 Andrew Bartlett 2023-09-29 07:31:37 UTC
Created attachment 18138 [details]
Patch in master backported to Samba 4.16 (v2)
Comment 11 Alexander Bokovoy 2023-09-29 08:09:04 UTC
Comment on attachment 18135 [details]
Patch in master backported to Samba 4.19 (v2)

LGTM
Comment 12 Alexander Bokovoy 2023-09-29 08:10:02 UTC
Comment on attachment 18120 [details]
Advisory v2

LGTM
Comment 13 Alexander Bokovoy 2023-09-29 08:10:26 UTC
Comment on attachment 18136 [details]
Patch in master backported to Samba 4.18 (v2)

LGTM
Comment 14 Alexander Bokovoy 2023-09-29 08:11:11 UTC
Comment on attachment 18137 [details]
Patch in master backported to Samba 4.17 (v2)

LGTM
Comment 15 Andrew Bartlett 2023-09-29 08:13:22 UTC
Created attachment 18144 [details]
Updated advisory (v3) with version numbers
Comment 16 Alexander Bokovoy 2023-09-29 08:13:54 UTC
Comment on attachment 18138 [details]
Patch in master backported to Samba 4.16 (v2)

LGTM
Comment 17 Alexander Bokovoy 2023-09-29 08:18:18 UTC
Comment on attachment 18144 [details]
Updated advisory (v3) with version numbers

If you are changing this, maybe add a more explicit statement that it does affect non-AD DC builds as well and the same solution works for s3?
Comment 18 Andrew Bartlett 2023-09-29 18:44:11 UTC
Comment on attachment 18137 [details]
Patch in master backported to Samba 4.17 (v2)

Adding CI passed to 4.17.  The samba-nt4 job just had a system failure uploading the successful artifacts, and 'others' (ldb, tdb etc), untouched by this, didn't start due to a runner failure.
Comment 19 Andrew Bartlett 2023-09-29 18:49:48 UTC
Created attachment 18148 [details]
Updated advisory (v4) with fixed version numbers
Comment 20 Andrew Bartlett 2023-09-29 18:50:27 UTC
This is almost ready, I just need the advisory reviewed and it can be included in the security release.
Comment 21 Jule Anger 2023-10-02 07:24:34 UTC
Opening security bugs to vendors. Release date is currently proposed to be October 10.
Comment 22 Jule Anger 2023-10-10 14:43:17 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 23 Samba QA Contact 2023-10-10 14:46:40 UTC
This bug was referenced in samba v4-17-stable:

9989568b20c8f804140c22f51548d766a18ed887
6ff5eed9c5dbb5b8b27ef34586e63208e958dc2e
Comment 24 Samba QA Contact 2023-10-10 14:48:50 UTC
This bug was referenced in samba v4-19-stable:

5eeba465a0eb784e003750241d8d319cc72c5217
88542d6d77d7a996d15412d05a0d026d47b337f5
Comment 25 Samba QA Contact 2023-10-10 14:49:31 UTC
This bug was referenced in samba v4-18-stable:

808a46b1877dc67e131d9d1cbcac701964c75571
2e2a9feecff6dda90ef27ee7534a69bc4c3ee960
Comment 26 Samba QA Contact 2023-10-10 15:02:10 UTC
This bug was referenced in samba v4-17-stable:

a16b210ec651b535b43c21574ca439238e2f8772
d4d49635247ab4bc580899d7c5fb54484b806225
Comment 27 Samba QA Contact 2023-10-10 15:08:28 UTC
This bug was referenced in samba v4-18-stable:

e652fbe8525dfaa5b7d794cac90f9d216432e78c
2ef556473bd858fc3dbcd6372835ded48f75135d
Comment 28 Samba QA Contact 2023-10-10 15:08:40 UTC
This bug was referenced in samba v4-19-stable:

5609c68aa5175a636dc3080676ebff36de1e971f
2cb41dd7c57a3974b9d71740cfda53721750635d
Comment 29 Samba QA Contact 2023-10-10 15:18:30 UTC
This bug was referenced in samba v4-17-test:

9989568b20c8f804140c22f51548d766a18ed887
6ff5eed9c5dbb5b8b27ef34586e63208e958dc2e
a16b210ec651b535b43c21574ca439238e2f8772
d4d49635247ab4bc580899d7c5fb54484b806225
Comment 30 Samba QA Contact 2023-10-10 15:28:53 UTC
This bug was referenced in samba v4-18-test:

808a46b1877dc67e131d9d1cbcac701964c75571
2e2a9feecff6dda90ef27ee7534a69bc4c3ee960
e652fbe8525dfaa5b7d794cac90f9d216432e78c
2ef556473bd858fc3dbcd6372835ded48f75135d
Comment 31 Samba QA Contact 2023-10-10 15:48:45 UTC
This bug was referenced in samba master:

3cf1beed5df7d8b5d854517de7de322c6a5bc7fa
a9c32f929b7901b4ca230cc7a725b42c8916540d
Comment 32 Samba QA Contact 2023-10-10 16:00:01 UTC
This bug was referenced in samba v4-19-test:

5eeba465a0eb784e003750241d8d319cc72c5217
88542d6d77d7a996d15412d05a0d026d47b337f5
5609c68aa5175a636dc3080676ebff36de1e971f
2cb41dd7c57a3974b9d71740cfda53721750635d
Comment 33 Jule Anger 2023-10-20 09:15:09 UTC
Pushed to all branches.
Closing out bug report.
Thanks!