Bug 1173160 (CVE-2020-10745)

Summary: VUL-0: CVE-2020-10745: samba: invalid DNS or NBT queries containing dots use several seconds of CPU each
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Novell Samba Team <samba>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: julien.adamek, meissner, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/261852/
Whiteboard: CVSSv3.1:SUSE:CVE-2020-10745:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 5 Marcus Meissner 2020-07-02 09:26:34 UTC
is now public.

https://www.samba.org/samba/security/CVE-2020-10745.html


CVE-2020-10745.html

===========================================================
== Subject:     Parsing and packing of NBT and DNS packets
==              can consume excessive CPU in the AD DC (only)
==
== CVE ID#:     CVE-2020-10745
==
== Versions:    All Samba versions since 4.0.0
==
== Summary:     Compression of replies to NetBIOS over TCP/IP
==              name resolution and DNS packets (which can be
==              supplied as UDP requests) can be abused to
==              consume excessive amounts of CPU on the Samba
==              AD DC (only).
==
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is framed using the
same format as DNS, and Samba's packing code for both uses DNS name
compression.

An attacker can choose a name which, when the name is included in the
reply, causes the DNS name compression algorithm to walk a very long
internal list while trying to compress the reply.  This is in part
because the traditional "." separator in DNS is not actually part of
the DNS protocol; the limit of 128 components is exceeded by including
"." inside the components.

Specifically, the longest label is 63 characters, and Samba enforces a
limit of 128 components. That means you can make a query for the
address with 127 components, each of which is
"...............................................................".

In processing that query, Samba rewrites the name in dot-separated
form, then converts it back to the wire format in order to
reply. Unfortunately for Samba, it now finds the name is just 8127
dots, which it duly converts into over 8127 zero length labels.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

==========
Workaround
==========

The vulnerable DNS server (port 53) and NBT server (port 139) are only
provided when Samba runs as an Active Directory DC.  The
implementation provided by nmbd in the file-server configuration is
not subject to this issue.  In the AD DC, the NBT server can be
disabled with 'disable netbios = yes'.

=======
Credits
=======

Found using Honggfuzz and triaged by Douglas Bagnall of Catalyst and
the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett and Douglas Bagnall of Catalyst
and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
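As an added illustration (not code from the advisory, from Samba, or from this bug report): a Python round trip showing how joining wire labels with "." and re-splitting inflates the label count for the name shape the advisory describes, beside a label-preserving presentation form that escapes literal dots (RFC 1035 master-file style, one possible approach and not a claim about Samba's actual fix) and the limit check that has to be applied to the labels that are actually re-packed. The sample name is constructed here: 127 labels of 63 dots each.

```python
"""DNS name text/wire round trip: naive join/split versus escaped labels."""

MAX_LABEL_LEN = 63   # longest label on the wire (6-bit length)
MAX_LABELS = 128     # component limit the advisory says Samba enforces


def wire_to_dotted_naive(labels):
    """Join labels with '.', losing the boundary between a label and a literal dot."""
    return ".".join(labels)


def dotted_to_labels_naive(name):
    """Split on every '.', as a naive re-packer would; dots inside labels become separators."""
    return name.split(".")


def wire_to_text(labels):
    """Presentation form that escapes backslashes and literal dots inside labels."""
    return ".".join(l.replace("\\", "\\\\").replace(".", "\\.") for l in labels)


def text_to_labels(name):
    """Parse the escaped presentation form back into labels, honouring '\\' escapes."""
    labels, cur, i = [], [], 0
    while i < len(name):
        c = name[i]
        if c == "\\" and i + 1 < len(name):   # escaped char: keep it inside the label
            cur.append(name[i + 1])
            i += 2
            continue
        if c == ".":                           # unescaped dot: label boundary
            labels.append("".join(cur))
            cur = []
        else:
            cur.append(c)
        i += 1
    labels.append("".join(cur))
    return labels


def labels_within_limits(labels):
    """True only if the label list that will be packed respects count and length limits."""
    return len(labels) <= MAX_LABELS and all(len(l) <= MAX_LABEL_LEN for l in labels)


# Constructed sample: 127 labels, each 63 dots, the shape described in the advisory.
DOT_LABELS = ["." * MAX_LABEL_LEN] * 127

if __name__ == "__main__":
    naive = dotted_to_labels_naive(wire_to_dotted_naive(DOT_LABELS))
    print(len(naive), labels_within_limits(naive))              # 8128 False
    escaped = text_to_labels(wire_to_text(DOT_LABELS))
    print(escaped == DOT_LABELS, labels_within_limits(escaped))  # True True
```

The sample passes the limit check as received (127 labels of 63 bytes), but after the naive text round trip it is 8128 labels, which is why the check has to run on the labels that are actually packed, not only on the incoming query.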
Comment 8 Swamp Workflow Management 2020-07-14 19:19:10 UTC
SUSE-SU-2020:1913-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2020-07-17 16:14:27 UTC
SUSE-SU-2020:1948-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ldb-2.0.12-3.3.1, samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1

Comment 11 Swamp Workflow Management 2020-07-18 04:14:04 UTC
openSUSE-SU-2020:0984-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.343.4bc358522a9-lp151.2.27.1
Comment 12 Swamp Workflow Management 2020-07-21 05:15:26 UTC
openSUSE-SU-2020:1023-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.3.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.3.1
Comment 14 Swamp Workflow Management 2020-07-23 16:39:00 UTC
SUSE-SU-2020:14437-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173160
CVE References: CVE-2020-10745
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    samba-3.6.3-94.26.1, samba-doc-3.6.3-94.26.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    samba-3.6.3-94.26.1, samba-doc-3.6.3-94.26.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-94.26.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-94.26.1

Comment 15 Swamp Workflow Management 2020-07-24 16:15:42 UTC
SUSE-SU-2020:2036-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1169473,1169521,1172810,1173160,1173429
CVE References: CVE-2020-10745
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.10.5+git.192.26ffbcd7231-3.11.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.10.5+git.192.26ffbcd7231-3.11.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.5+git.192.26ffbcd7231-3.11.1

Comment 16 Swamp Workflow Management 2020-07-29 13:16:52 UTC
SUSE-SU-2020:2065-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173160
CVE References: CVE-2020-10745
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    samba-4.7.11+git.240.76c9942a99f-4.43.1
SUSE Linux Enterprise Server 15-LTSS (src):    samba-4.7.11+git.240.76c9942a99f-4.43.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    samba-4.7.11+git.240.76c9942a99f-4.43.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    samba-4.7.11+git.240.76c9942a99f-4.43.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.240.76c9942a99f-4.43.1

Comment 17 Swamp Workflow Management 2020-07-29 13:18:59 UTC
SUSE-SU-2020:2066-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1173160
CVE References: CVE-2020-10745
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE OpenStack Cloud Crowbar 8 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE OpenStack Cloud 9 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE OpenStack Cloud 8 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
SUSE Enterprise Storage 5 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1
HPE Helion Openstack 8 (src):    samba-4.6.16+git.186.c6d77b0d5a6-3.52.1

Comment 18 Swamp Workflow Management 2020-08-25 16:20:30 UTC
SUSE-SU-2020:2312-1: An update that solves one vulnerability and has one errata is now available.

Category: security (moderate)
Bug References: 1173160,1174120
CVE References: CVE-2020-10745
JIRA References: 
Sources used:
SUSE OpenStack Cloud 7 (src):    samba-4.4.2-38.33.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    samba-4.4.2-38.33.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    samba-4.4.2-38.33.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.4.2-38.33.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-38.33.1

Comment 19 Swamp Workflow Management 2020-09-01 16:23:21 UTC
openSUSE-SU-2020:1313-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.6.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.6.1
Comment 21 Swamp Workflow Management 2020-09-17 19:15:41 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

Comment 22 Marcus Meissner 2021-08-09 15:21:24 UTC
released