Bug 1103414 (CVE-2018-10918) - VUL-0: CVE-2018-10918: samba: Denial of Service Attack on AD DC DRSUAPI server
Status: RESOLVED FIXED
Alias: CVE-2018-10918
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium, Severity: Normal
Target Milestone: ---
Assignee: James McDonough
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/212073/
Whiteboard: CVSSv3:SUSE:CVE-2018-10918:6.5:(AV:N/...
Reported: 2018-08-01 13:25 UTC by Johannes Segitz
Modified: 2018-12-04 23:48 UTC

Comment 1 Johannes Segitz 2018-08-01 13:25:50 UTC
This is an embargoed bug. This means that this information is not public. Please
- do not talk to other people about this unless they're involved in fixing the issue
- do not submit this into OBS (e.g. fix Leap) until this is public
- do not make this bug public
- Please be aware that the SUSE:SLE-12-SP4:GA codestream is available via OBS. This means
  that you can't submit security fixes for embargoed issues to SLE 12 SP4 GA until they become
  public.

If in doubt, please talk to us on IRC (#security) or send us a mail.

CRD: 2018-08-14
Comment 6 Marcus Meissner 2018-08-14 09:01:45 UTC
is public


CVE-2018-10918.html

====================================================================
== Subject:     Denial of Service Attack on AD DC DRSUAPI server
==
== CVE ID#:     CVE-2018-10918
==
== Versions:    All versions of Samba from 4.7.0 onwards.
==
== Summary:     Missing null pointer checks may crash the Samba AD
==              DC, over the authenticated DRSUAPI RPC service.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.7.0 onwards are vulnerable to a denial of
service attack which can crash the "samba" process when Samba is an
Active Directory Domain Controller.

Missing database output checks on the returned directory attributes
from the LDB database layer cause the DsCrackNames call in the DRSUAPI
server to crash when following a NULL pointer.

This call is only available after authentication.

There is no further vulnerability associated with this error, merely a
denial of service.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.8.4 and Samba 4.7.9 have been issued as a
security release to correct the defect.  Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

No workaround is possible while acting as a Samba AD DC.

=======
Credits
=======

The issue was reported by Volker Mauel.  Andrew Bartlett of Catalyst
and the Samba Team provided the test and patches.
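
The defect class described in the advisory above (a database lookup result used without a NULL check), shown beside a checked form. This is an added C example, not Samba's code and not part of this bug report; the structures, status codes and function names are hypothetical, and the sample records are constructed.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical model of one record handed back by a directory database. */
struct attr   { const char *name; const char *value; };
struct record { const struct attr *attrs; size_t count; };
/* Hypothetical per-name result codes, reported instead of crashing. */
enum crack_status { CRACK_OK, CRACK_RESOLVE_ERROR, CRACK_BUFFER_TOO_SMALL };

/* Returns the attribute's value, or NULL when the record lacks it. */
static const char *find_attr(const struct record *r, const char *name)
{
    for (size_t i = 0; i < r->count; i++)
        if (strcmp(r->attrs[i].name, name) == 0)
            return r->attrs[i].value;
    return NULL;
}

/* Defect class: trusts the lookup, so strlen() may follow NULL. Never called. */
size_t account_len_unchecked(const struct record *r)
{
    return strlen(find_attr(r, "sAMAccountName"));
}

/* Hardened form: every lookup result is checked before it is used. */
enum crack_status crack_to_nt4(const struct record *r, const char *domain,
                               char *out, size_t outlen)
{
    const char *account = r ? find_attr(r, "sAMAccountName") : NULL;
    if (account == NULL || domain == NULL)
        return CRACK_RESOLVE_ERROR;   /* incomplete record: fail this name only */
    int n = snprintf(out, outlen, "%s\\%s", domain, account);
    if (n < 0 || (size_t)n >= outlen)
        return CRACK_BUFFER_TOO_SMALL;
    return CRACK_OK;
}

/* Constructed sample records: one complete, one missing the attribute. */
static const struct attr complete_attrs[] = {{"cn", "Alice"}, {"sAMAccountName", "alice"}};
static const struct attr partial_attrs[]  = {{"cn", "Orphan"}};
const struct record sample_complete = {complete_attrs, 2};
const struct record sample_partial  = {partial_attrs, 1};

int main(void)
{
    char buf[64];
    printf("complete=%d partial=%d\n",
           crack_to_nt4(&sample_complete, "EXAMPLE", buf, sizeof buf),
           crack_to_nt4(&sample_partial, "EXAMPLE", buf, sizeof buf));
    return 0;
}
```

The checked form turns an incomplete record into a per-name error, so one malformed entry fails that lookup without taking down the serving process.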
Comment 7 Swamp Workflow Management 2018-08-14 13:08:43 UTC
SUSE-SU-2018:2318-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
Comment 8 Swamp Workflow Management 2018-08-17 10:13:43 UTC
openSUSE-SU-2018:2400-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
openSUSE Leap 15.0 (src):    samba-4.7.8+git.86.94b6d10f7dd-lp150.3.6.1
Comment 9 James McDonough 2018-10-01 10:03:39 UTC
shipped