Bug 1116319 (CVE-2018-14629) - VUL-0: CVE-2018-14629: samba: CNAME loops in Samba AD DC DNS server
Status: RESOLVED FIXED
Alias: CVE-2018-14629
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
: P3 - Medium : Normal
Target Milestone: ---
Assignee: The 'Opening Windows to a Wider World' guys
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/219358/
Whiteboard: CVSSv3:SUSE:CVE-2018-14629:6.5:(AV:N/...
Reported: 2018-11-16 10:50 UTC by Marcus Meissner
Modified: 2020-06-17 18:24 UTC

Comment 3 Marcus Meissner 2018-11-27 10:12:01 UTC
is public now.
                                                                                                                    
https://www.samba.org/samba/security/CVE-2018-14629.html


CVE-2018-14629.html

====================================================================
== Subject:     Unprivileged adding of CNAME record causing loop
==              in AD Internal DNS server
==
== CVE ID#:     CVE-2018-14629
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     CNAME loops can cause DNS server crashes, and CNAMEs
==              can be added by unprivileged users.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to infinite
query recursion caused by CNAME loops. Any dns record can be added via
ldap by an unprivileged user using the ldbadd tool, so this is a
security issue.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.7.12, 4.8.7, and 4.9.3 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The Samba AD DC can be configured to use BIND9 for DNS.

This is done by running

    samba_upgradedns --dns-backend=BIND9_DLZ

and then disabling the 'dns' service in the smb.conf (e.g. 'server
services = -dns').

=======
Credits
=======

The initial bug was found by Florian Stülpner 

Aaron Haslett of Catalyst did the investigation and wrote the patch.
Comment 4 Swamp Workflow Management 2018-12-10 20:10:11 UTC
SUSE-SU-2018:4066-1: An update that solves four vulnerabilities and has 5 fixes is now available.

Category: security (moderate)
Bug References: 1068059,1087303,1087931,1101499,1102230,1116319,1116320,1116322,1116324
CVE References: CVE-2018-14629,CVE-2018-16841,CVE-2018-16851,CVE-2018-16853
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.140.6bd0e5b30d8-4.21.1
Comment 6 Samuel Cabrero 2019-01-14 10:27:48 UTC
Released.