Bug 1160852 - (CVE-2019-19344) VUL-0: CVE-2019-19344: samba: server crash with dns zone scavenging = yes
(CVE-2019-19344)
VUL-0: CVE-2019-19344: samba: server crash with dns zone scavenging = yes
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Minor
: ---
Assigned To: Novell Samba Team
Security Team bot
https://smash.suse.de/issue/250849/
CVSSv3:SUSE:CVE-2019-19344:6.5:(AV:N/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2020-01-14 08:54 UTC by Marcus Meissner
Modified: 2020-09-17 19:15 UTC (History)
4 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 5 Marcus Meissner 2020-01-21 11:04:03 UTC
is public

https://www.samba.org/samba/security/CVE-2019-19344.html


CVE-2019-19344.html

===========================================================
== Subject:     Use after free during DNS zone scavenging
==              in Samba AD DC
==
== CVE ID#:     CVE-2019-19344
==
== Versions:    Samba 4.9 and later versions
==
== Summary:     During DNS zone scavenging (of expired dynamic
==              entries) there is a read of memory after it has
==              been freed.
===========================================================

===========
Description
===========

Samba 4.9 introduced an off-by-default feature to tombstone
dynamically created DNS records that had reached their expiry time.

This feature is controlled by the smb.conf option:
 dns zone scavenging = yes

There is a use-after-free issue in this code, essentially due to a
call to realloc() while other local variables still point at the
original buffer.

The use is a read, but in quite unlikely conditions (due to NDR
validation unpacking the buffer) that read memory might be saved back
into the DB.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The code in question is not run in the default configuration, so
the workaround is simply to not set
 dns zone scavenging = yes

=======
Credits
=======

Originally reported by Christian Naumer.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 7 Swamp Workflow Management 2020-01-23 20:11:30 UTC
SUSE-SU-2020:0223-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1141320,1160850,1160852,1160888
CVE References: CVE-2019-14902,CVE-2019-14907,CVE-2019-19344
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2020-01-29 05:11:19 UTC
openSUSE-SU-2020:0122-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1141320,1160850,1160852,1160888
CVE References: CVE-2019-14902,CVE-2019-14907,CVE-2019-19344
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.243.e76c5cb3d97-lp151.2.15.1
Comment 9 Marcus Meissner 2020-02-05 08:03:38 UTC
done
Comment 10 Marcus Meissner 2020-02-05 08:04:07 UTC
(On sle12 we do not include the Samba AD functionality)
Comment 12 Swamp Workflow Management 2020-09-17 19:15:08 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.