Bug 1014437 - (CVE-2016-2123) VUL-0: CVE-2016-2123: samba: Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer Overflow Remote Code Execution Vulnerability
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium
Severity: Normal
Assigned To: The 'Opening Windows to a Wider World' guys
QA Contact: Security Team bot
Whiteboard: CVSSv2:SUSE:CVE-2016-2123:7.9:(AV:A/A...
Reported: 2016-12-08 07:38 UTC by Marcus Meissner
Modified: 2017-01-04 16:09 UTC
Comment 1 Swamp Workflow Management 2016-12-08 23:00:17 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-09 14:01:14 UTC
CRD: 2016-12-19
Comment 5 Marcus Meissner 2016-12-19 09:59:50 UTC
https://www.samba.org/samba/security/CVE-2016-2123.html

======================================================================
== Subject:     Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
==              Overflow Remote Code Execution Vulnerability
==
== CVE ID#:     CVE-2016-2123
== ZDI ID#:     ZDI-CAN-3995
==
== Versions:    Samba 4.0.0 to 4.5.2
==
== Summary:     Authenticated users can supply malicious dnsRecord attributes
==              on DNS objects and trigger a controlled memory corruption.
==
======================================================================

===========
Description
===========

The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
parses data from the Samba Active Directory ldb database.  Any user
who can write to the dnsRecord attribute over LDAP can trigger this
memory corruption.

By default, all authenticated LDAP users can write to the dnsRecord
attribute on new DNS objects. This makes the defect a remote privilege
escalation.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

It is possible to change the ntSecurityDescriptor on DNS zones, but
this will impact the expected behaviour of the AD Domain.

=======
Credits
=======

This vulnerability was detected and reported to the Samba developers
by Trend Micro's Zero Day Initiative and Frederic Besler.
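The integer-wrap class named in the advisory's Description, as an added illustration that is not Samba's code: a label-by-label name parser that sums the dotted length in a uint8_t wraps past 255, so a buffer sized from that total is too small for the bytes copied into it, while the hardened version validates and sizes the record with size_t before any copy. The [count][len][label]... wire layout, the function names and the sample records are assumptions made for this example.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Walks a record of the assumed form [count][len1][label1]...[lenN][labelN].
 * Returns -1 for a malformed record, 1 if a uint8_t running total of the dotted
 * length would wrap (the bug class), else 0; *safe_total (may be NULL) receives
 * the size_t-accounted output size including the NUL. */
int dnsp_len_would_wrap(const uint8_t *buf, size_t buflen, size_t *safe_total)
{
    size_t pos = 1, total = 1;
    uint8_t narrow = 1; int wrapped = 0;  /* narrow: the 8-bit counter that wraps */
    if (buflen < 1) return -1;
    for (unsigned i = 0; i < buf[0]; i++) {
        if (pos >= buflen) return -1;
        uint8_t sublen = buf[pos++];
        if (sublen > buflen - pos) return -1;            /* label runs past the record */
        size_t add = sublen + (i + 1 < buf[0] ? 1 : 0); /* label bytes plus '.' */
        if (narrow + add > UINT8_MAX) wrapped = 1;       /* buffer sized from narrow is too small */
        narrow = (uint8_t)(narrow + add);
        total += add;
        pos += sublen;
    }
    if (safe_total) *safe_total = total;
    return wrapped;
}

/* Hardened pull: validate and size with size_t before any copy.
 * Returns a malloc'd dotted name, or NULL if the record is malformed. */
char *dnsp_name_pull_safe(const uint8_t *buf, size_t buflen)
{
    size_t total, pos = 1, out = 0;
    if (dnsp_len_would_wrap(buf, buflen, &total) < 0) return NULL;
    char *name = malloc(total); if (!name) return NULL;
    for (unsigned i = 0; i < buf[0]; i++) {
        uint8_t sublen = buf[pos++];
        memcpy(name + out, buf + pos, sublen);          /* fits: total is exact */
        out += sublen; pos += sublen;
        if (i + 1 < buf[0]) name[out++] = '.';
    }
    name[out] = '\0';
    return name;
}

/* Constructed sample records: a valid name, a truncated one, and three 100-byte
 * labels whose dotted length (302 + NUL) no longer fits in a uint8_t. */
static const uint8_t sample_ok[] = {2, 3,'w','w','w', 7,'e','x','a','m','p','l','e'};
static const uint8_t sample_trunc[] = {1, 5, 'a', 'b'};
#define WRAP_LEN (1 + 3 * 101)
const uint8_t *wrap_sample(void)
{
    static uint8_t buf[WRAP_LEN] = {3};
    for (int i = 0; i < 3; i++) { buf[1 + i*101] = 100; memset(buf + 2 + i*101, 'a', 100); }
    return buf;
}
```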
Comment 6 Bernhard Wiedemann 2016-12-19 17:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (1014437) was mentioned in
https://build.opensuse.org/request/show/447040 Factory / samba
Comment 7 Swamp Workflow Management 2016-12-27 16:07:58 UTC
SUSE-SU-2016:3271-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1009085,1014437,1014441,1014442
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.4.2-31.1
Comment 8 Swamp Workflow Management 2016-12-27 16:09:15 UTC
SUSE-SU-2016:3272-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1001203,1009085,1014437,1014441,1014442,975299,986675,991564,994500,997833
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-28.3.1
Comment 9 Swamp Workflow Management 2016-12-29 23:12:02 UTC
SUSE-SU-2016:3299-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1001203,1009085,1014437,1014441,1014442,975299,986675,991564,994500,997833
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    samba-4.2.4-18.30.1
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.30.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.30.1
Comment 10 James McDonough 2017-01-03 21:00:34 UTC
Done
Comment 11 Swamp Workflow Management 2017-01-04 16:08:03 UTC
openSUSE-SU-2017:0020-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1001203,1009085,1014437,1014441,1014442,975299,986675,991564,994500,997833
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-24.1
Comment 12 Swamp Workflow Management 2017-01-04 16:09:51 UTC
openSUSE-SU-2017:0021-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1009085,1014437,1014441,1014442
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
openSUSE Leap 42.2 (src):    samba-4.4.2-9.1