Bug 1158108 - (CVE-2019-14861) VUL-0: CVE-2019-14861: samba: DNSServer RPC server crash
(CVE-2019-14861)
VUL-0: CVE-2019-14861: samba: DNSServer RPC server crash
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/248160/
CVSSv3:RedHat:CVE-2019-14861:5.3:(AV...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-11-29 16:32 UTC by Marcus Meissner
Modified: 2020-09-21 09:14 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2019-11-29 16:33:49 UTC
CRD: 2019-12-10
Comment 3 Marcus Meissner 2019-12-10 16:43:56 UTC
is public

https://www.samba.org/samba/security/CVE-2019-14861.html


CVE-2019-14861.html

===========================================================
== Subject:     Samba AD DC zone-named record Denial of 
==              Service in DNS management server (dnsserver)
==
== CVE ID#:     CVE-2019-14861
==
== Versions:    All Samba versions since Samba 4.0
==
== Summary:     An authenticated user can crash the DCE/RPC DNS
==              management server by creating records with matching
==              the zone name
===========================================================

===========
Description
===========

The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.

Samba, when acting as an AD DC, stores DNS records in LDAP.

In AD, the default permissions on the DNS partition allow creation of
new records by authenticated users.  This is used for example to allow
machines to self-register in DNS.

If a DNS record was created that case-insensitively matched the name
of the zone, the ldb_qsort() and dns_name_compare() routines could be
confused into reading memory prior to the list of DNS entries when
responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so
following invalid memory as a pointer.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (5.3)

==========
Workaround
==========

The dnsserver task can be stopped by setting 
 'dcerpc endpoint servers = -dnsserver'
in the smb.conf and restarting Samba. 

=======
Credits
=======

Originally reported by Andreas Oster.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 6 Swamp Workflow Management 2019-12-17 17:11:39 UTC
SUSE-SU-2019:3319-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1158108,1158109
CVE References: CVE-2019-14861,CVE-2019-14870
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-12-17 17:44:01 UTC
SUSE-SU-2019:3318-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1158108,1158109
CVE References: CVE-2019-14861,CVE-2019-14870
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Swamp Workflow Management 2019-12-22 20:16:08 UTC
openSUSE-SU-2019:2700-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1158108,1158109
CVE References: CVE-2019-14861,CVE-2019-14870
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.224.86a8e66adea-lp151.2.12.1
Comment 9 Marcus Meissner 2020-02-05 07:58:16 UTC
Is any SLE12 , like 12-sp5 affected? 

Due to lack of AD support it might not be?
Comment 11 Swamp Workflow Management 2020-09-17 19:14:49 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 12 Samuel Cabrero 2020-09-18 06:42:18 UTC
Reassigned to security team to close it.
Comment 13 Wolfgang Frisch 2020-09-21 09:14:16 UTC
Done.