Bug 1173359 - (CVE-2020-14303) VUL-1: CVE-2020-14303: samba: Endless loop from empty UDP packet sent to AD DC nbt_server
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P4 - Low, Severity: Minor
Assigned To: Novell Samba Team
Security Team bot
https://smash.suse.de/issue/262300/
CVSSv3.1:SUSE:CVE-2020-14303:7.5:(AV:...
Reported: 2020-06-25 12:47 UTC by Marcus Meissner
Modified: 2020-09-17 19:15 UTC (History)
Found By: Security Response Team
Comment 2 Marcus Meissner 2020-07-02 09:27:43 UTC
is now public

https://www.samba.org/samba/security/CVE-2020-14303.html



===========================================================
== Subject:     Empty UDP packet DoS in Samba AD DC nbtd
==
== CVE ID#:     CVE-2020-14303
==
== Versions:    All Samba versions since Samba 4.0.0
==
== Summary:     The AD DC NBT server in Samba 4.0 will enter a
==              CPU spin and not process further requests
==              once it receives an empty (zero-length) UDP
==              packet to port 137.
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is implemented
as a UDP datagram on port 137.

The AD DC client and server-side processing code for NBT name resolution
will enter a tight loop if a UDP packet with 0 data length is
received.  The client for this case is only found in the AD DC side of
the codebase, not that used by the member server or file server.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

=========================
Workaround and mitigation
=========================

The NBT server (UDP port 137) is provided by nmbd in the
file-server configuration, which is not impacted by this issue.

In the AD DC, the NBT server can be disabled with
'disable netbios = yes'.

=======
Credits
=======

Originally reported by Martin von Wittich
<martin.von.wittich@iserv.eu> and Wilko Meyer <wilko.meyer@iserv.eu>
of IServ GmbH.

Patches provided by Gary Lockyer of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
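
An exposure check built from the advisory above (added example, not code from Samba or SUSE): it reads the [global] section of an smb.conf and an upstream version string and applies the advisory's conditions (AD DC role, 'disable netbios', fixed releases 4.10.17, 4.11.11, 4.12.4). The function names and the sample configuration are constructed for illustration; release series after 4.12 are assumed to carry the fix, and distribution packages with backported patches are not recognised.

```python
import re

# Fixed upstream releases named in the advisory, keyed by release series.
FIXED = {(4, 10): 17, (4, 11): 11, (4, 12): 4}
TRUE = {"yes", "true", "1", "on"}
# "domain controller" and "dc" are smb.conf synonyms for the AD DC role.
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
# Constructed sample input, not taken from a real system.
SAMPLE_CONF = "[global]\n  server role = active directory domain controller\n"

def global_params(conf_text):
    """Return [global] parameters; names lower-cased with spaces removed,
    because smb.conf ignores case and whitespace in parameter names."""
    params, section = {}, "global"
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def upstream_fixed(version):
    """True if an upstream version string is at or past a fixed release."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: " + version)
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    return (major, minor) > max(FIXED)  # assumption: later series are fixed

def assess(conf_text, version):
    p = global_params(conf_text)
    role = " ".join(p.get("serverrole", "auto").lower().split())
    if role not in DC_ROLES:
        return "not affected: NBT is served by nmbd, not the AD DC"
    if p.get("disablenetbios", "no").lower() in TRUE:
        return "mitigated: AD DC with 'disable netbios = yes'"
    if upstream_fixed(version):
        return "fixed: AD DC on a patched upstream release"
    return "exposed: AD DC NBT server on UDP 137, unless a fix was backported"

if __name__ == "__main__":
    print(assess(SAMPLE_CONF, "4.11.10"))
```
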
Comment 4 Swamp Workflow Management 2020-07-14 19:19:22 UTC
SUSE-SU-2020:1913-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.343.4bc358522a9-3.38.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2020-07-17 16:14:39 UTC
SUSE-SU-2020:1948-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    ldb-2.0.12-3.3.1, samba-4.11.11+git.180.2cf3b203f07-4.5.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    samba-4.11.11+git.180.2cf3b203f07-4.5.1

Comment 7 Swamp Workflow Management 2020-07-18 04:14:15 UTC
openSUSE-SU-2020:0984-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1171437,1172307,1173159,1173160,1173161,1173359
CVE References: CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.343.4bc358522a9-lp151.2.27.1
Comment 8 Swamp Workflow Management 2020-07-21 05:15:38 UTC
openSUSE-SU-2020:1023-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.3.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.3.1
Comment 9 Marcus Meissner 2020-07-22 12:57:55 UTC
released
Comment 10 Swamp Workflow Management 2020-09-01 16:23:34 UTC
openSUSE-SU-2020:1313-1: An update that solves 6 vulnerabilities and has 7 fixes is now available.

Category: security (important)
Bug References: 1141320,1162680,1169095,1169521,1169850,1169851,1171437,1172307,1173159,1173160,1173161,1173359,1174120
CVE References: CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    ldb-2.0.12-lp152.2.6.1, samba-4.11.11+git.180.2cf3b203f07-lp152.3.6.1
Comment 12 Swamp Workflow Management 2020-09-17 19:15:50 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1
