Bug 1192214 - (CVE-2021-23192) VUL-0: CVE-2021-23192: samba: dcerpc requests don't check all fragments against the first auth_state
Status: NEW
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Assigned To: Novell Samba Team
Security Team bot
CVSSv3.1:SUSE:CVE-2021-23192:4.8:(AV:...
Reported: 2021-11-01 13:49 UTC by Marcus Meissner
Modified: 2022-02-10 17:18 UTC (History)
Comment 1 Marcus Meissner 2021-11-01 13:50:57 UTC
CRD: 2021-11-09
Comment 6 Marcus Meissner 2021-11-10 07:56:56 UTC
is public

https://www.samba.org/samba/security/CVE-2021-23192.html

====================================================================
== Subject:     Subsequent DCE/RPC fragment injection vulnerability
==
== CVE ID#:     CVE-2021-23192
==
== Versions:    Samba 4.10.0 and later.
==
== Summary:     If a client to a Samba server sent a very large
                DCE/RPC request, and chose to fragment it, an
                attacker could replace later fragments with
                their own data, bypassing the signature requirements.
=====================================================================

===========
Description
===========

Samba implements DCE/RPC, and in most cases it is provided over and
protected by the underlying SMB transport, with protections like 'SMB
signing'.

However there are other cases where large DCE/RPC request payloads are exchanged
and fragmented into several pieces. If this happens over untrusted transports
(e.g. directly over TCP/IP or anonymous SMB) clients will typically
protect by an explicit authentication at the DCE/RPC layer, e.g. with
GSSAPI/Kerberos/NTLMSSP or Netlogon Secure Channel.

Because the checks on the fragment protection were not done between
the policy controls on the header and the subsequent fragments, an attacker
could replace subsequent fragments in requests with their own data, which
might be able to alter the server behaviour.

DCE/RPC is a core component of all Samba servers, but we are most
concerned about Samba as a Domain Controller, given the role as a
centrally trusted service.

As an Active Directory domain controller, this issue affects Samba versions greater
than or equal to 4.10.0.

As an NT4 classic domain controller, domain member or standalone server,
this issue affects Samba versions greater than or equal to 4.13.0.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

==========
Workaround
==========

Setting "dcesrv:max auth states=0" in the smb.conf will provide
some mitigation against this issue.

There are no known problems with this change on an
NT4 classic domain controller, domain member or standalone server.

But it disables "Security Context Multiplexing" and may reopen
https://bugzilla.samba.org/show_bug.cgi?id=11892,
which means domain members running things like Cisco ISE or
VMware View may no longer work. This applies only to
Active Directory domain controllers.

=======
Credits
=======

Originally reported by Stefan Metzmacher of SerNet

Patches provided by Stefan Metzmacher of SerNet and the Samba Team.
Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
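A model of the check the advisory describes, added here as an illustration and not Samba's own code: a minimal DCE/RPC request PDU builder and parser over constructed sample fragments (the 16-byte verifier is placeholder bytes, not a real signature), with a reassembly routine that either compares every fragment's auth trailer against the auth state taken from the first fragment, or, modelling the pre-fix behaviour, looks only at the first.

```python
import struct

PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
HDR = "<BBBB4sHHI"       # ver, minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
AUTH_TRAILER = "<BBBBI"  # auth_type, auth_level, auth_pad_length, reserved, auth_context_id

def build_request(call_id, flags, stub, auth=None):
    # Constructed request PDU. auth = (auth_type, auth_level, context_id) or None
    # for an unauthenticated fragment. The 16-byte verifier is a placeholder.
    trailer, auth_len = b"", 0
    if auth is not None:
        trailer = struct.pack(AUTH_TRAILER, auth[0], auth[1], 0, 0, auth[2]) + b"\x00" * 16
        auth_len = 16
    hdr = struct.pack(HDR, 5, 0, 0, flags, b"\x10\0\0\0", 16 + len(stub) + len(trailer), auth_len, call_id)
    return hdr + stub + trailer

def parse_request(pdu):
    # Returns (call_id, pfc_flags, auth_state, stub_bytes); auth_state is None if unauthenticated.
    _, _, _, flags, _, frag_len, auth_len, call_id = struct.unpack_from(HDR, pdu)
    if frag_len != len(pdu):
        raise ValueError("frag_length does not match PDU size")
    if auth_len == 0:
        return call_id, flags, None, pdu[16:]
    off = frag_len - auth_len - 8          # start of the 8-byte auth trailer
    if off < 16:
        raise ValueError("auth trailer overlaps the header")
    a_type, a_level, pad, _, ctx = struct.unpack_from(AUTH_TRAILER, pdu, off)
    return call_id, flags, (a_type, a_level, ctx), pdu[16:off - pad]

def reassemble(fragments, check_every_fragment=True):
    # check_every_fragment=False models the pre-fix behaviour: only the first
    # fragment's auth state is examined. True: every fragment must match it.
    call_id, flags, ref_auth, _ = parse_request(fragments[0])
    if not flags & PFC_FIRST_FRAG:
        raise ValueError("first PDU lacks PFC_FIRST_FRAG")
    stub = bytearray()
    for i, frag in enumerate(fragments):
        cid, flags, auth, body = parse_request(frag)
        if check_every_fragment and auth != ref_auth:
            raise ValueError(f"fragment {i}: auth state {auth} != {ref_auth}")
        stub += body
        if flags & PFC_LAST_FRAG:
            return bytes(stub)
    raise ValueError("no PFC_LAST_FRAG seen")

# Constructed sample: a first fragment with an NTLMSSP (10) PKT_INTEGRITY (5) trailer
# in context 1, followed by a last fragment that carries no auth trailer at all.
SAMPLE = [build_request(7, PFC_FIRST_FRAG, b"A" * 8, (10, 5, 1)),
          build_request(7, PFC_LAST_FRAG, b"B" * 8, None)]
```

With `check_every_fragment=False` the unauthenticated second fragment is accepted and its bytes land in the reassembled stub; with the default the mismatch is rejected before any stub data is used.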
Comment 7 Swamp Workflow Management 2021-11-10 20:18:22 UTC
openSUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1
Comment 8 Swamp Workflow Management 2021-11-10 20:25:13 UTC
openSUSE-SU-2021:3650-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192284
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2021-23192
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    samba-4.11.14+git.308.666c63d4eea-4.28.1
Comment 9 Swamp Workflow Management 2021-11-10 20:28:07 UTC
SUSE-SU-2021:3650-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192284
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2021-23192
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    samba-4.11.14+git.308.666c63d4eea-4.28.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    samba-4.11.14+git.308.666c63d4eea-4.28.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    samba-4.11.14+git.308.666c63d4eea-4.28.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 10 Swamp Workflow Management 2021-11-10 20:32:22 UTC
SUSE-SU-2021:3647-1: An update that fixes 8 vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192215,1192246,1192247,1192283,1192284,1192505
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-23192,CVE-2021-3738
JIRA References: 
Sources used:
SUSE MicroOS 5.1 (src):    ldb-2.2.2-3.3.1
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.13.13+git.528.140935f8d6a-3.12.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    ldb-2.2.2-3.3.1, samba-4.13.13+git.528.140935f8d6a-3.12.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.13.13+git.528.140935f8d6a-3.12.1
Comment 11 Swamp Workflow Management 2021-11-15 11:22:40 UTC
openSUSE-SU-2021:1471-1: An update that fixes three vulnerabilities is now available.

Category: security (important)
Bug References: 1014440,1192214,1192284
CVE References: CVE-2016-2124,CVE-2020-25717,CVE-2021-23192
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    samba-4.11.14+git.308.666c63d4eea-lp152.3.28.1
Comment 14 Swamp Workflow Management 2022-02-10 17:18:27 UTC
SUSE-SU-2022:0361-1: An update that solves 11 vulnerabilities, contains one feature and has two fixes is now available.

Category: security (critical)
Bug References: 1014440,1188727,1189017,1189875,1192214,1192215,1192246,1192247,1192283,1192284,1192505,1192849,1194859
CVE References: CVE-2016-2124,CVE-2020-17049,CVE-2020-25717,CVE-2020-25718,CVE-2020-25719,CVE-2020-25721,CVE-2020-25722,CVE-2021-20254,CVE-2021-23192,CVE-2021-3738,CVE-2021-44142
JIRA References: SLE-18456
Sources used:
SUSE Enterprise Storage 7 (src):    ldb-2.2.2-4.6.1, samba-4.13.13+git.545.5897c2d94f3-3.12.1