Allele Security Alert
ASA-2019-00363
Identifier(s)
ASA-2019-00363, CVE-2019-12435
Title
AD DC Denial of Service in DNS management server (dnsserver)
Vendor(s)
The Samba Project
Product(s)
Samba
Affected version(s)
Samba 4.9 versions before 4.9.9
Samba 4.10 versions before 4.10.5
Fixed version(s)
Samba 4.9.9
Samba 4.10.5
Proof of concept
Unknown
Description
The (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones.
An authenticated user can crash the RPC server process via a NULL pointer de-reference.
Technical details
In a couple of places in the RPC DNS server we do this:
    z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
    if (z == NULL && request_filter == 0) {
        return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
    }
    ret = dnsserver_operate_zone(dsstate, mem_ctx, z, ...);
where z can be made to be NULL by setting r->in.pszZone to a non-existent zone, and request_filter can be made non-zero by setting r->in.dwContext to non-zero.
The combination of z == NULL && request_filter != 0 results in a NULL dereference in dnsserver_operate_zone().
The contents of r->in.pszZone and r->in.dwContext are passed over the network by the client. This function seems to be only reached by authenticated users — but the user doesn’t need to have rights to perform the operation they are pretending to ask for.
In prefork mode there are multiple rpc server workers which spring back to life after a delay, but it is very easy for an attacker to continue killing them all.
This was found via Coverity CID 1418127.
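An added example, not Samba's code or the project's patch: a simplified C model of the guard quoted above, beside a hardened form that rejects a missing zone regardless of request_filter. The types, status codes, function names and sample zone are hypothetical stand-ins, and the hardened check is an assumption about a safe guard, not a copy of the upstream fix.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in types and status codes (hypothetical, not Samba's definitions). */
enum status { ST_OK = 0, ST_ZONE_DOES_NOT_EXIST = 1 };
struct zone { const char *name; int operations; struct zone *next; };
/* Constructed sample data: a server that hosts exactly one zone. */
struct zone constructed_zone = { "example.test", 0, NULL };

/* Simplified lookup: returns NULL when no zone has the requested name. */
static struct zone *find_zone(struct zone *zones, const char *name)
{
    for (struct zone *z = zones; z != NULL; z = z->next)
        if (name != NULL && strcmp(z->name, name) == 0)
            return z;
    return NULL;
}

/* The callee assumes a valid zone and dereferences it unconditionally. */
static enum status operate_zone(struct zone *z)
{
    z->operations++;    /* NULL dereference if the caller passed z == NULL */
    return ST_OK;
}

/* Advisory's guard: returns 1 if a NULL z would reach operate_zone() (call omitted). */
int flawed_guard_passes_null(struct zone *zones, const char *name, unsigned request_filter)
{
    struct zone *z = find_zone(zones, name);
    if (z == NULL && request_filter == 0)
        return 0;       /* rejected: WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST path */
    return z == NULL;   /* unknown zone + non-zero filter slips through */
}

/* Hardened handler: a missing zone is rejected whatever request_filter is. */
enum status handle_hardened(struct zone *zones, const char *name, unsigned request_filter)
{
    struct zone *z = find_zone(zones, name);
    (void)request_filter;   /* no longer part of the NULL check */
    if (z == NULL)
        return ST_ZONE_DOES_NOT_EXIST;
    return operate_zone(z);
}

int main(void)
{
    printf("flawed guard passes NULL: %d\n", flawed_guard_passes_null(&constructed_zone, "missing.test", 1));
    printf("hardened status: %d\n", handle_hardened(&constructed_zone, "missing.test", 1));
    return 0;
}
```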
Workaround
The dnsserver task can be stopped by setting ‘dcerpc endpoint servers = -dnsserver’ in the smb.conf and restarting Samba.
Credits
Andrew Bartlett (Catalyst) and the Samba Team
Reference(s)
Samba AD DC Denial of Service in DNS management server (dnsserver)
https://www.samba.org/samba/security/CVE-2019-12435.html
[Announce] Samba 4.10.5 and 4.9.9 Security Releases Available
https://lists.samba.org/archive/samba-announce/2019/000481.html
Bug 13922 – (CVE-2019-12435) CVE-2019-12435 [SECURITY] zone operations can crash rpc server
https://bugzilla.samba.org/show_bug.cgi?id=13922
samba-4.10.4-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch
samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
https://github.com/samba-team/samba/commit/0b9da247534f735fa96141e9285fd22e0f2bb442
CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
https://github.com/samba-team/samba/commit/d32b96aeff0022c7a9052f15adbc7cd36643ca22
CVE-2019-12435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12435
CVE-2019-12435
https://nvd.nist.gov/vuln/detail/CVE-2019-12435
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: June 20, 2019