ASA-2019-00363 – Samba: AD DC Denial of Service in DNS management server (dnsserver)


Allele Security Alert

ASA-2019-00363

Identifier(s)

ASA-2019-00363, CVE-2019-12435

Title

AD DC Denial of Service in DNS management server (dnsserver)

Vendor(s)

The Samba Project

Product(s)

Samba

Affected version(s)

Samba 4.9 versions before 4.9.9
Samba 4.10 versions before 4.10.5

Fixed version(s)

Samba 4.9.9
Samba 4.10.5

Proof of concept

Unknown

Description

The (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones.

An authenticated user can crash the RPC server process over the network via a NULL pointer dereference.

Technical details

In a couple of places in the RPC DNS server we do this:

    z = dnsserver_find_zone(dsstate->zones, r->in.pszZone);
    if (z == NULL && request_filter == 0) {
        return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
    }

    ret = dnsserver_operate_zone(dsstate, mem_ctx, z, ...);

where z can be made to be NULL by setting r->in.pszZone to a non-existent zone, and request_filter can be made non-zero by setting r->in.dwContext to non-zero.

The combination of z == NULL and request_filter != 0 bypasses the early return, so a NULL z is passed to dnsserver_operate_zone(), which dereferences it.

The contents of r->in.pszZone and r->in.dwContext are passed over the network by the client. This function seems to be only reached by authenticated users — but the user doesn’t need to have rights to perform the operation they are pretending to ask for.

In prefork mode there are multiple RPC server workers which are restarted after a delay, but it is very easy for an attacker to keep killing all of them.

This was found via Coverity CID 1418127.
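The guard-ordering bug above is easier to see in runnable form. The following is an added illustrative model written for this alert, not Samba's code: the struct, the error value, the zone table and the request_filter derivation are all simplified assumptions that follow the bug report's description (a missing zone yields a NULL z, a non-zero dwContext yields a non-zero request_filter). The vulnerable guard is modelled as a predicate that reports whether NULL would reach the zone operation, so it can be exercised without faulting; the hardened handler refuses any unresolved zone before the pointer is used. This is one defensive fix consistent with the report, not necessarily the exact upstream patch.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative model only; not Samba source. */
typedef uint32_t WERROR;
#define WERR_OK 0u
/* Assumed value: Win32 DNS_ERROR_ZONE_DOES_NOT_EXIST is 9601; used symbolically here. */
#define WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST 9601u

struct dnsserver_zone {
    const char *name;
    int records;
};

/* Constructed sample zone table standing in for dsstate->zones. */
static struct dnsserver_zone zones[] = {
    { "example.test", 3 },
    { "_msdcs.example.test", 1 },
};
#define NZONES (sizeof(zones) / sizeof(zones[0]))

/* Models dnsserver_find_zone(): NULL when pszZone names no known zone. */
static struct dnsserver_zone *dnsserver_find_zone(const char *pszZone)
{
    size_t i;
    if (pszZone == NULL) {
        return NULL;
    }
    for (i = 0; i < NZONES; i++) {
        if (strcmp(zones[i].name, pszZone) == 0) {
            return &zones[i];
        }
    }
    return NULL;
}

/* Models dnsserver_operate_zone(): touches z unconditionally, so a NULL z
 * faults and takes the RPC worker down with it. */
static WERROR dnsserver_operate_zone(struct dnsserver_zone *z, uint32_t dwContext)
{
    (void)dwContext;
    z->records += 0;            /* any field access through NULL faults here */
    return WERR_OK;
}

/* Assumption from the report: a non-zero dwContext makes request_filter non-zero. */
static uint32_t request_filter_from(uint32_t dwContext)
{
    return dwContext != 0 ? 1u : 0u;
}

/* Vulnerable guard as quoted in the advisory, modelled as a predicate:
 * returns 1 when control would reach dnsserver_operate_zone() with z == NULL. */
int vulnerable_would_crash(const char *pszZone, uint32_t dwContext)
{
    struct dnsserver_zone *z = dnsserver_find_zone(pszZone);
    uint32_t request_filter = request_filter_from(dwContext);

    if (z == NULL && request_filter == 0) {
        return 0;               /* early return, no dereference */
    }
    return z == NULL;           /* NULL z would be passed on and dereferenced */
}

/* Hardened handler: an unresolved zone is rejected regardless of dwContext,
 * so the pointer is never handed to the zone operation when NULL. */
WERROR hardened_dnssrv_operation(const char *pszZone, uint32_t dwContext)
{
    struct dnsserver_zone *z = dnsserver_find_zone(pszZone);

    if (z == NULL) {
        return WERR_DNS_ERROR_ZONE_DOES_NOT_EXIST;
    }
    return dnsserver_operate_zone(z, dwContext);
}

int main(void)
{
    /* Constructed attacker request: non-existent zone, non-zero dwContext. */
    printf("vulnerable guard, bad zone + dwContext=1: crash=%d\n",
           vulnerable_would_crash("nope.test", 1));
    printf("vulnerable guard, bad zone + dwContext=0: crash=%d\n",
           vulnerable_would_crash("nope.test", 0));
    printf("hardened, bad zone + dwContext=1: werr=%u\n",
           hardened_dnssrv_operation("nope.test", 1));
    printf("hardened, good zone: werr=%u\n",
           hardened_dnssrv_operation("example.test", 1));
    return 0;
}
```

The predicate form makes the trigger condition explicit: only the pair (unknown zone, dwContext != 0) slips past the original check, and the hardened version closes it by testing z alone before any use.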

Workaround

The dnsserver task can be stopped by setting ‘dcerpc endpoint servers = -dnsserver’ in smb.conf and restarting Samba. Note that this disables remote DNS management (for example via the Windows DNS MMC snap-in) until the setting is removed.

Credits

Andrew Bartlett (Catalyst) and the Samba Team

Reference(s)

Samba AD DC Denial of Service in DNS management server (dnsserver)
https://www.samba.org/samba/security/CVE-2019-12435.html

[Announce] Samba 4.10.5 and 4.9.9 Security Releases Available
https://lists.samba.org/archive/samba-announce/2019/000481.html

Bug 13922 – (CVE-2019-12435) CVE-2019-12435 [SECURITY] zone operations can crash rpc server
https://bugzilla.samba.org/show_bug.cgi?id=13922

samba-4.10.4-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.10.4-security-2019-06-19.patch

samba-4.9.8-security-2019-06-19.patch
https://download.samba.org/pub/samba/patches/security/samba-4.9.8-security-2019-06-19.patch

CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation
https://github.com/samba-team/samba/commit/0b9da247534f735fa96141e9285fd22e0f2bb442

CVE-2019-12435 rpc/dns: avoid NULL deference if zone not found in DnssrvOperation2
https://github.com/samba-team/samba/commit/d32b96aeff0022c7a9052f15adbc7cd36643ca22

CVE-2019-12435
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12435

CVE-2019-12435
https://nvd.nist.gov/vuln/detail/CVE-2019-12435

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: June 20, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.