3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
0.01 Low
EPSS
Percentile
83.7%
The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.
Samba, when acting as an AD DC, stores DNS records in LDAP.
In AD, the default permissions on the DNS partition allow creation of
new records by authenticated users. This is used for example to allow
machines to self-register in DNS.
If a DNS record was created that case-insensitively matched the name
of the zone, the ldb_qsort() and dns_name_compare() routines could be
confused into reading memory prior to the list of DNS entries when
responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so
following invalid memory as a pointer.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (5.3)
The dnsserver task can be stopped by setting
‘dcerpc endpoint servers = -dnsserver’
in the smb.conf and restarting Samba.
Originally reported by Andreas Oster.
Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
3.5 Low
CVSS2
Attack Vector
NETWORK
Attack Complexity
MEDIUM
Authentication
SINGLE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H
0.01 Low
EPSS
Percentile
83.7%