SAMBA:CVE-2015-5370 (Samba Security)
Apr 12, 2016 - 12:00 a.m.

Multiple errors in DCE-RPC code.

2016-04-12 00:00:00
Samba Security
www.samba.org

CVSS3: 5.9 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.019 Low
Percentile: 88.3%

Description

Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
denial of service attacks (crashes and high cpu consumption)
in the DCE-RPC client and server implementations. In addition,
errors in validation of the DCE-RPC packets can lead to a downgrade
of a secure connection to an insecure one.

While we think it is unlikely, there's a nonzero chance for
a remote code execution attack against the client components,
which are used by smbd, winbindd and tools like net, rpcclient and
others. This may give the attacker root access.

The above applies to all possible server roles Samba can operate in.

Note that versions before 3.6.0 had completely different marshalling
functions for the generic DCE-RPC layer. It's quite possible that
that code has similar problems!

The downgrade of a secure connection to an insecure one may
allow an attacker to take control of Active Directory object
handles created on a connection created from an Administrator
account and re-use them on the now non-privileged connection,
compromising the security of the Samba AD-DC.

Patch Availability

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.
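
The version ranges above can be turned into a triage check for an inventory of `smbd --version` banners. This is an added example, not code from the Samba project or the original advisory; the status labels, the function names and the sample inventory are assumptions made for illustration.

```python
import re

# Version numbers come from the advisory; the labels are this example's own.
FIRST_AFFECTED = (3, 6, 0)
LAST_AFFECTED = (4, 4, 0)
# branch -> (vendor-only release with the regression, public security release)
BRANCH_RELEASES = {
    (4, 4): ((4, 4, 1), (4, 4, 2)),
    (4, 3): ((4, 3, 7), (4, 3, 8)),
    (4, 2): ((4, 2, 10), (4, 2, 11)),
}

def parse_version(text):
    """Pull (major, minor, patch) out of text such as 'Version 4.3.8-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(part) for part in m.groups())

def classify(text):
    """Map an upstream Samba version to its status under this advisory."""
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return "not-assessed"  # different marshalling code, may have similar problems
    if v[:2] in BRANCH_RELEASES:
        regressed, fixed = BRANCH_RELEASES[v[:2]]
        if v >= fixed:
            return "fixed"  # assumption: later releases on the branch keep the fix
        return "fixed-with-regression" if v == regressed else "vulnerable"
    if v <= LAST_AFFECTED:
        return "vulnerable-patch-only"  # no security release named for this branch
    return "after-affected-range"

# Constructed sample inventory: host name -> output of `smbd --version`.
SAMPLE_INVENTORY = {
    "fs01": "Version 4.3.6",
    "fs02": "Version 4.3.8",
    "dc01": "Version 4.2.10",
    "nas1": "Version 3.6.25",
    "old1": "Version 3.5.22",
}

def triage(inventory):
    """Return {host: status} for every host in the inventory."""
    return {host: classify(banner) for host, banner in inventory.items()}

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

The check compares upstream version numbers only. Distribution packages can carry the patch without changing that number, so a "vulnerable" result on a vendor build should be confirmed against the vendor's changelog.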

Workaround

None.

Credits

Thanks to Jouni Knuutinen from Synopsys for discovering and
reporting this security bug using the Defensics product.

The analysis of this problem was done by Jeremy Allison of
the Samba Team and Google (https://google.com), and Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team.
They provide the fixes in collaboration with the Samba Team
(https://www.samba.org).
