Samba Security advisory SAMBA:CVE-2016-0771

Out-of-bounds read in internal DNS server

Published: 2016-03-08 00:00:00
Source: Samba Security (www.samba.org)

CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: HIGH
Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:H

CVSS2: 4.9 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: PARTIAL
Vector: AV:N/AC:M/Au:S/C:P/I:N/A:P

EPSS: 0.014 Low (percentile 86.2%)

Description

All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
an AD DC and configured to run the internal DNS server, are vulnerable to an
out-of-bounds read during DNS TXT record handling that can be triggered by
users with permission to modify DNS records.

A malicious client can upload a specially constructed DNS TXT record,
resulting in a remote denial-of-service attack. As long as the affected
TXT record remains undisturbed in the Samba database, a targeted DNS
query may continue to trigger the bug.

While unlikely, the out-of-bounds read may bypass safety checks and
allow leakage of memory from the server in the form of a DNS TXT reply.

By default only authenticated accounts can upload DNS records,
as “allow dns updates = secure only” is the default.
Any other value would allow anonymous clients to trigger this
bug, which is a much higher risk.

Patch Availability

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Workaround

Use of the BIND DNS backend will avoid this issue.
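A triage helper for this advisory (an added example, not Samba's own code): it decides whether a host's Samba version lies in the affected range and below its branch's fix release, then reads the [global] section of smb.conf for the two settings the advisory names. It assumes the host is an AD DC when `server role = active directory domain controller`, that a BIND9_DLZ provision is recognisable by `-dns` in `server services`, and that a minimal smb.conf reader (no `include` or variable substitution) is enough for the audit.

```python
import re

# Per the advisory: 4.0.0..4.4.0rc3 inclusive affected; fixed in 4.4.0rc4, 4.3.6, 4.2.9, 4.1.23.
FIXED = {(4, 1): "4.1.23", (4, 2): "4.2.9", (4, 3): "4.3.6", (4, 4): "4.4.0rc4"}
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?$")

def parse_version(text):
    """'4.4.0rc3' -> (4, 4, 0, 3); a final release sorts after every rc of it."""
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Samba version: {text!r}")
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else float("inf"))

def is_affected(version):
    """True if the version is in the vulnerable range and below its branch's fix release."""
    v = parse_version(version)
    if not parse_version("4.0.0") <= v <= parse_version("4.4.0rc3"):
        return False
    fixed = FIXED.get(v[:2])          # 4.0.x has no fix release: always affected
    return fixed is None or v < parse_version(fixed)

def global_params(smb_conf):
    """Minimal smb.conf reader (assumption: no includes): [global] as {key: value}."""
    section, params = None, {}
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":      # smb.conf comments start the line
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def assess(version, smb_conf):
    """Triage one host: version check plus the settings the advisory calls out."""
    if not is_affected(version):
        return "not affected"
    g = global_params(smb_conf)
    if g.get("server role", "").lower() != "active directory domain controller":
        return "not exposed: not an AD DC"
    if "-dns" in g.get("server services", "").split():   # assumption: BIND9_DLZ provision
        return "not exposed: internal DNS server disabled"
    updates = g.get("allow dns updates", "secure only").lower()   # Samba default
    if updates in ("secure only", "disabled"):          # 'disabled' blocks dynamic updates
        return "affected: authenticated DNS editors can trigger it; patch"
    return "affected, high risk: anonymous DNS updates allowed; patch now"
```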

Credits

This problem was found by Garming Sam and Douglas Bagnall of Catalyst IT
(www.catalyst.net.nz), with collaboration from the Samba-Team to provide
the fix.
