CVSS2
Attack Vector: NETWORK
Attack Complexity: MEDIUM
Authentication: SINGLE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL
AV:N/AC:M/Au:S/C:N/I:N/A:P

CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS
Percentile: 80.6%
During the processing of a DNS zone in the DNS management DCE/RPC
server, the internal DNS server or the Samba DLZ plugin for BIND9,
if the DSPROPERTY_ZONE_MASTER_SERVERS property or
DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will
follow a NULL pointer and terminate.
There is no further vulnerability associated with this issue, merely a
denial of service.
Patches addressing this issue have been posted to:
http://www.samba.org/samba/security/
Additionally, Samba 4.9.3 has been issued as a security release
to correct the defect. Samba administrators are advised to
upgrade to this release or apply the patch as soon as possible.
CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.9)
None. Only users with write access to dnsZone objects can trigger
this issue.
Originally reported by Fabrizio Faganello.
Patches provided by Gary Lockyer of the Samba Team and Catalyst.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
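
The page carries two CVSS v3.0 vectors that differ only in Privileges Required: PR:H in the advisory (scored 4.9) and PR:L in the metrics panel. The following added example, which is not part of the Samba advisory or of any Samba code, parses both vectors and applies the CVSS v3.0 base-score formula to show how that one metric moves the score. Function names are hypothetical and only Scope: Unchanged vectors are handled, since both vectors here are S:U.

```python
import math

# CVSS v3.0 metric weights. PR values are the Scope: Unchanged ones only.
WEIGHTS = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"N": 0.85, "L": 0.62, "H": 0.27},
    "UI": {"N": 0.85, "R": 0.62},
    "C": {"H": 0.56, "L": 0.22, "N": 0.0},
    "I": {"H": 0.56, "L": 0.22, "N": 0.0},
    "A": {"H": 0.56, "L": 0.22, "N": 0.0},
}

def parse_vector(vector):
    """Split a CVSS:3.0 vector string into a validated {metric: value} dict."""
    prefix, *parts = vector.strip().split("/")
    if prefix != "CVSS:3.0":
        raise ValueError("not a CVSS v3.0 vector: %r" % vector)
    metrics = dict(p.split(":", 1) for p in parts)  # ValueError if a part has no ':'
    for name in (*WEIGHTS, "S"):
        if name not in metrics:
            raise ValueError("missing metric " + name)
    if metrics["S"] != "U":
        raise ValueError("only Scope: Unchanged is handled in this example")
    for name, table in WEIGHTS.items():
        if metrics[name] not in table:
            raise ValueError("bad value for %s: %r" % (name, metrics[name]))
    return metrics

def roundup(x):
    """Round up to one decimal place, as the CVSS v3.0 specification requires."""
    return math.ceil(round(x * 10, 5)) / 10

def base_score(vector):
    m = {k: WEIGHTS[k][v] for k, v in parse_vector(vector).items() if k in WEIGHTS}
    iss = 1 - (1 - m["C"]) * (1 - m["I"]) * (1 - m["A"])
    impact = 6.42 * iss                                   # Scope: Unchanged
    exploitability = 8.22 * m["AV"] * m["AC"] * m["PR"] * m["UI"]
    if impact <= 0:
        return 0.0
    return roundup(min(impact + exploitability, 10))

ADVISORY_VECTOR = "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"  # from the advisory
PANEL_VECTOR = "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"     # from the metrics panel

if __name__ == "__main__":
    for label, vec in (("advisory", ADVISORY_VECTOR), ("panel", PANEL_VECTOR)):
        print(label, vec, base_score(vec))
```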