Samba AD DC Denial of Service in DNS management server (dnsserver)

Description

The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.

An authenticated user can crash the RPC server process via a NULL
pointer de-reference.

There is no further vulnerability associated with this issue, merely a
denial of service.

Patch Availability

Patches addressing both these issues have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 4.9.9 and 4.10.5 have been issued as security
releases to correct the defect. Samba administrators are advised to
upgrade to these releases or apply the patch as soon as possible.

CVSSv3 calculation

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

Workaround

The dnsserver task can be stopped by setting
‘dcerpc endpoint servers = -dnsserver’
in the smb.conf and restarting Samba.

Credits

Originally reported by Coverity as CID 1418127, and triaged by Douglas
Bagnall of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team