Samba AD DC zone-named record Denial of

Description

The (poorly named) dnsserver RPC pipe provides administrative
facilities to modify DNS records and zones.

Samba, when acting as an AD DC, stores DNS records in LDAP.

In AD, the default permissions on the DNS partition allow creation of
new records by authenticated users. This is used for example to allow
machines to self-register in DNS.

If a DNS record was created that case-insensitively matched the name
of the zone, the ldb_qsort() and dns_name_compare() routines could be
confused into reading memory prior to the list of DNS entries when
responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so
following invalid memory as a pointer.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H (5.3)

Workaround

The dnsserver task can be stopped by setting
‘dcerpc endpoint servers = -dnsserver’
in the smb.conf and restarting Samba.

Credits

Originally reported by Andreas Oster.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team