CVSS2: AV:N/AC:L/Au:S/C:N/I:N/A:P
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Authentication: SINGLE
    Confidentiality Impact: NONE
    Integrity Impact: NONE
    Availability Impact: PARTIAL

CVSS3: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    Attack Vector: NETWORK
    Attack Complexity: LOW
    Privileges Required: LOW
    User Interaction: NONE
    Scope: UNCHANGED
    Confidentiality Impact: NONE
    Integrity Impact: NONE
    Availability Impact: HIGH

EPSS Percentile: 73.0%

Samba 4.9 introduced an off-by-default feature to tombstone
dynamically created DNS records that had reached their expiry time.
This feature is controlled by the smb.conf option:
    dns zone scavenging = yes
There is a use-after-free issue in this code, essentially due to a
call to realloc() while other local variables still point at the
original buffer.
The use is a read, but in quite unlikely conditions (due to NDR
validation unpacking the buffer) that read memory might be saved back
into the DB.
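
The bug class described above (a local pointer kept across a realloc() of the buffer it points into), shown as an added illustration beside its hardened form. This is not Samba's code: the struct, the function names and the SHOW_VULNERABLE_PATTERN macro are hypothetical, and the sample timestamp is constructed.

```c
#include <stdint.h>
#include <stdlib.h>
/* Hypothetical record type for illustration; not Samba's DNS structures. */
struct rec { uint32_t timestamp; uint32_t tombstoned; };
struct rec_list { struct rec *items; size_t count; };

#ifdef SHOW_VULNERABLE_PATTERN  /* hypothetical macro; off in a default build */
/* VULNERABLE pattern: 'cur' is taken before realloc() and read after it. */
int append_tombstone_stale(struct rec_list *l, size_t idx)
{
    struct rec *cur = &l->items[idx];   /* points into the original buffer */
    struct rec *grown = realloc(l->items, (l->count + 1) * sizeof(*grown));
    if (grown == NULL) return -1;
    l->items = grown;
    /* If realloc() moved the block, 'cur' dangles: this read is the UAF. */
    l->items[l->count] = (struct rec){ cur->timestamp, 1 };
    l->count++;
    return 0;
}
#endif

/* Hardened form: carry an index across realloc() and re-derive the pointer. */
int append_tombstone_safe(struct rec_list *l, size_t idx)
{
    struct rec *grown, *cur;
    if (idx >= l->count) return -1;
    grown = realloc(l->items, (l->count + 1) * sizeof(*grown));
    if (grown == NULL) return -1;       /* old buffer is still valid here */
    l->items = grown;
    cur = &l->items[idx];               /* recomputed from the new base */
    l->items[l->count] = (struct rec){ cur->timestamp, 1 };
    l->count++;
    return 0;
}

/* Returns the final count if every copy kept the timestamp, otherwise 0. */
size_t demo_safe(size_t appends)
{
    struct rec_list l = { calloc(1, sizeof(struct rec)), 1 };
    size_t i, ok;
    if (l.items == NULL) return 0;
    l.items[0].timestamp = 3600;        /* constructed sample value */
    for (i = 0; i < appends; i++)
        if (append_tombstone_safe(&l, 0) != 0) break;
    for (i = 0, ok = l.count; i < l.count; i++)
        if (l.items[i].timestamp != 3600) ok = 0;
    free(l.items);
    return ok;
}
```

Building the stale variant with -DSHOW_VULNERABLE_PATTERN under AddressSanitizer reports the read as heap-use-after-free whenever realloc() relocates the block.
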
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
The code in question is not run in the default configuration, so
the workaround is simply to not set
    dns zone scavenging = yes
Originally reported by Christian Naumer.
Patches provided by Andrew Bartlett of the Samba team and Catalyst.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team