Samba Security Advisory: CVE-2020-10745

Parsing and packing of NBT and DNS packets

Published: Jul 02, 2020
Source: Samba Security, www.samba.org

Description

The NetBIOS over TCP/IP name resolution protocol is framed using the
same format as DNS, and Samba’s packing code for both uses DNS name
compression.

An attacker can choose a name which, when the name is included in the
reply, causes the DNS name compression algorithm to walk a very long
internal list while trying to compress the reply. This is in part
because the traditional “.” separator in DNS is not actually part of
the DNS protocol: the limit of 128 components can be exceeded by
including “.” inside the components themselves.

Specifically, the longest label is 63 characters, and Samba enforces a
limit of 128 components. That means you can make a query for the
address with 127 components, each of which is
“…”.

In processing that query, Samba rewrites the name in dot-separated
form, then converts it back to the wire format in order to
reply. Unfortunately for Samba, it now finds the name is just 8127
dots, which it duly converts into over 8127 zero-length labels.
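To make the mechanism above concrete, here is an added example (not Samba's code) that models the two conversions the advisory describes: parsing a wire-format name into raw labels, rendering it as dotted text, and naively splitting that text back into labels. The function names, the simplified parser (no compression pointers) and the constructed input of 127 labels of 63 “.” octets are assumptions for this example; the 63-octet label limit comes from RFC 1035 and the 128-component cap from the advisory. The point for a defender is that length and count checks must run on the wire labels, and that a packer should reject empty labels rather than emitting thousands of zero-length ones.

```python
# Added example, not Samba's code: a minimal DNS/NBT name packer that shows
# why round-tripping a name through dotted text loses label boundaries.
# Limits: 63-octet labels (RFC 1035) and a 128-component cap as stated in the
# advisory. Compression pointers are deliberately not handled.

MAX_LABEL_LEN = 63   # RFC 1035: a label is at most 63 octets
MAX_LABELS = 128     # component limit the advisory says Samba enforces


def parse_wire_name(buf: bytes, offset: int = 0):
    """Parse an uncompressed wire-format name into its raw labels.

    Returns (labels, offset_after_name). Each label is kept as bytes, so a
    '.' inside a label stays an ordinary octet and is not a separator.
    """
    labels = []
    while True:
        length = buf[offset]
        offset += 1
        if length == 0:                      # root label terminates the name
            return labels, offset
        if length > MAX_LABEL_LEN:           # 0xC0.. would be a compression pointer
            raise ValueError("label too long or compression pointer")
        labels.append(bytes(buf[offset:offset + length]))
        offset += length
        if len(labels) > MAX_LABELS:
            raise ValueError("too many labels")


def pack_labels(labels, check: bool = True) -> bytes:
    """Encode raw labels back to wire format, enforcing limits when check=True."""
    if check and len(labels) > MAX_LABELS:
        raise ValueError("too many labels")
    out = bytearray()
    for label in labels:
        if check and not 1 <= len(label) <= MAX_LABEL_LEN:
            raise ValueError("empty or oversized label")
        out.append(len(label))
        out += label
    out.append(0)
    return bytes(out)


def labels_to_text(labels) -> str:
    """Dotted presentation form; this is the step that loses boundaries."""
    return ".".join(label.decode("latin-1") for label in labels)


def text_to_labels(text: str):
    """Naive inverse of labels_to_text: every '.' becomes a separator."""
    return [part.encode("latin-1") for part in text.split(".")]


def build_dotty_name():
    """Constructed input: 127 labels, each 63 '.' octets (the advisory's case)."""
    return [b"." * MAX_LABEL_LEN] * 127


def demonstrate() -> dict:
    wire = pack_labels(build_dotty_name())        # legal on the wire: 127 x 63 octets
    parsed, _ = parse_wire_name(wire)
    text = labels_to_text(parsed)
    roundtrip = text_to_labels(text)
    try:
        pack_labels(roundtrip)                    # checked packer rejects the text form
        repack_ok = True
    except ValueError:
        repack_ok = False
    return {
        "wire_labels": len(parsed),                          # 127
        "dots_in_text": text.count("."),                     # 8127, as in the advisory
        "roundtrip_labels": len(roundtrip),                  # 8128, all empty
        "roundtrip_empty": sum(1 for l in roundtrip if not l),
        "repack_from_text_accepted": repack_ok,              # False: limits catch it
        "repack_from_wire_bytes": len(pack_labels(parsed)),  # 127*64 + 1 = 8129
    }


if __name__ == "__main__":
    for key, value in demonstrate().items():
        print(f"{key}: {value}")
```

Running the block prints the counts: 127 labels on the wire become 8127 dots in text and 8128 empty components on the way back, matching the figures in the advisory, while packing directly from the parsed wire labels reproduces the original 8129-byte name without ever consulting the dotted form.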

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

CVSSv3 calculation

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

Workaround

The vulnerable DNS server (port 53) and NBT server (port 139) are only
provided when Samba runs as an Active Directory DC. The
implementation provided by nmbd in the file-server configuration is
not subject to this issue. In the AD DC, the NBT server can be
disabled with ‘disable netbios = yes’.

Credits

Found using Honggfuzz and triaged by Douglas Bagnall of Catalyst and
the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett and Douglas Bagnall of Catalyst
and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team