Samba Security: SAMBA:CVE-2020-14303
History: Jul 02, 2020 - 12:00 a.m.

Empty UDP packet DoS in Samba AD DC nbtd

2020-07-02 00:00:00
Samba Security
www.samba.org

CVSS3: 7.5 High

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS2: 5 Medium

Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: PARTIAL

AV:N/AC:L/Au:N/C:N/I:N/A:P

EPSS: 0.015 Low
Percentile: 86.9%

Description

The NetBIOS over TCP/IP name resolution protocol is implemented
over UDP datagrams on port 137.

The AD DC client and server-side processing code for NBT name resolution
will enter a tight loop if a UDP packet with 0 data length is
received. The client for this case is only found in the AD DC side of
the codebase, not that used by the member server or file server.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

Workaround and mitigation

The NBT server (UDP port 137) is provided by nmbd in the
file-server configuration, which is not impacted by this issue.

In the AD DC, the NBT server can be disabled with
'disable netbios = yes'.
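
The following exposure check is an added example, not code from the advisory or from Samba. It combines the fixed releases and the workaround named above to triage one host from its version string and smb.conf text. The role spellings, boolean spellings, the handling of only the [global] section (no include files), and the sample configuration are assumptions made for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by release branch.
FIXED = {(4, 10): 17, (4, 11): 11, (4, 12): 4}
# Assumption: smb.conf spellings for the AD DC role and for a true boolean.
DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
TRUE_VALUES = {"yes", "true", "1", "on"}
# Constructed sample configuration (hypothetical host), used for demonstration.
SAMPLE_CONF = """[global]
    netbios name = DC1
    server role = active directory domain controller
[sysvol]
    path = /var/lib/samba/sysvol
"""


def global_params(conf_text):
    """Return [global] parameters, names lower-cased with whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", "", name).lower()] = value.strip().lower()
    return params


def patch_state(version):
    """Return 'fixed', 'unpatched' or 'unknown' for a string like 'Version 4.11.6'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    fixed_patch = FIXED.get((int(m[1]), int(m[2]))) if m else None
    if fixed_patch is None:
        return "unknown"  # branch is not one of the releases named in the advisory
    return "fixed" if int(m[3]) >= fixed_patch else "unpatched"


def triage(version, conf_text):
    """Classify one host: not-ad-dc, mitigated, patched, exposed or check-manually."""
    params = global_params(conf_text)
    if params.get("serverrole") not in DC_ROLES:
        return "not-ad-dc"  # nmbd file-server configuration is not impacted
    if params.get("disablenetbios") in TRUE_VALUES:
        return "mitigated"  # NBT server disabled by the workaround
    state = patch_state(version)
    return {"fixed": "patched", "unpatched": "exposed"}.get(state, "check-manually")
```

On a real host, feed it the effective configuration rather than the raw file so that included files and defaults are resolved before the check.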

Credits

Originally reported by Martin von Wittich and Wilko Meyer
of IServ GmbH.

Patches provided by Gary Lockyer of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
