Samba Security: SAMBA:CVE-2021-23192
History: Nov 09, 2021 - 12:00 a.m.

Subsequent DCE/RPC fragment injection vulnerability

2021-11-09 00:00:00
Samba Security
www.samba.org

CVSS3: 7.5 High
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: NONE
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: HIGH
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: NONE
  Confidentiality Impact: NONE
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N

EPSS: 0.001 Low (percentile 40.5%)

Description

Samba implements DCE/RPC, and in most cases it is provided over and
protected by the underlying SMB transport, with protections like ‘SMB
signing’.

However, there are other cases where large DCE/RPC request payloads are exchanged
and fragmented into several pieces. If this happens over untrusted transports
(e.g. directly over TCP/IP or anonymous SMB), clients will typically
protect themselves by explicit authentication at the DCE/RPC layer, e.g. with
GSSAPI/Kerberos/NTLMSSP or Netlogon Secure Channel.

Because the fragment protection checks were not done between
the policy controls on the header and the subsequent fragments, an attacker
could replace subsequent fragments in requests with their own data, which
might be able to alter the server's behaviour.

DCE/RPC is a core component of all Samba servers, but we are most
concerned about Samba as a Domain Controller, given the role as a
centrally trusted service.

As an Active Directory domain controller, this issue affects Samba versions
greater than or equal to 4.10.0.

As an NT4 classic domain controller, domain member or standalone server,
this issue affects Samba versions greater than or equal to 4.13.0.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N (4.8)

Workaround

Setting “dcesrv:max auth states = 0” in smb.conf will provide
some mitigation against this issue.

There are no known problems with this change when running as an
NT4 classic domain controller, domain member or standalone server.

But it disables “Security Context Multiplexing” and may reopen
https://bugzilla.samba.org/show_bug.cgi?id=11892,
which means domain members running things like Cisco ISE or
VMware View may no longer work. This applies only to
Active Directory domain controllers.
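A check that a defender could run against a host's reported Samba version and its smb.conf, added here and not part of the Samba advisory or the Samba code base: it applies the affected-version thresholds and fixed releases stated above and looks for the documented workaround. The accepted "server role" spellings, the inline-comment handling, and the treatment of branches newer than 4.15 as fixed are assumptions.

```python
"""Assess a Samba host against CVE-2021-23192 with the facts in the advisory:
affected >= 4.10.0 as AD DC, >= 4.13.0 in other roles; fixed in 4.15.2,
4.14.10, 4.13.14; workaround "dcesrv:max auth states = 0". Added example."""
import re
# Fixed release per maintained branch, from the advisory.
FIXED = {(4, 15): (4, 15, 2), (4, 14): (4, 14, 10), (4, 13): (4, 13, 14)}
# Assumption: only these "server role" spellings mark an AD DC.
AD_DC_ROLES = {"active directory domain controller", "dc"}

def parse_version(text):
    """'4.14.9-Ubuntu' -> (4, 14, 9); distro suffixes are ignored."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", text.strip())
    return tuple(int(x) for x in m.groups())

def is_vulnerable(version, ad_dc):
    v = parse_version(version)
    if v < ((4, 10, 0) if ad_dc else (4, 13, 0)):
        return False  # below the affected range for this role
    branch = v[:2]
    if branch in FIXED:
        return v < FIXED[branch]
    # Assumption: branches after 4.15 postdate the fix; 4.10-4.12 got none.
    return branch < (4, 13)

def parse_global(conf_text):
    # [global] options, with Samba-style case folding and space removal
    opts, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[]").strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            opts[key.strip().lower().replace(" ", "")] = value.strip()
    return opts

def assess(version, conf_text):
    opts = parse_global(conf_text)
    ad_dc = opts.get("serverrole", "").lower() in AD_DC_ROLES
    return {"ad_dc": ad_dc,
            "vulnerable": is_vulnerable(version, ad_dc),
            "workaround": opts.get("dcesrv:maxauthstates") == "0"}
# Constructed sample smb.conf: an AD DC with the workaround applied.
SAMPLE_CONF = """[global]
    server role = active directory domain controller
    dcesrv:max auth states = 0   ; CVE-2021-23192 mitigation
"""
```

Note that the workaround flag only tells you the mitigation is present; an AD DC that reports it still needs the security release, since the setting reduces exposure rather than fixing the defect.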

Credits

Originally reported by Stefan Metzmacher of SerNet.

Patches provided by Stefan Metzmacher of SerNet and the Samba Team.
Advisory by Andrew Bartlett of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
