Lucene search

K
sambaSamba SecuritySAMBA:CVE-2023-42670
HistoryOct 10, 2023 - 12:00 a.m.

Samba AD DC Busy RPC multiple listener DoS

2023-10-1000:00:00
Samba Security
www.samba.org
19
samba
active directory
rpc
security
patch
vulnerability
workaround
advisory

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

33.5%

Description

Samba as an Active Directory DC operates RPC services from two
distinct parts of the codebase. Those services focused on the AD DC
are started in the main “samba” process, while services focused on the
fileserver and NT4-like DC are started from the new samba-dcerpcd,
which is launched on-demand from the fileserver (smbd) tasks.

When starting, samba-dcerpcd must first confirm which services not to
provide, so as to avoid duplicate listeners.

The issue in this advisory is that, when Samba’s RPC server is under
load, or otherwise not responding, the servers NOT built for the
AD DC (eg build instead for the NT4-emulation “classic DCs”) can be
incorrectly started, and compete to listen on the same unix domain
sockets.

This then results in some queries being answered by the AD DC, and
some not. This has been seen in production at multiple sites, as “The
procedure number is out of range” when starting Active Directory Users
and Computers tool, however it can also be triggered maliciously, to
prevent service on the AD DC.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

Workaround

Setting “rpc start on demand helpers = no” in the smb.conf will
disable the file-server based RPC servers entirely. While used less
often, these services are required so this is not a long-term solution.

Credits

Originally reported by Kirin van der Veer of Planet Innovation and
diagnosed by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Andrew Bartlett of Catalyst and the Samba Team.

Catalyst thanks Planet Innovation for supporting the production of
this security fix.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

EPSS

0.001

Percentile

33.5%