Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 1849491 (CVE-2020-10745) - CVE-2020-10745 samba: Parsing and packing of NBT and DNS packets can consume excessive CPU
Summary: CVE-2020-10745 samba: Parsing and packing of NBT and DNS packets can consume ...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2020-10745
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1849492 1849493 1849494 1849495 1849496 1849497 1849498 1853256
Blocks:
TreeView+ depends on / blocked
 
Reported: 2020-06-22 05:01 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-09-16 08:15 UTC (History)
17 users (show)

Fixed In Version: samba 4.10.17, samba 4.11.11, samba 4.12.4
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Samba in the way it processed NetBios over TCP/IP. This flaw allows a remote attacker could to cause the Samba server to consume excessive CPU use, resulting in a denial of service. This highest threat from this vulnerability is to system availability.
Clone Of:
Environment:
Last Closed: 2020-07-02 09:38:28 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Samba Project 14378 0 None None None 2020-06-22 15:15:43 UTC

Description Huzaifa S. Sidhpurwala 2020-06-22 05:01:20 UTC
As per upstream advisory:

The NetBIOS over TCP/IP name resolution protocol is framed using the same format as DNS, and Samba's packing code for both uses DNS name compression.

An attacker can choose a name which, when the name is included in the reply, causes the DNS name compression algorithm to walk a very long internal list while trying to compress the reply.  This in in part because the traditional "." separator in DNS is not actually part of the DNS protocol, the limit of 128 components is exceeded by including "." inside the components.

Specifically, the longest label is 63 characters, and Samba enforces a limit of 128 components. That means you can make a query for the address with 127 components, each of which is "...............................................................".

In processing that query, Samba rewrites the name in dot-separated form, then converts it back to the wire format in order to reply. Unfortunately for Samba, it now finds the name is just 8127 dots, which it duly converts into over 8127 zero length labels.

Comment 1 Huzaifa S. Sidhpurwala 2020-06-22 05:01:24 UTC
Acknowledgments:

Name: the Samba project

Comment 6 Hardik Vyas 2020-06-30 13:42:22 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux and Red Hat Gluster Storage 3  because there is no support for samba as Active Directory Domain Controller.

Comment 11 Huzaifa S. Sidhpurwala 2020-07-02 09:32:49 UTC
External References:

https://www.samba.org/samba/security/CVE-2020-10745.html

Comment 12 Huzaifa S. Sidhpurwala 2020-07-02 09:33:33 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1853256]


Note You need to log in before you can comment on or make changes to this bug.