=========================================================== == Subject: Parsing and packing of NBT and DNS packets == can consume excessive CPU in the AD DC (only) == == CVE ID#: CVE-2020-10745 == == Versions: All Samba versions since 4.0.0 == == Summary: Compression of replies to NetBIOS over TCP/IP == name resolution and DNS packets (which can be == supplied as UDP requests) can be abused to == consume excessive amounts of CPU on the Samba == AD DC (only). == =========================================================== =========== Description =========== The NetBIOS over TCP/IP name resolution protocol is framed using the same format as DNS, and Samba's packing code for both uses DNS name compression. An attacker can choose a name which, when the name is included in the reply, causes the DNS name compression algorithm to walk a very long internal list while trying to compress the reply. This in in part because the traditional "." separator in DNS is not actually part of the DNS protocol, the limit of 128 components is exceeded by including "." inside the components. Specifically, the longest label is 63 characters, and Samba enforces a limit of 128 components. That means you can make a query for the address with 127 components, each of which is "...............................................................". In processing that query, Samba rewrites the name in dot-separated form, then converts it back to the wire format in order to reply. Unfortunately for Samba, it now finds the name is just 8127 dots, which it duly converts into over 8127 zero length labels. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5) ========== Workaround ========== The vulnerable DNS server (port 53) and NBT server (port 139) is only provided when Samba runs as an Active Directory DC. The implementation provided by nmbd in the file-server configuration is not subject to this issue. In the AD DC, the NBT server can be disabled with 'disable netbios = yes'. ======= Credits ======= Found using Honggfuzz and triaged by Douglas Bagnall of Catalyst and the Samba Team. Patches provided by Douglas Bagnall of Catalyst and the Samba Team. Advisory written by Andrew Bartlett and Douglas Bagnall of Catalyst and the Samba Team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================