===========================================================
== Subject:     Multiple errors in DCE-RPC code.
==
== CVE ID#:     CVE-2015-5370
==
== Versions:    Samba versions 3.6.0 to 4.4.0
==
== Summary:     Errors in Samba DCE-RPC code can lead to
==              denial of service (crashes and high cpu
==              consumption) and man in the middle attacks.
==              It is unlikely but not impossible to trigger
==              remote code execution, which may result
==              in an impersonation on the client side.
==
===========================================================

===========
Description
===========

Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
denial of service attacks (crashes and high cpu consumption) in the
DCE-RPC client and server implementations.

In addition, errors in validation of the DCE-RPC packets can lead to
a downgrade of a secure connection to an insecure one.

While we think it is unlikely, there's a nonzero chance for a remote
code execution attack against the client components, which are used
by smbd, winbindd and tools like net, rpcclient and others. This may
give the attacker root access.

The above applies to all possible server roles Samba can operate in.

Note that versions before 3.6.0 had completely different marshalling
functions for the generic DCE-RPC layer. It's quite possible that that
code has similar problems!

The downgrade of a secure connection to an insecure one may allow an
attacker to take control of Active Directory object handles created on
a connection created from an Administrator account and re-use them on
the now non-privileged connection, compromising the security of the
Samba AD-DC.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to
vendors, but had a regression, which is fixed in 4.4.2, 4.3.8 and
4.2.11.

==========
Workaround
==========

None.

=======
Credits
=======

Thanks to Jouni Knuutinen from Synopsys for discovering and reporting
this security bug using the Defensics product.

The analysis of this problem was done by Jeremy Allison of the Samba
Team and Google (https://google.com), and Stefan Metzmacher of SerNet
(https://samba.plus) and the Samba Team. They provided the fixes in
collaboration with the Samba Team (https://www.samba.org).
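The version ranges above have a wrinkle that a naive "is it between 3.6.0 and 4.4.0" check misses: 4.3.8 and 4.2.11 sit inside that numeric range yet carry the fix, while 4.4.1, 4.3.7 and 4.2.10 carry the fix but also a regression. The following script is an added example, not part of the Samba advisory, that classifies a version string (for example the output of `smbd -V`) against exactly the numbers the advisory states; the status labels and the sample inputs are this example's own constructions.

```python
"""Classify a Samba version against the CVE-2015-5370 advisory ranges.

Added example, not part of the advisory. The version numbers are the
ones the advisory states; the status labels are this script's own.
"""
import re
from typing import Dict, Set, Tuple

Version = Tuple[int, int, int]

# Affected range stated by the advisory (inclusive).
FIRST_AFFECTED: Version = (3, 6, 0)
LAST_AFFECTED: Version = (4, 4, 0)

# Security releases on the maintained 4.x branches, keyed by (major, minor).
FIXED_BY_BRANCH: Dict[Tuple[int, int], Version] = {
    (4, 2): (4, 2, 11),
    (4, 3): (4, 3, 8),
    (4, 4): (4, 4, 2),
}

# Privately released to vendors with the fix but carrying a regression.
REGRESSED: Set[Version] = {(4, 2, 10), (4, 3, 7), (4, 4, 1)}

ADVICE = {
    "affected": "upgrade to a security release or apply the patch from "
                "https://www.samba.org/samba/security/",
    "regressed": "vendor-private release with a regression; move to "
                 "4.4.2, 4.3.8 or 4.2.11",
    "fixed": "carries the CVE-2015-5370 fix",
    "not-covered": "pre-3.6.0 marshalling code; not assessed by the "
                   "advisory, which warns it may have similar problems",
    "outside-range": "newer than the advisory's affected range",
}


def parse_version(text: str) -> Version:
    """Pull the first X.Y.Z triple out of strings like 'Version 4.3.6-Ubuntu'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if match is None:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    major, minor, patch = (int(part) for part in match.groups())
    return (major, minor, patch)


def assess(text: str) -> str:
    """Return one of the ADVICE keys for the version found in `text`."""
    version = parse_version(text)
    if version < FIRST_AFFECTED:
        return "not-covered"
    if version in REGRESSED:
        return "regressed"
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is not None:
        # Maintained branch: fixed from the security release onwards,
        # affected before it (this catches 4.3.8 inside the numeric range).
        return "fixed" if version >= fixed else "affected"
    if version <= LAST_AFFECTED:
        # 3.6.x, 4.0.x, 4.1.x: inside the range, no security release on
        # that branch, so patching or upgrading is the only route.
        return "affected"
    return "outside-range"


def main() -> None:
    # Constructed sample inputs shaped like `smbd -V` output.
    samples = [
        "Version 4.3.6-Ubuntu",
        "Version 4.3.7",
        "Version 4.4.2",
        "Version 4.1.23",
        "Version 3.5.22",
    ]
    for sample in samples:
        status = assess(sample)
        print(f"{sample:22} -> {status}: {ADVICE[status]}")


if __name__ == "__main__":
    main()
```

Run it against the version your package manager or `smbd -V` reports; anything other than `fixed` or `outside-range` means the host still needs the security release or the patch.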