====================================================================
== Subject:     NULL pointer de-reference in Samba AD DC DNS servers
==
== CVE ID#:     CVE-2018-16852
==
== Versions:    All versions of Samba from 4.9.0 onwards.
==
== Summary:     A user able to create or modify dnsZone objects
==              can crash the Samba AD DC's DNS management RPC server,
==              DNS server or BIND9 when using Samba's DLZ plugin
====================================================================

===========
Description
===========

During the processing of a DNS zone in the DNS management DCE/RPC
server, the internal DNS server or the Samba DLZ plugin for BIND9, if
the DSPROPERTY_ZONE_MASTER_SERVERS property or
DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will
follow a NULL pointer and terminate.

There is no further vulnerability associated with this issue, merely a
denial of service.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.9.3 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to
this release or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.9)

=========================
Workaround and mitigation
=========================

None.

Only users with write access to dnsZone objects can trigger this
issue.

=======
Credits
=======

Originally reported by Fabrizio Faganello.

Patches provided by Gary Lockyer of the Samba Team and Catalyst.

===============================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
===============================================================
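
An added audit example, not part of the Samba advisory or Samba's code: it parses dNSProperty values already read from dnsZone objects and reports zones that carry either property named in the Description, so they can be reviewed before or after upgrading. The 20-byte header layout and the property IDs 0x11 and 0x81 are taken from MS-DNSP as assumptions; the zone DNs and sample values are constructed, and fetching the attribute over LDAP is left out.

```python
import struct

# Property IDs per MS-DNSP / Samba's dnsp.idl (assumption: the advisory
# names the properties but does not give their numeric values).
FLAGGED_IDS = {
    0x11: "DSPROPERTY_ZONE_SCAVENGING_SERVERS",
    0x81: "DSPROPERTY_ZONE_MASTER_SERVERS",
}
HEADER = struct.Struct("<IIIII")  # DataLength, NameLength, Flag, Version, Id

def parse_dns_property(blob):
    """Return (prop_id, data) for one dNSProperty value or raise ValueError."""
    if len(blob) < HEADER.size:
        raise ValueError("truncated header")
    data_len, _name_len, _flag, _version, prop_id = HEADER.unpack_from(blob)
    data = blob[HEADER.size:HEADER.size + data_len]
    if len(data) != data_len:
        raise ValueError("DataLength exceeds value size")
    return prop_id, data

def audit_zone(zone_dn, property_values):
    """Return findings for one dnsZone as (dn, description, length) tuples."""
    findings = []
    for blob in property_values:
        try:
            prop_id, data = parse_dns_property(blob)
        except ValueError as exc:
            findings.append((zone_dn, "malformed dNSProperty: %s" % exc, len(blob)))
            continue
        if prop_id in FLAGGED_IDS:
            findings.append((zone_dn, FLAGGED_IDS[prop_id], len(data)))
    return findings

def make_sample(prop_id, data):
    # Constructed test value: header, opaque data, one unused name byte.
    return HEADER.pack(len(data), 1, 0, 1, prop_id) + data + b"\x00"

# Constructed sample input (hypothetical DNs, placeholder data bytes).
SAMPLE_ZONES = {
    "DC=flagged.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=test":
        [make_sample(0x01, b"\x01\x00\x00\x00"), make_sample(0x81, b"\x00" * 8)],
    "DC=clean.test,CN=MicrosoftDNS,DC=DomainDnsZones,DC=example,DC=test":
        [make_sample(0x02, b"\x01")],
}

if __name__ == "__main__":
    for dn, values in SAMPLE_ZONES.items():
        for finding in audit_zone(dn, values):
            print(finding)
```

A finding means only that the property is present on the zone; whether a given server is affected still depends on it running a Samba version from 4.9.0 up to, but not including, 4.9.3.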