CVE-2020-10745.html:

===========================================================
== Subject:     Parsing and packing of NBT and DNS packets
==              can consume excessive CPU in the AD DC (only)
==
== CVE ID#:     CVE-2020-10745
==
== Versions:    All Samba versions since 4.0.0
==
== Summary:     Compression of replies to NetBIOS over TCP/IP
==              name resolution and DNS packets (which can be
==              supplied as UDP requests) can be abused to
==              consume excessive amounts of CPU on the Samba
==              AD DC (only).
==
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is framed using the
same format as DNS, and Samba's packing code for both uses DNS name
compression.

An attacker can choose a name which, when the name is included in the
reply, causes the DNS name compression algorithm to walk a very long
internal list while trying to compress the reply.  This in in part
because the traditional "." separator in DNS is not actually part of
the DNS protocol, the limit of 128 components is exceeded by including
"." inside the components.

Specifically, the longest label is 63 characters, and Samba enforces a
limit of 128 components. That means you can make a query for the
address with 127 components, each of which is
"...............................................................".

In processing that query, Samba rewrites the name in dot-separated
form, then converts it back to the wire format in order to
reply. Unfortunately for Samba, it now finds the name is just 8127
dots, which it duly converts into over 8127 zero length labels.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

==========
Workaround
==========

The vulnerable DNS server (port 53) and NBT server (port 139) is only
provided when Samba runs as an Active Directory DC.  The
implementation provided by nmbd in the file-server configuration is
not subject to this issue.  In the AD DC, the NBT server can be
disabled with 'disable netbios = yes'.

=======
Credits
=======

Found using Honggfuzz and triaged by Douglas Bagnall of Catalyst and
the Samba Team.

Patches provided by Douglas Bagnall of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett and Douglas Bagnall of Catalyst
and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================