===========================================================
== Subject:     Empty UDP packet DoS in Samba AD DC nbtd
==
== CVE ID#:     CVE-2020-14303
==
== Versions:    All Samba versions since Samba 4.0.0
==
== Summary:     The AD DC NBT server in Samba 4.0 will enter a
==              CPU spin and not process further requests
==              once it receives an empty (zero-length) UDP
==              packet to port 137.
===========================================================

===========
Description
===========

The NetBIOS over TCP/IP name resolution protocol is implemented as a
UDP datagram on port 137.

The AD DC client and server-side processing code for NBT name
resolution will enter a tight loop if a UDP packet with 0 data length
is received.

The client for this case is only found in the AD DC side of the
codebase, not that used by the member server or file server.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.10.17, 4.11.11, and 4.12.4 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5)

=========================
Workaround and mitigation
=========================

The NBT server (UDP port 137) is provided by nmbd in the file-server
configuration, which is not impacted by this issue.

In the AD DC, the NBT server can be disabled with
'disable netbios = yes'.

=======
Credits
=======

Originally reported by Martin von Wittich
<martin.von.wittich@iserv.eu> and Wilko Meyer
<wilko.meyer@iserv.eu> of IServ GmbH.

Patches provided by Gary Lockyer of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
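
An added triage example, not part of the advisory or of Samba's code: it reads the [global] section of an smb.conf and a version string, then classifies the host using the advisory's fixed releases and its 'disable netbios = yes' workaround. Assumptions: the listed spellings of the AD DC server role, that branches newer than 4.12 carry the fix, and that include directives and line continuations are not followed; the sample configuration is constructed.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED = {(4, 10): 17, (4, 11): 11, (4, 12): 4}
# Assumption: smb.conf spellings of the AD DC server role.
AD_DC_ROLES = {"active directory domain controller", "domain controller", "dc"}
TRUE_WORDS = {"yes", "true", "1", "on"}


def global_params(conf_text):
    """Return [global] parameters, keys lower-cased with whitespace removed."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params["".join(key.lower().split())] = value.strip().lower()
    return params


def release_is_fixed(version):
    """True if the version string is at or past a fixed release."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % version)
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: branches after 4.12 carry the fix; older ones need the patch.
    return (major, minor) > (4, 12)


def triage(conf_text, version):
    """Classify a host as 'not-affected', 'mitigated', 'fixed' or 'vulnerable'."""
    p = global_params(conf_text)
    if p.get("serverrole", "auto") not in AD_DC_ROLES:
        return "not-affected"      # file/member server: NBT is served by nmbd
    if p.get("disablenetbios", "no") in TRUE_WORDS:
        return "mitigated"         # advisory workaround: AD DC NBT server off
    return "fixed" if release_is_fixed(version) else "vulnerable"


# Constructed sample configuration, not taken from a real host.
SAMPLE_DC = """
[global]
    server role = active directory domain controller
    workgroup = EXAMPLE
"""
```

A release older than 4.10 is reported as vulnerable even if the patch was applied by hand, so confirm such hosts separately.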