Bugzilla – Bug 958581
VUL-0: CVE-2015-3223: samba: LDAP \00 search expression attack DoS in Samba 4.x
Last modified: 2016-04-17 13:14:37 UTC
combined patches are in bug 958586, will not attach them here.
QA REPRODUCER: I think I found a bug in Samba 4.x which allows a Denial of Service attack. You can trigger it simply by doing a LDAP search with a filter that matches "*\00". For example: ldapsearch -D user@domain -W 'cn=*\00' This command will hang and Samba will start to consume 100% CPU. No further LDAP opration will work until the samba service is restarted. This works with any authenticated user, probably also anonymous if anonymous LDAP operations are allowed (not tested).
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Dec. 17, 2015". When done, reassign the bug to "security-team@suse.de". /update/121110/.
An update workflow for this issue was started. This issue was rated as moderate. Please submit fixed packages until 2015-12-24. When done, reassign the bug to security-team@suse.de. https://swamp.suse.de/webswamp/wf/62372
An update workflow for this issue was started. This issue was rated as "important". Please submit fixed packages until "Dec. 17, 2015". When done, reassign the bug to "security-team@suse.de". /update/62372/.
bugbot adjusting priority
is public now https://www.samba.org/samba/security/CVE-2015-3223.html =========================================================== == Subject: Denial of service in Samba Active Directory == server. == == CVE ID#: CVE-2015-3223 == == Versions: Samba 4.0.0 to 4.3.2 == == Summary: Malicious request can cause Samba LDAP server == to hang, spinning using CPU. == =========================================================== =========== Description =========== All versions of Samba from 4.0.0 to 4.3.2 inclusive (resp. all ldb versions up to 1.1.23 inclusive) are vulnerable to a denial of service attack in the samba daemon LDAP server. A malicious client can send packets that cause the LDAP server in the samba daemon process to become unresponsive, preventing the server from servicing any other requests. This flaw is not exploitable beyond causing the code to loop expending CPU resources. ================== Patch Availability ================== Patches addressing this defect have been posted to https://www.samba.org/samba/history/security.html Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 (resp. ldb 1.1.24) have been issued as security releases to correct the defect. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== None. ======= Credits ======= This problem was found by Thilo Uttendorfer of Linux Information Systems AG. The fix was created by Jeremy Allison of Google.
This is an autogenerated message for OBS integration: This bug (958581) was mentioned in https://build.opensuse.org/request/show/349211 Factory / samba
Technically it doesn't affect us, because it's the LDAP server that runs inside samba AD Domain controllers, which we don't ship. It could be built from our source rpm, though. @QA: We can't test this in our packages because we don't ship this function.
SUSE-SU-2015:2304-1: An update that solves 6 vulnerabilities and has 17 fixes is now available. Category: security (important) Bug References: 295284,773464,872912,901813,902421,910378,912457,913304,923374,931854,936909,939051,947552,949022,951660,953382,954658,958581,958582,958583,958584,958585,958586 CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-8467 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): ldb-1.1.24-4.3.1, samba-4.1.12-18.3.1, talloc-2.1.5-3.4.1, tdb-1.3.8-2.3.1, tevent-0.9.26-3.3.1 SUSE Linux Enterprise Server 12 (src): ldb-1.1.24-4.3.1, samba-4.1.12-18.3.1, talloc-2.1.5-3.4.1, tdb-1.3.8-2.3.1, tevent-0.9.26-3.3.1 SUSE Linux Enterprise Desktop 12 (src): ldb-1.1.24-4.3.1, samba-4.1.12-18.3.1, talloc-2.1.5-3.4.1, tdb-1.3.8-2.3.1, tevent-0.9.26-3.3.1
SUSE-SU-2015:2305-1: An update that solves 6 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 949022,951660,954658,958581,958582,958583,958584,958585,958586 CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-8467 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): ldb-1.1.24-4.1, samba-4.2.4-6.1, talloc-2.1.5-4.1, tdb-1.3.8-4.1, tevent-0.9.26-4.1 SUSE Linux Enterprise Server 12-SP1 (src): ldb-1.1.24-4.1, samba-4.2.4-6.1, talloc-2.1.5-4.1, tdb-1.3.8-4.1, tevent-0.9.26-4.1 SUSE Linux Enterprise Desktop 12-SP1 (src): ldb-1.1.24-4.1, samba-4.2.4-6.1, talloc-2.1.5-4.1, tdb-1.3.8-4.1, tevent-0.9.26-4.1
note this only affects AD DC, which we do not ship.
openSUSE-SU-2015:2354-1: An update that solves 6 vulnerabilities and has three fixes is now available. Category: security (important) Bug References: 949022,951660,954658,958581,958582,958583,958584,958585,958586 CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-8467 Sources used: openSUSE Leap 42.1 (src): ldb-1.1.24-7.1, samba-4.2.4-9.2, talloc-2.1.5-7.1, tdb-1.3.8-7.1, tevent-0.9.26-7.1
openSUSE-SU-2015:2356-1: An update that solves 7 vulnerabilities and has 6 fixes is now available. Category: security (important) Bug References: 939050,939051,949022,951660,953382,954658,958580,958581,958582,958583,958584,958585,958586 CVE References: CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-7540,CVE-2015-8467 Sources used: openSUSE 13.2 (src): ldb-1.1.24-3.4.1, samba-4.1.22-21.1, talloc-2.1.5-2.6.1, tdb-1.3.8-3.1, tevent-0.9.26-3.1 openSUSE 13.1 (src): ldb-1.1.24-3.7.1, samba-4.1.22-3.46.1, talloc-2.1.5-7.10.1, tdb-1.3.8-4.7.1, tevent-0.9.26-4.7.1
done
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available. Category: security (important) Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629 CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118 Sources used: openSUSE 13.2 (src): samba-4.2.4-34.1