936862 – (CVE-2015-5370) VUL-0: CVE-2015-5370: samba: RPC crash in dcesrv_auth_bind_ack() due to a missing error check on the return value of dcerpc_pull_auth_trailer() could lead to a remote denial-of-service

Bug 936862 (CVE-2015-5370) - VUL-0: CVE-2015-5370: samba: RPC crash in dcesrv_auth_bind_ack() due to a missing error check on the return value of dcerpc_pull_auth_trailer() could lead to a remote denial-of-service

Summary: VUL-0: CVE-2015-5370: samba: RPC crash in dcesrv_auth_bind_ack() due to a mis...

Status:	RESOLVED FIXED

Alias:	CVE-2015-5370

Product:	SUSE Security Incidents
Classification:	Novell Products
Component:	Incidents (show other bugs)
Version:	unspecified
Hardware:	Other Other

Priority:	P3 - Medium Severity: Normal
Target Milestone:	---
Deadline:	2015-12-24
Assignee:	Security Team bot
QA Contact:	Security Team bot

URL:
Whiteboard:	maint:running:62372:moderate maint...
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2015-07-02 10:57 UTC by Andreas Stieger
Modified:	2016-12-18 20:00 UTC (History)
CC List:	10 users (show)

See Also:
Found By:	Security Response Team
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Comment 1 Swamp Workflow Management 2015-07-02 22:00:45 UTC

bugbot adjusting priority

Comment 2 Andreas Stieger 2015-07-06 11:27:43 UTC

CVE assigned. Asking Samba team how to proceed.

Comment 9 Lars Müller 2015-12-09 16:47:26 UTC

This is still work in progress.

Comment 16 Marcus Meissner 2016-03-30 11:52:25 UTC

will also be in april update round
CRD: 2016-04-12

Comment 17 Marcus Meissner 2016-04-04 08:25:16 UTC

===========================================================
== Subject:     Multiple errors in DCE-RPC code.
==
== CVE ID#:     CVE-2015-5370
==
== Versions:    Samba versions 3.6.0 to 4.4.0
==
== Summary:     Errors in Samba DCE-RPC code can lead to
==              denial of service (crashes and high cpu
==              consumption) and man in the middle attacks.
==
===========================================================

===========
Description
===========

Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
denial of service attacks (crashes and high cpu consumption)
in the DCE-RPC client and server implementations. In addition,
errors in validation of the DCE-RPC packets can lead to a downgrade
of a secure connection to an insecure one.

The above applies all possible server roles Samba can operate in.

Note that versions before 3.6.0 had completely different marshalling
functions for the generic DCE-RPC layer. It's quite possible that
that code has similar problems!

The downgrade of a secure connection to an insecure one may
allow an attacker to take control of Active Directory object
handles created on a connection created from an Administrator
account and re-use them on the now non-privileged connection,
compromising the security of the Samba AD-DC.


==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

Thanks for Jouni Knuutinen from Synopsys for discovering and
reporting this security bug using the Defensics product.

The analysis of this problem was done by Jeremy Allison of
the Samba Team and Google (https://google.com), and Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team.
They provide the fixes in collaboration with the Samba Team
(https://www.samba.org).

Comment 23 Johannes Segitz 2016-04-12 17:58:43 UTC

Is public: https://www.samba.org/samba/security/CVE-2015-5370.html

Comment 25 Swamp Workflow Management 2016-04-12 22:09:02 UTC

SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Server 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Desktop 12 (src):    samba-4.2.4-18.17.1

Comment 26 Swamp Workflow Management 2016-04-12 22:12:08 UTC

SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-76.1

Comment 27 Swamp Workflow Management 2016-04-12 22:13:45 UTC

SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-16.1

Comment 28 Bernhard Wiedemann 2016-04-13 11:00:29 UTC

This is an autogenerated message for OBS integration:
This bug (936862) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba

Comment 29 Swamp Workflow Management 2016-04-13 12:08:16 UTC

openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-15.1

Comment 30 Bernhard Wiedemann 2016-04-13 15:00:20 UTC

This is an autogenerated message for OBS integration:
This bug (936862) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba

Comment 31 Swamp Workflow Management 2016-04-13 18:07:58 UTC

SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-52.1, samba-doc-3.6.3-52.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-52.1

Comment 32 Swamp Workflow Management 2016-04-17 13:13:35 UTC

openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1

Comment 33 Swamp Workflow Management 2016-04-20 10:08:53 UTC

openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2

Comment 34 Swamp Workflow Management 2016-04-20 10:12:03 UTC

openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1

Comment 36 James McDonough 2016-05-08 11:33:48 UTC

are we done?

Comment 45 Marcus Meissner 2016-12-18 20:00:21 UTC

released