Bug 968223 (CVE-2016-0771) - VUL-0: CVE-2016-0771: samba: Read of uninitialized memory DNS TXT handling
Summary: VUL-0: CVE-2016-0771: samba: Read of uninitialized memory DNS TXT handling
Status: RESOLVED WONTFIX
Alias: CVE-2016-0771
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Lars Müller
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2016-0771:4.3:(AV:A/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-02-25 11:08 UTC by Alexander Bergmann
Modified: 2016-03-18 13:13 UTC
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 2 Alexander Bergmann 2016-02-29 13:54:11 UTC
Closing bug as we are not affected.
Comment 3 Marcus Meissner 2016-03-08 13:43:57 UTC
published by samba team
Comment 4 Marcus Meissner 2016-03-08 13:50:15 UTC
is public now

===========================================================
== Subject:     Out-of-bounds read in internal DNS server
==
== CVE ID#:     CVE-2016-0771
==
== Versions:    Samba 4.0.0 to 4.4.0rc3
==
== Summary:     Malicious request can cause the Samba internal
==              DNS server to crash or unintentionally return
==              uninitialized memory.
==
===========================================================

===========
Description
===========

All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
an AD DC and choose to run the internal DNS server, are vulnerable to an
out-of-bounds read issue during DNS TXT record handling caused by users
with permission to modify DNS records.

A malicious client can upload a specially constructed DNS TXT record,
resulting in a remote denial-of-service attack. As long as the affected
TXT record remains undisturbed in the Samba database, a targeted DNS
query may continue to trigger this exploit.

While unlikely, the out-of-bounds read may bypass safety checks and
allow leakage of memory from the server in the form of a DNS TXT reply.

By default only authenticated accounts can upload DNS records,
as "allow dns updates = secure only" is the default.
Any other value would allow anonymous clients to trigger this
bug, which is a much higher risk.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

Use of the BIND DNS backend will avoid this issue.

=======
Credits
=======

This problem was found by Garming Sam and Douglas Bagnall of Catalyst IT
(www.catalyst.net.nz), with collaboration from the Samba-Team to provide
the fix.
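The bug class the advisory describes, a DNS TXT handler reading past the end of the record, as an added example that is neither Samba's code nor its actual fix (the advisory does not show the defective code): a bounds-checked parser for TXT RDATA that refuses a length octet claiming more bytes than the record holds. All names and the sample records are constructed for this illustration.

```c
/* Bounds-checked parsing of DNS TXT RDATA (added example, not Samba code).
 * TXT RDATA is a sequence of <character-string>s: a length octet followed by
 * that many bytes. Trusting the length octet without checking the bytes that
 * actually remain reads past the record: the class of bug in the advisory. */
#include <stddef.h>
#include <stdint.h>

#define TXT_MAX_STRINGS 16

struct txt_string {
    const uint8_t *data;   /* points into the caller's RDATA buffer */
    uint8_t len;           /* 0..255 */
};

/* Parse rdata[0..rdlen) into out[]. Returns the number of strings, or -1 if the
 * RDATA is empty, a length octet claims more bytes than remain, or out[] is
 * too small. */
int txt_rdata_parse(const uint8_t *rdata, size_t rdlen,
                    struct txt_string *out, size_t max_out)
{
    size_t pos = 0;
    int n = 0;

    if (rdata == NULL || rdlen == 0)
        return -1;
    while (pos < rdlen) {
        uint8_t len = rdata[pos++];
        /* The check a naive parser omits: len must fit in what is left. */
        if (len > rdlen - pos || (size_t)n >= max_out)
            return -1;        /* malformed: refuse rather than read on */
        out[n].data = rdata + pos;
        out[n].len = len;
        n++;
        pos += len;
    }
    return n;
}

/* Wrapper returning only the string count (or -1 when rejected). */
int txt_rdata_count(const uint8_t *rdata, size_t rdlen)
{
    struct txt_string s[TXT_MAX_STRINGS];
    return txt_rdata_parse(rdata, rdlen, s, TXT_MAX_STRINGS);
}

/* Constructed samples: a well-formed record, and one whose second length
 * octet (9) claims more than the 2 bytes that follow it. */
static const uint8_t txt_ok[]  = { 5, 'h','e','l','l','o', 2, 'h','i' };
static const uint8_t txt_bad[] = { 5, 'h','e','l','l','o', 9, 'h','i' };
```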
Comment 5 Bernhard Wiedemann 2016-03-08 15:00:18 UTC
This is an autogenerated message for OBS integration:
This bug (968223) was mentioned in
https://build.opensuse.org/request/show/368484 Factory / samba
Comment 6 Bernhard Wiedemann 2016-03-08 18:00:24 UTC
This is an autogenerated message for OBS integration:
This bug (968223) was mentioned in
https://build.opensuse.org/request/show/368568 13.2 / samba
Comment 9 Swamp Workflow Management 2016-03-18 13:13:30 UTC
openSUSE-SU-2016:0813-1: An update that solves two vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 953382,953972,968222,968223
CVE References: CVE-2015-7560,CVE-2016-0771
Sources used:
openSUSE 13.2 (src):    samba-4.1.23-31.1