1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Security Announcement Archive</title>
11 <H2>CVE-2023-42670.html:</H2>
15 ===========================================================
16 == Subject: Samba AD DC Busy RPC multiple listener DoS
18 == CVE ID#: CVE-2023-42670
20 == Versions: All versions of Samba since Samba 4.16
22 == Summary: Samba can be made to start multiple incompatible RPC
23 listeners, disrupting service on the AD DC.
24 ===========================================================
30 Samba as an Active Directory DC operates RPC services from two
31 distinct parts of the codebase. Those services focused on the AD DC
32 are started in the main "samba" process, while services focused on the
33 fileserver and NT4-like DC are started from the new samba-dcerpcd,
34 which is launched on-demand from the fileserver (smbd) tasks.
36 When starting, samba-dcerpcd must first confirm which services not to
37 provide, so as to avoid duplicate listeners.
39 The issue in this advisory is that, when Samba's RPC server is under
40 load, or otherwise not responding, the servers NOT built for the
41 AD DC (eg build instead for the NT4-emulation "classic DCs") can be
42 incorrectly started, and compete to listen on the same unix domain
45 This then results in some queries being answered by the AD DC, and
46 some not. This has been seen in production at multiple sites, as "The
47 procedure number is out of range" when starting Active Directory Users
48 and Computers tool, however it can also be triggered maliciously, to
49 prevent service on the AD DC.
55 Patches addressing both these issues have been posted to:
57 https://www.samba.org/samba/security/
59 Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
60 as security releases to correct the defect. Samba administrators are
61 advised to upgrade to these releases or apply the patch as soon
68 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
74 Setting "rpc start on demand helpers = no" in the smb.conf will
75 disable the file-server based RPC servers entirely. While used less
76 often, these services are required so this is not a long-term solution.
82 Originally reported by Kirin van der Veer of Planet Innovation and
83 diagnosed by Andrew Bartlett of Catalyst and the Samba Team.
85 Patches provided by Andrew Bartlett of Catalyst and the Samba Team.
87 Catalyst thanks Planet Innovation for supporting the production of
90 ==========================================================
91 == Our Code, Our Bugs, Our Responsibility.
93 ==========================================================