CVE-2019-14907: Samba - Security Announcement Archive

All Samba versions 4.9.x before 4.9.18, 4.10.x before 4.10.12 and 4.11.x before 4.11.5 have an issue where, if Samba is configured with “log level = 3” (or above), the string obtained from the client after a failed character conversion is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless.)


CVE-2019-14907.html:

===========================================================
== Subject:     Crash after failed character conversion at
==              log level 3 or above
==
== CVE ID#:     CVE-2019-14907
==
== Versions:    Samba 4.0 and later versions
==
== Summary:     When processing untrusted string input Samba
==              can read past the end of the allocated buffer
==              when printing a “Conversion error” message
==              to the logs.
==
===========================================================

===========
Description
===========

If samba is set with “log level = 3” (or above) then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange.

In the Samba AD DC in particular, this may cause a long-lived process (such as the RPC server) to terminate. (In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless).

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

Do not set a log level of 3 or above in production.

=======
Credits
=======

Originally reported by Robert Święcki using a fuzzer he wrote.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
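
An added example, not part of the Samba advisory: a Python check that applies the advisory's fixed-release list and its log-level workaround to one host. It assumes the configuration text is a single smb.conf with no include files or line continuations; the function names and the sample configuration are constructed for illustration.

```python
import re

# Fixed releases named in the advisory, keyed by (major, minor) branch.
FIXED_PATCH = {(4, 9): 18, (4, 10): 12, (4, 11): 5}

# Constructed sample configuration (not taken from a real host).
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    ; log level = 10
    log level = 1 auth:5 rpc_srv:2
"""

def max_log_level(conf_text):
    """Highest debug level any 'log level' / 'debuglevel' line asks for."""
    highest = 0
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        key, sep, value = line.partition("=")
        # Parameter names are case-insensitive and ignore embedded spaces.
        if not sep or "".join(key.split()).lower() not in ("loglevel", "debuglevel"):
            continue
        for token in value.split():
            # "N" sets the default class; "class:N" or "class:N@/file" sets one class.
            level = token.split("@", 1)[0].rsplit(":", 1)[-1]
            if level.isdigit():
                highest = max(highest, int(level))
    return highest

def assess(version, conf_text):
    """Classify one host from its Samba version string and configuration text."""
    match = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not match:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, match.groups())
    fixed = FIXED_PATCH.get((major, minor))
    if fixed is None:
        return "branch has no fixed release named in the advisory"
    if patch >= fixed:
        return "fixed release"
    if max_log_level(conf_text) >= 3:
        return "exposed: upgrade, or lower log level below 3"
    return "unpatched, workaround in place"

if __name__ == "__main__":
    for v in ("4.10.11", "4.10.12", "4.8.3"):
        print(v, "->", assess(v, SAMPLE_CONF))
```

A configuration scan does not see a debug level raised at run time or on the daemon command line, so treat "workaround in place" as a statement about the file only.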
