From SambaWiki
Revision as of 11:49, 2 November 2020 by Fraz (talk | contribs) (CVS-2020-14383)

CVE-2020-14383 An authenticated user can crash the DCE/RPC DNS with easily crafted records

Advisory CVE-2020-14383


Subject: An authenticated user can crash the DCE/RPC DNS with easily crafted records
CVE ID#: CVE-2020-14383
Versions: Samba 4.0 and later
An authenticated non-admin user can crash the DNS server by adding invalid records.


Some DNS records (such as MX and NS records) usually contain data in the additional section. Samba's dnsserver RPC pipe (which is an administrative interface not used in the DNS server itself) made an error in handling the case where there are no records present: instead of noticing the lack of records, it dereferenced uninitialised memory, causing the RPC server to crash. This RPC server, which also serves protocols other than dnsserver, will be restarted after a short delay, but it is easy for an authenticated non-admin attacker to crash it again as soon as it returns. The Samba DNS server itself will continue to operate, but many RPC services will not.

Patch Availability

Patches addressing both these issues have been posted to:

Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.

CVSSv3 calculation

CVSSv3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)


The dnsserver task can be stopped by setting

'dcerpc endpoint servers = -dnsserver'

in the smb.conf and restarting Samba.
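
A host audit covering both the fixed releases and the workaround above, as an added example that is not part of the Samba advisory or Samba's own tooling. The function names and the sample smb.conf are constructed for illustration, and the handling of release series outside 4.11 to 4.13 is an assumption marked in the code.

```python
import re

# Security releases named in the advisory, keyed by release series.
FIXED = {(4, 11): 15, (4, 12): 9, (4, 13): 1}

def version_is_fixed(version):
    """True if an upstream version string such as '4.12.9' has the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised Samba version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) in FIXED:
        return patch >= FIXED[(major, minor)]
    # Assumption: series after 4.13 ship the fix; series before 4.11 had
    # no security release and count as unfixed unless patched by hand.
    return (major, minor) > max(FIXED)

def dnsserver_disabled(smb_conf):
    """True if [global] sets 'dcerpc endpoint servers' with -dnsserver."""
    section, value = None, ""
    # smb.conf continues a line that ends in a backslash.
    for line in re.sub(r"\\\r?\n", "", smb_conf).splitlines():
        line = line.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, val = line.split("=", 1)
            # Parameter names ignore case and whitespace; last one wins.
            if re.sub(r"\s+", "", name).lower() == "dcerpcendpointservers":
                value = val
    # Only the advisory's '-dnsserver' form is recognised; any other
    # value is reported as not mitigated so that it gets reviewed.
    return "-dnsserver" in re.split(r"[\s,]+", value.strip().lower())

def needs_action(version, smb_conf):
    """True if the host is neither on a fixed release nor mitigated."""
    return not version_is_fixed(version) and not dnsserver_disabled(smb_conf)

# Constructed sample input, not taken from a real host.
SAMPLE_CONF = """[global]
    workgroup = EXAMPLE
    ; dcerpc endpoint servers = -dnsserver
    DCERPC Endpoint Servers = -dnsserver
"""

if __name__ == "__main__":
    for ver in ("4.12.8", "4.12.9", "4.10.18"):
        print(ver, "needs action:", needs_action(ver, "[global]\n"))
    print("sample conf mitigated:", dnsserver_disabled(SAMPLE_CONF))
```

Distribution packages may carry the patch without changing the upstream version number, so a host flagged by the version check should be compared against the vendor's changelog before it is counted as unfixed.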


Originally reported by Francis Brosnan Blázquez of in 2017.

Patches first provided for Samba 4.6 by Francis Brosnan Blázquez, and adapted for modern Samba by Douglas Bagnall of the Samba team.


== Our Code, Our Bugs, Our Responsibility.
== The Samba Team