samba: fix CVE-2023-42669

A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task. References: https://nvd.nist.gov/vuln/detail/CVE-2023-42669 Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
2026-06-13 17:39:57 +00:00 · 2023-11-22 04:55:24 +00:00
parent caef559130
commit 9843839b23
2 changed files with 95 additions and 0 deletions
@@ -0,0 +1,94 @@
+From 9989568b20c8f804140c22f51548d766a18ed887 Mon Sep 17 00:00:00 2001
+From: Andrew Bartlett <abartlet@samba.org>
+Date: Tue, 12 Sep 2023 18:59:44 +1200
+Subject: [PATCH] CVE-2023-42669 s4-rpc_server: Disable rpcecho server by
+ default
+
+The rpcecho server is useful in development and testing, but should never
+have been allowed into production, as it includes the facility to
+do a blocking sleep() in the single-threaded rpc worker.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15474
+
+Signed-off-by: Andrew Bartlett <abartlet@samba.org>
+
+CVE: CVE-2023-42669
+
+Upstream-Status: Backport [https://github.com/samba-team/samba/commit/9989568b20c8f804140c22f51548d766a18ed887]
+
+Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
+---
+ docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml | 2 +-
+ lib/param/loadparm.c                                   | 2 +-
+ selftest/target/Samba4.pm                              | 2 +-
+ source3/param/loadparm.c                               | 2 +-
+ source4/rpc_server/wscript_build                       | 3 ++-
+ 5 files changed, 6 insertions(+), 5 deletions(-)
+
+diff --git a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+index 8a217cc..c6642b7 100644
+--- a/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+++ b/docs-xml/smbdotconf/protocol/dcerpcendpointservers.xml
+@@ -6,6 +6,6 @@
+	<para>Specifies which DCE/RPC endpoint servers should be run.</para>
+ </description>
+
+-<value type="default">epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+<value type="default">epmapper, wkssvc, samr, netlogon, lsarpc, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver</value>
+ <value type="example">rpcecho</value>
+ </samba:parameter>
+diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
+index eedfa00..75687f5 100644
+--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
+@@ -2717,7 +2717,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
+	lpcfg_do_global_parameter(lp_ctx, "ntvfs handler", "unixuid default");
+	lpcfg_do_global_parameter(lp_ctx, "max connections", "0");
+
+-	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "dcerpc endpoint servers", "epmapper wkssvc  samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver");
+	lpcfg_do_global_parameter(lp_ctx, "server services", "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns");
+	lpcfg_do_global_parameter(lp_ctx, "kccsrv:samba_kcc", "true");
+	/* the winbind method for domain controllers is for both RODC
+diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
+index 651faa7..c7b33d2 100755
+--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
+@@ -773,7 +773,7 @@ sub provision_raw_step1($$)
+	wins support = yes
+	server role = $ctx->{server_role}
+	server services = +echo $services
+-        dcerpc endpoint servers = +winreg +srvsvc
+        dcerpc endpoint servers = +winreg +srvsvc +rpcecho
+	notify:inotify = false
+	ldb:nosync = true
+	ldap server require strong auth = yes
+diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
+index 8bcd35f..a99ab35 100644
+--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
+@@ -879,7 +879,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
+
+	Globals.server_services = str_list_make_v3_const(NULL, "s3fs rpc nbt wrepl ldap cldap kdc drepl winbindd ntp_signd kcc dnsupdate dns", NULL);
+
+-	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc rpcecho samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+	Globals.dcerpc_endpoint_servers = str_list_make_v3_const(NULL, "epmapper wkssvc  samr netlogon lsarpc drsuapi dssetup unixinfo browser eventlog6 backupkey dnsserver", NULL);
+
+	Globals.tls_enabled = true;
+	Globals.tls_verify_peer = TLS_VERIFY_PEER_AS_STRICT_AS_POSSIBLE;
+diff --git a/source4/rpc_server/wscript_build b/source4/rpc_server/wscript_build
+index 8c75672..a2520da 100644
+--- a/source4/rpc_server/wscript_build
+++ b/source4/rpc_server/wscript_build
+@@ -29,7 +29,8 @@ bld.SAMBA_MODULE('dcerpc_rpcecho',
+	source='echo/rpc_echo.c',
+	subsystem='dcerpc_server',
+	init_function='dcerpc_server_rpcecho_init',
+-	deps='ndr-standard events'
+    deps='ndr-standard events',
+    enabled=bld.CONFIG_GET('ENABLE_SELFTEST')
+	)
+
+
+--
+2.40.0
@@ -51,6 +51,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
           file://CVE-2023-34968_0011.patch \
           file://CVE-2023-4091-0001.patch \
           file://CVE-2023-4091-0002.patch \
+           file://CVE-2023-42669.patch \
           "

 SRC_URI:append:libc-musl = " \