CVE-2023-42669

Samba: "rpcecho" development server allows denial of service via sleep() call on ad dc

Severity Score

6.5

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

Track

*SSVC

Descriptions

A vulnerability was found in Samba's "rpcecho" development server, a non-Windows RPC server used to test Samba's DCE/RPC stack elements. This vulnerability stems from an RPC function that can be blocked indefinitely. The issue arises because the "rpcecho" service operates with only one worker in the main RPC task, allowing calls to the "rpcecho" server to be blocked for a specified time, causing service disruptions. This disruption is triggered by a "sleep()" call in the "dcesrv_echo_TestSleep()" function under specific conditions. Authenticated users or attackers can exploit this vulnerability to make calls to the "rpcecho" server, requesting it to block for a specified duration, effectively disrupting most services and leading to a complete denial of service on the AD DC. The DoS affects all other services as "rpcecho" runs in the main RPC task.

Se encontró una vulnerabilidad en el servidor de desarrollo "rpcecho" de Samba, un servidor RPC que no es de Windows utilizado para probar los elementos de la pila DCE/RPC de Samba. Esta vulnerabilidad se debe a una función RPC que puede bloquearse indefinidamente. El problema surge porque el servicio "rpcecho" opera con un solo trabajador en la tarea principal de RPC, lo que permite bloquear las llamadas al servidor "rpcecho" durante un tiempo específico, lo que provoca interrupciones en el servicio. Esta interrupción se desencadena mediante una llamada "sleep()" en la función "dcesrv_echo_TestSleep()" bajo condiciones específicas. Los usuarios autenticados o los atacantes pueden aprovechar esta vulnerabilidad para realizar llamadas al servidor "rpcecho", solicitándole que se bloquee durante un período específico, interrumpiendo efectivamente la mayoría de los servicios y provocando una denegación completa de servicio en AD DC. La DoS afecta a todos los demás servicios ya que "rpcecho" se ejecuta en la tarea principal de RPC.

USN-6425-1 fixed vulnerabilities in Samba. Due to a build issue on Ubuntu 20.04 LTS, the update introduced regressions in macro handling and possibly other functionality. This update fixes the problem. Sri Nagasubramanian discovered that the Samba acl_xattr VFS module incorrectly handled read-only files. When Samba is configured to ignore system ACLs, a remote attacker could possibly use this issue to truncate read-only files. Andrew Bartlett discovered that Samba incorrectly handled the DirSync control. A remote attacker with an RODC DC account could possibly use this issue to obtain all domain secrets. Andrew Bartlett discovered that Samba incorrectly handled the rpcecho development server. A remote attacker could possibly use this issue to cause Samba to stop responding, resulting in a denial of service. Kirin van der Veer discovered that Samba incorrectly handled certain RPC service listeners. A remote attacker could possibly use this issue to cause Samba to start multiple incompatible RPC listeners, resulting in a denial of service. This issue only affected Ubuntu 22.04 LTS, and Ubuntu 23.04.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

None

Integrity

None

Availability

High

Attack Vector

Network

Attack Complexity

Low

Authentication

Single

Confidentiality

None

Integrity

None

Availability

Complete

* Common Vulnerability Scoring System

SSVC

Decision:Track

Exploitation

None

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2023-09-13 CVE Reserved
2023-10-11 CVE Published
2024-11-23 CVE Updated
2025-03-30 EPSS Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-400: Uncontrolled Resource Consumption

CAPEC

References (11)

URL	Tag	Source
https://bugzilla.samba.org/show_bug.cgi?id=15474	Issue Tracking
https://security.netapp.com/advisory/ntap-20231124-0002

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://access.redhat.com/errata/RHSA-2023:6209	2023-11-24
https://access.redhat.com/errata/RHSA-2023:6744	2023-11-24
https://access.redhat.com/errata/RHSA-2023:7371	2023-11-24
https://access.redhat.com/errata/RHSA-2023:7408	2023-11-24
https://access.redhat.com/errata/RHSA-2023:7464	2023-11-24
https://access.redhat.com/errata/RHSA-2023:7467	2023-11-24
https://access.redhat.com/security/cve/CVE-2023-42669	2023-11-22
https://bugzilla.redhat.com/show_bug.cgi?id=2241884	2023-11-22
https://www.samba.org/samba/security/CVE-2023-42669.html	2023-11-24

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.0.0 < 4.17.12 Search vendor "Samba" for product "Samba" and version " >= 4.0.0 < 4.17.12"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.18.0 < 4.18.8 Search vendor "Samba" for product "Samba" and version " >= 4.18.0 < 4.18.8"		-		Affected
Samba Search vendor "Samba"		Samba Search vendor "Samba" for product "Samba"				>= 4.19.0 < 4.19.1 Search vendor "Samba" for product "Samba" and version " >= 4.19.0 < 4.19.1"		-		Affected
Redhat Search vendor "Redhat"		Storage Search vendor "Redhat" for product "Storage"				3.0 Search vendor "Redhat" for product "Storage" and version "3.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				8.0 Search vendor "Redhat" for product "Enterprise Linux" and version "8.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Search vendor "Redhat" for product "Enterprise Linux"				9.0 Search vendor "Redhat" for product "Enterprise Linux" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux Eus Search vendor "Redhat" for product "Enterprise Linux Eus"				9.0 Search vendor "Redhat" for product "Enterprise Linux Eus" and version "9.0"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems"				9.0_s390x Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems" and version "9.0_s390x"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Ibm Z Systems Eus Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus"				9.0_s390x Search vendor "Redhat" for product "Enterprise Linux For Ibm Z Systems Eus" and version "9.0_s390x"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian"				9.0_ppc64le Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian" and version "9.0_ppc64le"		-		Affected
Redhat Search vendor "Redhat"		Enterprise Linux For Power Little Endian Eus Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus"				9.0_ppc64le Search vendor "Redhat" for product "Enterprise Linux For Power Little Endian Eus" and version "9.0_ppc64le"		-		Affected