Samba spoolss Service DoS
Description
Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients. A Null pointer Denial of Service vulnerability exists on Samba print service for Samba Team Samba 4.0.0 to 4.4.x, 4.5.x to 4.5.16, 4.6.x to 4.6.14 and 4.7.x to 4.7.6, which may cause a remote Denial of Service.When Samba’s deamon application, smbd, handling the printer server name, the 3 functions will be called: RpcEnumPrinterDrivers() -> _spoolss_EnumPrinterDrivers() -> canon_servername(). The RpcEnumPrinterDrivers request will be forwarded to the _spoolss_EnumPrinterDrivers() function to handle.
Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients. A Null pointer Denial of Service vulnerability exists on Samba print service for Samba Team Samba 4.0.0 to 4.4.x, 4.5.x to 4.5.16, 4.6.x to 4.6.14 and 4.7.x to 4.7.6, which may cause a remote Denial of Service.When Samba’s deamon application, smbd, handling the printer server name, the 3 functions will be called: RpcEnumPrinterDrivers() -> _spoolss_EnumPrinterDrivers() -> canon_servername(). The RpcEnumPrinterDrivers request will be forwarded to the _spoolss_EnumPrinterDrivers() function to handle.
Figure 1: pname in the request
Afterwards, the canon_servername will be called to parse the pName – print server name. However because the _spoolss_EnumPrinterDrivers fails to check if the input variable is NULL, this will potentially cause a NULL pointer reference, causing the service to crash. As is shown in figure 2. An attacker could send such a request remotely, and cause Denial of Service on the remote service.
Figure 2: NULL reference that causes DoS
SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:
- IPS 13280: Samba spoolss Service DoS
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.
