Synopsys discovers CVE-2015-5370 in Samba’s DCE/RPC protocol implementation

With yesterday's full release of details about the much-discussed Badlock bug, one of the CVEs identified as related is attributed to Synopsys.

CVE-2015-5370 includes within its credits a call out for Jouni Knuutinen from Synopsys for "discovering and reporting this security bug using the Defensics product." Defensics works by automating the creation of malformed input and then identifying abnormalities within the results. The Synopsys tool is also credited with discovering the Heartbleed OpenSSL bug two years ago, among many other high profile vulnerabilities.

According to the release, versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to denial-of-service (DoS) attacks in the DCE-RPC client and server implementations. This can lead to crashes and high CPU consumption. In addition, there are errors in validation of the DCE-RPC packets that can lead to a downgrade of a secure connection to an insecure one.

The advisory states that this vulnerability is unlikely to be exploited, however, if it is, there is a chance for a remote code execution attack, which may gain root access for the attacker, against the client components used by smbd and winbindd, and tools like net, rpcclient, and others.

On Tuesday, Samba issued versions 4.4.2, 4.3.8, and 4.2.11 as security releases to correct the defect.