[Samba] CVE-2019-14907 impact on smbd daemon

Andrew Bartlett abartlet at samba.org
Fri Jan 24 06:16:53 UTC 2020

On Fri, 2020-01-24 at 05:04 +0000, Madhappan, Silambarasan via samba
> Hi Team,
> I am looking for more clarity of the impact of CVE-2019-14907 on smbd daemon.
> On HP-UX we have not enabled AD DC feature.
> Detail announcement of CVE-2019-14907<https://www.samba.org/samba/security/CVE-2019-14907.html> provides below information.
> "(In the file server case, the most likely target, smbd, operates as process-per-client and so a crash there is harmless)."
> Does it means only child process will be killed and smbd daemon will continue serving other client threads. ?


> Please provide more information on how a crash is harmless.

In smbd only the child process handles NTLMSSP, and we consider a NULL
pointer de-reference like this to be a 'self Denial Of Service' in that
case and so not a security concern.

On the other hand, this flaw is in common library code and an
exhaustive search for other callers across the code-base was not done,
mostly because this was such a line-ball call in the first place: 
running a server for long periods at log level 3 is pretty rare.

If you wanted to start such a search, I would note that there are
almost certainly code paths that do character conversion in long-lived
processes (eg nmbd, winbindd) and in the prefork children of the off-
by-default 'spoolssd' and 'lsassd' modes of smbd. 

I realise this is less definitive than you would have liked but hope
this clarifies things,

Andrew Bartlett
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list