CVE-2014-0239
published 2014-05-28


Priority: P339 · medium · 5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
EPSS: 67.57% (99.2th percentile)
The internal DNS server in Samba 4.x before 4.0.18 does not check the QR field in the header section of an incoming DNS message before sending a response, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged response packet that triggers a communication loop, a related issue to CVE-1999-0103.

Affected

9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | samba | < samba 2:4.1.8+dfsg-1 (bookworm) | samba 2:4.1.8+dfsg-1 (bookworm) |
| linux | linux_kernel | >= 0 < 3.13.0-46.75 | 3.13.0-46.75 |
| samba | samba | >= 0 < 2:4.1.8+dfsg-1 | 2:4.1.8+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.8+dfsg-1 | 2:4.1.8+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.8+dfsg-1 | 2:4.1.8+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.8+dfsg-1 | 2:4.1.8+dfsg-1 |
| samba | samba | >= 0 < 2:4.1.6+dfsg-1ubuntu2.14.04.2 | 2:4.1.6+dfsg-1ubuntu2.14.04.2 |
| samba | samba | >= 4.0.0 < 4.0.18 | 4.0.18 |
| samba | samba | >= 4.1.0 < 4.1.8 | 4.1.8 |

Detection & IOCs (extracted from sources)

  • Detect DNS response packets (QR bit set) sent to Samba's internal DNS server port (UDP/TCP 53); a forged response packet triggers a communication loop — monitor for abnormal CPU/bandwidth consumption on Samba AD DC hosts receiving DNS reply packets
  • The vulnerability is exploitable only when Samba's internal DNS server is in use (not BIND_DLZ backend); scope detection to Samba 4.x before 4.0.18 acting as an AD DC with the internal DNS server enabled
  • Two affected Samba servers can mutually DoS each other by bouncing forged DNS reply packets; look for pairs of Samba AD DC hosts generating sustained high-volume DNS traffic between them
  • Workaround available: switching to the BIND_DLZ DNS backend eliminates exposure to this vulnerability without patching
  • Only Samba deployments acting as an AD DC with the internal DNS server enabled are affected; standard Samba file-server builds (RHEL 5, 6, 7, Fedora 19/20) are not vulnerable
  • Fixed in Samba 4.0.18; Debian fix packaged as 2:4.1.8+dfsg-1
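
The QR-bit check from the first and third detection items above, as an added example (not code from Samba or from this page's sources). It assumes UDP payloads have already been extracted from a capture as (src, dst, dst_port, payload) tuples; the function names, addresses, threshold and sample packets are constructed for illustration.

```python
import struct
from collections import Counter

QR_MASK = 0x8000  # QR is the top bit of the 16-bit flags word (RFC 1035, section 4.1.1)

def is_response(dns_payload: bytes) -> bool:
    """True when the DNS header has QR=1 (message is a response, not a query)."""
    if len(dns_payload) < 12:  # fixed DNS header is 12 bytes
        raise ValueError("truncated DNS header")
    _txid, flags = struct.unpack("!HH", dns_payload[:4])
    return bool(flags & QR_MASK)

def flag_inbound_responses(packets, dns_servers, threshold=3):
    """Count QR=1 messages addressed to port 53 of a monitored server.

    Genuine replies to a server's own lookups return to the ephemeral source
    port it queried from, so QR=1 arriving on port 53 is the anomaly.
    Returns {(src, dst): count} for flows at or above the threshold.
    """
    hits = Counter()
    for src, dst, dport, payload in packets:
        if dst not in dns_servers or dport != 53:
            continue
        try:
            if is_response(payload):
                hits[(src, dst)] += 1
        except ValueError:
            continue  # too short to be DNS; ignore
    return {flow: n for flow, n in hits.items() if n >= threshold}

def looping_pairs(alerts):
    """Server pairs flagged in both directions, i.e. replies bouncing between them."""
    return sorted({tuple(sorted(f)) for f in alerts if (f[1], f[0]) in alerts})

def _hdr(txid, flags):
    """Constructed 12-byte DNS header with QDCOUNT=1 (sample data only)."""
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

# Constructed sample traffic: (src_ip, dst_ip, dst_port, udp_payload)
DCS = {"10.0.0.1", "10.0.0.2"}  # hypothetical AD DC addresses
SAMPLE = (
    [("192.0.2.10", "10.0.0.1", 53, _hdr(1, 0x0100))]        # ordinary query
    + [("10.0.0.2", "10.0.0.1", 53, _hdr(7, 0x8180))] * 3    # replies into port 53
    + [("10.0.0.1", "10.0.0.2", 53, _hdr(7, 0x8180))] * 3    # and bounced back
    + [("192.0.2.99", "10.0.0.1", 53, _hdr(9, 0x8180))]      # single stray reply
    + [("192.0.2.10", "10.0.0.1", 53, b"\x00\x01")]          # truncated payload
)

if __name__ == "__main__":
    alerts = flag_inbound_responses(SAMPLE, DCS)
    print(alerts, looping_pairs(alerts))
```

DNS over TCP prefixes each message with a two-byte length, which must be stripped before the payload is passed to is_response.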

CVSS provenance

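| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:N/A:P |
| osv | | 5.0 | MEDIUM | |
| vendor_debian | | 5.0 | MEDIUM | |
| vendor_redhat | | 5.0 | MEDIUM | |
| vendor_ubuntu | | 3.5 | LOW | |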