SonicWall Security Center


Samba spoolss Service DoS (Apr 6, 2018)



Description


Samba is a free software re-implementation of the SMB/CIFS networking protocol, providing file and print services for various Microsoft Windows clients. A NULL pointer dereference vulnerability exists in the print service of Samba Team Samba 4.0.0 to 4.4.x, 4.5.x to 4.5.16, 4.6.x to 4.6.14 and 4.7.x to 4.7.6, which may cause a remote Denial of Service.

When Samba's daemon application, smbd, handles the print server name, three functions are called in sequence: RpcEnumPrinterDrivers() -> _spoolss_EnumPrinterDrivers() -> canon_servername(). The RpcEnumPrinterDrivers request is forwarded to the _spoolss_EnumPrinterDrivers() function for handling.


Figure 1: pname in the request

Afterwards, canon_servername() is called to parse pName, the print server name. However, because _spoolss_EnumPrinterDrivers() fails to check whether this input variable is NULL, a NULL pointer may be dereferenced, crashing the service, as shown in Figure 2. An attacker could send such a request remotely and cause a Denial of Service on the remote service.


Figure 2: NULL reference that causes DoS
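
The missing check described above, modelled as an added example in C. It is a simplified sketch and not Samba's source code; the function names, status codes and sample server name are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this sketch (not Samba's WERROR values). */
enum status { ST_OK = 0, ST_INVALID_PARAMETER = 1 };

/* Simplified model of a server-name canonicaliser: skips leading
 * backslashes, so "\\\\PRINTSRV" becomes "PRINTSRV". It reads *name
 * immediately, so a NULL argument is a NULL pointer dereference. */
static const char *strip_unc_prefix(const char *name)
{
    while (*name == '\\')
        name++;
    return name;
}

/* Unchecked pattern from the text: the optional pName field is passed
 * straight through. Correct only if the client never sends NULL. */
enum status handle_enum_unchecked(const char *pname, const char **out)
{
    *out = strip_unc_prefix(pname);   /* faults when pname == NULL */
    return ST_OK;
}

/* Hardened pattern: validate the optional field at the RPC boundary and
 * return an error to the client instead of dereferencing NULL. */
enum status handle_enum_checked(const char *pname, const char **out)
{
    *out = NULL;
    if (pname == NULL)
        return ST_INVALID_PARAMETER;
    *out = strip_unc_prefix(pname);
    return ST_OK;
}

int main(void)
{
    const char *out;
    /* Constructed inputs: an absent pName, then a UNC-style name. */
    enum status st = handle_enum_checked(NULL, &out);
    printf("absent pName -> status %d\n", st);
    st = handle_enum_checked("\\\\PRINTSRV", &out);
    printf("named server -> status %d, name %s\n", st, out);
    return 0;
}
```

The checked handler turns the crash condition into an error reply, so the daemon keeps serving other clients.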

SonicWall Capture Labs Threat Research team has developed the following signature to identify and stop the attacks:

  • IPS 13280: Samba spoolss Service DoS


