Sid 1-46848

Message

INDICATOR-COMPROMISE Possible Samba internal DNS forged response

Summary

This event is generated when an attacker attempts to trigger a denial of service in a Samba internal DNS resolver.

Impact

Detection of a Denial of Service Attack

CVE-2014-0239:

CVSS base score 5.0

CVSS impact score 2.9

CVSS exploitability score 10.0

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact PARTIAL

Detailed information

This rule checks for an attempt to trigger a denial of service in a Samba internal DNS resolver. CVE-2014-0239: The internal DNS server in Samba 4.x before 4.0.18 does not check the QR field in the header section of an incoming DNS message before sending a response, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged response packet that triggers a communication loop, a related issue to CVE-1999-0103.
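The missing check is the QR bit (bit 15 of the DNS flags word): a server must only answer messages with QR=0. The following is an added example, not Samba's code or the Snort rule itself, that parses the DNS header, applies that check, and flags datagrams arriving at a server port that carry QR=1; the two sample messages are constructed inline, not captured traffic.

```python
import struct

# Constructed sample DNS messages (not captured traffic): both ask for
# "example.com" type A, class IN; only the flags word differs.
def _build_dns(flags: int, txid: int = 0x1234) -> bytes:
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    labels = b"example.com".split(b".")
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

QUERY = _build_dns(0x0100)            # QR=0, RD=1: a legitimate client query
FORGED_RESPONSE = _build_dns(0x8180)  # QR=1, RD=1, RA=1: a response aimed at the server port

def parse_header(msg: bytes) -> dict:
    """Decode the 12-byte DNS header (RFC 1035 section 4.1.1)."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": (flags >> 15) & 1,        # 0 = query, 1 = response
        "opcode": (flags >> 11) & 0xF,
        "rcode": flags & 0xF,
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }

def server_should_answer(msg: bytes) -> bool:
    """The check Samba < 4.0.18 omitted: answer only if QR=0.

    Replying to a QR=1 message means a response can be bounced between
    two servers (or a server and a spoofed source) indefinitely, which is
    the CPU and bandwidth loop described by CVE-2014-0239.
    """
    try:
        return parse_header(msg)["qr"] == 0
    except ValueError:
        return False  # malformed: never answer

def flag_responses_to_server(payloads) -> list:
    """Indices of UDP payloads seen at a DNS server's listening port that
    carry QR=1, the traffic shape this rule alerts on."""
    return [i for i, p in enumerate(payloads) if not server_should_answer(p)]
```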

Affected systems

  • samba samba 4.0.1
  • samba samba 4.0.2
  • samba samba 4.0.3
  • samba samba 4.0.4
  • samba samba 4.0.5
  • samba samba 4.0.6
  • samba samba 4.0.7
  • samba samba 4.0.8
  • samba samba 4.0.9
  • samba samba 4.0.10
  • samba samba 4.0.11
  • samba samba 4.0.12
  • samba samba 4.0.13
  • samba samba 4.0.14
  • samba samba 4.0.15
  • samba samba 4.0.16
  • samba samba 4.0.17

Ease of attack

CVE-2014-0239:

Access Vector NETWORK

Access Complexity LOW

Authentication NONE

False positives

False negatives

Corrective action

Contributors

  • Cisco's Talos Intelligence Group

Additional References