Arch Linux ASA-201604-13
Apr 23, 2016 - 12:00 a.m.

samba: multiple issues

lists.archlinux.org
EPSS: 0.028 (Low), percentile 90.7%

  • CVE-2015-5370 (arbitrary code execution)

Multiple flaws were found in Samba's DCE/RPC protocol implementation. A
remote, authenticated attacker could use these flaws to cause a denial
of service against the Samba server (high CPU load or a crash) or,
possibly, execute arbitrary code with the permissions of the user
running Samba (root). This flaw could also be used to downgrade a secure
DCE/RPC connection by a man-in-the-middle attacker taking control of an
Active Directory (AD) object and compromising the security of a Samba
Active Directory Domain Controller (DC).

  • CVE-2016-2110 (man-in-the-middle)

Several flaws were found in Samba's implementation of NTLMSSP
authentication. An unauthenticated, man-in-the-middle attacker could use
this flaw to clear the encryption and integrity flags of a connection,
causing data to be transmitted in plain text. The attacker could also
force the client or server into sending data in plain text even if
encryption was explicitly requested for that connection.

  • CVE-2016-2111 (information disclosure)

An authentication flaw was found in Samba. When Samba is configured to
act as a Domain Controller, it allows remote attackers to spoof the
computer name of a secure channel's endpoints. The attacker could
exploit this flaw to obtain sensitive session information by running a
crafted application and leveraging the ability to sniff network traffic.

  • CVE-2016-2112 (man-in-the-middle)

It was found that Samba's LDAP implementation did not enforce integrity
protection for LDAP connections. A man-in-the-middle attacker could use
this flaw to downgrade LDAP connections to use no integrity protection,
allowing them to hijack such connections.

  • CVE-2016-2113 (man-in-the-middle)

It was found that although Samba supports TLS/SSL for some protocols,
such as ldap and http, certificates are not validated at all. Even when
the "tls cafile" option is set, the configured certificate is not used
to validate the server certificate.

  • CVE-2016-2114 (man-in-the-middle)

It was found that a Samba-based Active Directory domain controller does
not enforce SMB signing, which opens the possibility of man-in-the-middle
attacks. When Samba is configured as a Domain Controller, the default for
"server signing" should be "mandatory". During the early development of
Samba 4, a new experimental file server located under source4/smb_server
was used. Before the final 4.0.0 release, upstream switched back to the
file server under source3/smbd, but the logic for the correct default of
"server signing" was not ported.

  • CVE-2016-2115 (man-in-the-middle)

It was found that Samba did not enable integrity protection for IPC
traffic by default. A man-in-the-middle attacker could use this flaw to
view and modify the data sent between a Samba server and a client.

  • CVE-2016-2118 (man-in-the-middle)

It was reported that various Samba versions are vulnerable to a
man-in-the-middle attack in which an attacker can intercept any DCERPC
traffic between a client and a server in order to impersonate the client
and obtain the same privileges as the authenticated user account. This is
most problematic against Active Directory domain controllers.

OS   Version  Architecture  Package  Version    Filename
any  any      any           samba    < 4.4.2-1  UNKNOWN
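
An added example, not part of the Arch Linux advisory: a small audit that checks an installed samba package version against the fixed version 4.4.2-1 and inspects the [global] section of an smb.conf for the "server signing" and "tls cafile" conditions described under CVE-2016-2114 and CVE-2016-2113. The sample configuration, the function names and the simplified version comparison are assumptions made for illustration; only the spelling "mandatory" is accepted, and backslash line continuations are not handled.

```python
import re

FIXED = "4.4.2-1"  # first fixed package version, from the advisory's package table
DC_ROLE = "active directory domain controller"

def _key(name):
    # smb.conf parameter names ignore case and embedded whitespace
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return the [global] parameters as {normalised name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_key(name)] = value.strip()
    return params

def is_affected(installed):
    # Simplified compare for numeric pkgver-pkgrel strings, not pacman's full vercmp
    nums = lambda v: tuple(int(n) for n in re.findall(r"\d+", v))
    return nums(installed) < nums(FIXED)

def audit(conf_text, installed):
    g, old, findings = parse_global(conf_text), is_affected(installed), []
    if old:
        findings.append(f"samba {installed} is older than {FIXED}: upgrade")
    if g.get("serverrole", "").lower() == DC_ROLE:
        signing = g.get("serversigning")
        if signing is None and old:
            findings.append("DC relies on the 'server signing' default, which is not mandatory here")
        elif signing is not None and signing.lower() != "mandatory":
            findings.append(f"DC sets 'server signing = {signing}', expected mandatory")
    if old and "tlscafile" in g:
        findings.append("'tls cafile' is set but not used for certificate validation in this version")
    return findings

SAMPLE_CONF = """\
# constructed sample configuration, not taken from the advisory
[global]
    server role = active directory domain controller
    Server Signing = auto
    tls cafile = tls/ca.pem
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONF, "4.4.0-1"):
        print("FINDING:", finding)
```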