5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
54.3%
There are several man in the middle attacks possible with
NTLMSSP authentication.
E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
can be cleared by a man in the middle.
This was by protocol design in earlier Windows versions.
Windows Server 2003 RTM and Vista RTM introduced a way
to protect against the trivial downgrade.
See MsvAvFlags and flag 0x00000002 in
https://msdn.microsoft.com/en-us/library/cc236646.aspx
This new feature also implies support for a mechlistMIC
when used within SPNEGO, which may prevent downgrades
from other SPNEGO mechs, e.g. Kerberos, if sign or
seal is finally negotiated.
The Samba implementation doesnโt enforce the existence of
required flags, which were requested by the application layer,
e.g. LDAP or SMB1 encryption (via the unix extensions).
As a result a man in the middle can take over the connection.
It is also possible to misguide client and/or
server to send unencrypted traffic even if encryption
was explicitly requested.
LDAP (with NTLMSSP authentication) is used as a client
by various admin tools of the Samba project,
e.g. โnetโ, โsamba-toolโ, โldbsearchโ, โldbeditโ, โฆ
As an active directory member server LDAP is also used
by the winbindd service when connecting to domain controllers.
Samba also offers an LDAP server when running as
active directory domain controller.
The NTLMSSP authentication used by the SMB1 encryption
is protected by smb signing, see CVE-2015-5296.
The following vulnerabilities are related:
CVE-2016-2112 and CVE-2016-2113
A patch addressing this defect has been posted to
https://www.samba.org/samba/security/
Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.
Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.
None.
This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
5.9 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
4.3 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:N/I:P/A:N
0.002 Low
EPSS
Percentile
54.3%