7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
52.8%
Samba has support for TLS/SSL for some protocols:
ldap and http, but currently certificates are not
validated at all. While we have a โtls cafileโ option,
the configured certificate is not used to validate
the server certificate.
This applies to ldaps:// connections triggered by tools like:
โldbsearchโ, โldbeditโ and more. Note that it only applies
to the ldb tools when they are built as part of Samba or with Samba
extensions installed, which means the Samba builtin LDAP client library is
used.
It also applies to dcerpc client connections using ncacn_http (with https://),
which are only used by the openchange project. Support for ncacn_http
was introduced in version 4.2.0.
The security patches will introduce a new option called
โtls verify peerโ. Possible values are โno_checkโ, โca_onlyโ,
โca_and_name_if_availableโ, โca_and_nameโ and โas_strict_as_possibleโ.
If you use the self-signed certificates which are auto-generated
by Samba, you wonโt have a crl file and need to explicitly
set โtls verify peer = ca_and_nameโ.
tls verify peer (G)
This controls if and how strict the client will verify the peer's
certificate and name. Possible values are (in increasing order): no_check,
ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
When set to no_check the certificate is not verified at all,
which allows trivial man in the middle attacks.
When set to ca_only the certificate is verified to be signed from a ca
specified in the "tls ca file" option. Setting "tls ca file" to a valid file
is required. The certificate lifetime is also verified. If the "tls crl file"
option is configured, the certificate is also verified against
the ca crl.
When set to ca_and_name_if_available all checks from ca_only are performed.
In addition, the peer hostname is verified against the certificate's
name, if it is provided by the application layer and not given as
an ip address string.
When set to ca_and_name all checks from ca_and_name_if_available are performed.
In addition the peer hostname needs to be provided and even an ip
address is checked against the certificate's name.
When set to as_strict_as_possible all checks from ca_and_name are performed.
In addition the "tls crl file" needs to be configured. Future versions
of Samba may implement additional checks.
Default: tls verify peer = as_strict_as_possible
A patch addressing this defect has been posted to
https://www.samba.org/samba/security/
Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.
Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.
None.
This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
7.4 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
NONE
CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
5.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:M/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
52.8%