Samba Security: SAMBA:CVE-2016-2115
Apr 12, 2016 - 12:00 a.m.

SMB client connections for IPC traffic are not integrity protected

2016-04-12 00:00:00
Samba Security
www.samba.org

CVSS3: 5.9 Medium

Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE

CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N

CVSS2: 4.3 Medium

Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE

AV:N/AC:M/Au:N/C:N/I:P/A:N

EPSS: 0.003 Low (percentile 65.4%)

Description

Samba has an option called “client signing”, which is turned off by default
for performance reasons on file transfers.

This option is also used when using DCERPC with ncacn_np.

To get integrity protection for IPC-related communication by default,
the “client ipc signing” option is introduced.
The effective default for this new option is “mandatory”.

To be compatible with more SMB server implementations,
the following additional options are introduced:
“client ipc min protocol” (“NT1” by default) and
“client ipc max protocol” (the highest supported SMB2/3 dialect by default).
These options override the “client min protocol” and “client max protocol”
options, because the default for “client max protocol” is still “NT1”.
The reason for this is that all SMB2/3 implementations support SMB signing,
while there are still SMB1 implementations which don’t offer SMB signing
by default (this includes Samba versions before 4.0.0).

Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
against Active Directory domain controllers regardless of the
“client signing” and “client ipc signing” options.

New smb.conf option

client ipc signing (G)

This controls whether the client is allowed or required to use
SMB signing for IPC$ connections as DCERPC transport. Possible
values are auto, mandatory and disabled.

When set to mandatory or default, SMB signing is required.

When set to auto, SMB signing is offered but not enforced.
When set to disabled, SMB signing is not offered either.

Connections from winbindd to Active Directory Domain Controllers
always enforce signing.

Default: client ipc signing = default

client ipc max protocol (G)

The value of the parameter (a string) is the highest protocol level that will
be supported for IPC$ connections as DCERPC transport.

Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.

The value default refers to the latest supported protocol, currently SMB3_11.

See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

Default: client ipc max protocol = default

Example: client ipc max protocol = SMB2_10

client ipc min protocol (G)

This setting controls the minimum protocol version that will be
attempted for IPC$ connections as DCERPC transport.

Normally this option should not be set as the automatic negotiation phase
in the SMB protocol takes care of choosing the appropriate protocol.

The value default refers to the higher value of NT1 and the
effective value of "client min protocol".

See client max protocol for a full list of available protocols.
The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

Default: client ipc min protocol = default

Example: client ipc min protocol = SMB3_11

Patch Availability

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.

Workaround

An explicit “client signing = mandatory” in the [global] section.
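
The option semantics and the workaround above can be checked against a configuration file. The following is an added example, not part of the Samba advisory or Samba's own code: the function names, the has_ipc_options flag and the sample configurations are constructed for illustration, and the parser ignores include directives and line continuations.

```python
import re

LEGACY = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2"}  # silently upgraded to NT1
STATES = {"mandatory": "required", "auto": "offered", "disabled": "not offered"}

def parse_global(text):
    """Collect the [global] parameters of an smb.conf into a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params

def upgrade(value):  # apply the silent upgrade of pre-NT1 dialects
    return "NT1" if value.upper() in LEGACY else value.upper()

def audit_ipc(text, has_ipc_options=True):
    """has_ipc_options: the release knows 'client ipc signing' (4.4.2, 4.3.8, 4.2.11)."""
    p = parse_global(text)
    if has_ipc_options:
        value = p.get("clientipcsigning", "default").lower()
        # "mandatory" and "default" both require signing on IPC$ connections.
        signing = "required" if value == "default" else STATES.get(value, "unknown")
    else:
        # Earlier releases: IPC follows 'client signing'; only the workaround value counts.
        value = p.get("clientsigning", "").lower()
        signing = "required" if value == "mandatory" else "not enforced"
    ipc_min = p.get("clientipcminprotocol", "default")
    if ipc_min.lower() == "default":
        # Higher of NT1 and 'client min protocol'; an unset value is assumed to be <= NT1.
        ipc_min = p.get("clientminprotocol", "NT1")
    return {"signing": signing, "ipc_min_protocol": upgrade(ipc_min),
            "integrity_protected": signing == "required"}

# Constructed sample configurations, not taken from the advisory.
WEAK = "[global]\n  client ipc signing = auto\n  client min protocol = LANMAN1\n"
FIXED = WEAK.replace("client ipc signing = auto", "client ipc signing = mandatory")
WORKAROUND = "[global]\n\tClient Signing = mandatory\n"

if __name__ == "__main__":
    print(audit_ipc(WEAK), audit_ipc(FIXED), audit_ipc(WORKAROUND, False))
```

On a real host, testparm -s -v prints the effective values after includes are resolved, which is the authoritative input for a check like this.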

Credits

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
