7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.032 Low
EPSS
Percentile
91.1%
The Security Account Manager Remote Protocol [MS-SAMR] and the
Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
are both vulnerable to man in the middle attacks. Both are application level
protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
These protocols are typically available on all Windows installations
as well as every Samba server. They are used to maintain
the Security Account Manager Database. This applies to all
roles, e.g. standalone, domain member, domain controller.
Any authenticated DCERPC connection a client initiates against a server
can be used by a man in the middle to impersonate the authenticated user
against the SAMR or LSAD service on the server.
The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
in this case. A man in the middle can change auth level to CONNECT
(which means authentication without message protection) and take over
the connection.
As a result, a man in the middle is able to get read/write access to the
Security Account Manager Database, which reveals all passwords
and any other potential sensitive information.
Samba running as an active directory domain controller is additionally
missing checks to enforce PKT_PRIVACY for the
Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
is not enforcing at least PKT_INTEGRITY.
allow dcerpc auth level connect (G)
This option controls whether DCERPC services are allowed to be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
message integrity nor privacy protection.
Some interfaces like samr, lsarpc and netlogon have a hard-coded default
of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
The behavior can be overwritten per interface name (e.g. lsarpc,
netlogon, samr, srvsvc, winreg, wkssvc ...) by using
'allow dcerpc auth level connect:interface = yes' as option.
This option yields precedence to the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
Default: allow dcerpc auth level connect = no
Example: allow dcerpc auth level connect = yes
The default auth level for authenticated binds has changed from
DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
That means ncacn_ip_tcp:server is now implicitly the same
as ncacn_ip_tcp:server[sign] and offers a similar protection
as ncacn_np:server, which relies on smb signing.
A patch addressing this defect has been posted to
https://www.samba.org/samba/security/
Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.
Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.
You may lower risk by avoiding to login/authenticate with privileged accounts
over unprotected networks. Privileged accounts should only be used on the physical
console (server) console, so that authentication does not involve any network
communication.
If the machine is acting as client workstation you may restrict any incoming
network traffic by a firewall.
As this a multi-vendor problem we have decided to use one CVE number
per vendor:
This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
7.5 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
HIGH
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
6.8 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:M/Au:N/C:P/I:P/A:P
0.032 Low
EPSS
Percentile
91.1%