Samba Security Advisory SAMBA:CVE-2016-2119
Jul 07, 2016

Client side SMB2/3 required signing can be downgraded

Source: Samba Security, www.samba.org

CVSS3: 7.5 High
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE;
User Interaction: REQUIRED; Scope: UNCHANGED;
Confidentiality Impact: HIGH; Integrity Impact: HIGH; Availability Impact: HIGH

CVSS2: 6.8 Medium
AV:N/AC:M/Au:N/C:P/I:P/A:P
Access Vector: NETWORK; Access Complexity: MEDIUM; Authentication: NONE;
Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL

EPSS: 0.005 Low (percentile 76.3%)

Description

It is possible for an attacker to downgrade the required signing of an
SMB2/3 client connection by injecting the SMB2_SESSION_FLAG_IS_GUEST or
SMB2_SESSION_FLAG_IS_NULL flag into the SessionFlags field of the
SESSION_SETUP response. A session the server marks as guest or anonymous
cannot be signed, and the client accepted that marking even when its own
policy required signing.

This means that an attacker who can impersonate a server Samba connects to,
or tamper with the connection, can return malicious results without the
client detecting the modification.

The primary concern is winbindd, as it uses DCERPC over SMB2 when talking
to domain controllers as a member server, and to trusted domains as a domain
controller. These DCE/RPC connections were intended to be protected by the
combination of "client ipc signing" and "client ipc max protocol" in their
effective default settings ("mandatory" and "SMB3_11").

Additionally, management tools like net, samba-tool and rpcclient use DCERPC
over SMB2/3 connections.

Other tools in Samba do not require signing by default and are therefore
unprotected in any case. They are only rarely configured to require SMB
signing via the "client signing" parameter (the default is "if_required"),
and even more rarely is "client max protocol" set to SMB2 or higher rather
than the NT1 default.

If both conditions are met (signing required and SMB2/3 negotiated), this
issue also applies to those tools, including the command line tools
smbcacls, smbcquota, smbclient and smbget, and applications using
libsmbclient.
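The following is an added example and is not code from the advisory or from Samba. It builds a SESSION_SETUP response body the way a hostile server could (the wire layout follows MS-SMB2 2.2.6; the sample security blob is constructed), parses it, and contrasts a client that trusts the guest/NULL flags and drops signing with one that refuses the session when its policy requires signing. The policy names mirror the smb.conf values quoted above; the function names and the "header already stripped" convention are assumptions of this illustration.

```python
import struct

# SessionFlags bits of the SMB2 SESSION_SETUP response (MS-SMB2 2.2.6).
SMB2_SESSION_FLAG_IS_GUEST = 0x0001
SMB2_SESSION_FLAG_IS_NULL = 0x0002
SMB2_SESSION_FLAG_ENCRYPT_DATA = 0x0004

SMB2_HEADER_LEN = 64  # SecurityBufferOffset is relative to the SMB2 header

# Client signing policies, named after the smb.conf values in the advisory.
SIGNING_IF_REQUIRED = "if_required"
SIGNING_MANDATORY = "mandatory"


def build_session_setup_response(flags: int, blob: bytes = b"") -> bytes:
    """Constructed response body as a malicious server could emit it:
    StructureSize=9, SessionFlags, SecurityBufferOffset, SecurityBufferLength."""
    return struct.pack("<HHHH", 9, flags, SMB2_HEADER_LEN + 8, len(blob)) + blob


def parse_session_setup_response(body: bytes) -> dict:
    """Parse the fixed 8-byte part of a SESSION_SETUP response body.
    Assumption of this example: the caller has already stripped the header."""
    if len(body) < 8:
        raise ValueError("short SESSION_SETUP response")
    structure_size, flags, sec_off, sec_len = struct.unpack_from("<HHHH", body, 0)
    if structure_size != 9:
        raise ValueError("unexpected StructureSize %d" % structure_size)
    start = sec_off - SMB2_HEADER_LEN
    blob = body[start:start + sec_len]
    if start < 8 or len(blob) != sec_len:
        raise ValueError("security buffer out of bounds")
    return {"flags": flags, "security_blob": blob}


def _is_guest_or_null(flags: int) -> bool:
    return bool(flags & (SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL))


def vulnerable_client_signing(flags: int, policy: str) -> bool:
    """Behaviour the advisory describes: a guest/NULL session has no usable
    session key, so the client simply runs it unsigned, regardless of
    policy. Returns whether the session ends up signed."""
    return not _is_guest_or_null(flags)


def hardened_client_signing(flags: int, policy: str) -> bool:
    """Illustrative fix (not Samba's code): when signing is mandatory, a
    server that downgrades the session to guest/NULL is refused rather
    than trusted unsigned. Returns whether the session is signed."""
    unsigned = _is_guest_or_null(flags)
    if unsigned and policy == SIGNING_MANDATORY:
        raise PermissionError(
            "server flagged session as guest/anonymous while signing is required")
    return not unsigned


def demo() -> dict:
    """Push a forged guest-flagged response through both client behaviours."""
    wire = build_session_setup_response(SMB2_SESSION_FLAG_IS_GUEST, b"\xa1\x07")
    resp = parse_session_setup_response(wire)
    result = {
        "flags": resp["flags"],
        "vulnerable_signed": vulnerable_client_signing(resp["flags"], SIGNING_MANDATORY),
    }
    try:
        hardened_client_signing(resp["flags"], SIGNING_MANDATORY)
        result["hardened"] = "accepted"
    except PermissionError:
        result["hardened"] = "rejected"
    return result


if __name__ == "__main__":
    print(demo())
```

The vulnerable path never consults its own policy once the server claims the session is guest or anonymous, which is exactly the downgrade the advisory describes; the hardened path makes the server-asserted flag subordinate to the client-side "mandatory" setting.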

Patch Availability

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.5, 4.3.11 and 4.2.14 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Workaround

Set "client ipc max protocol = NT1".

If "client signing" is set to "mandatory"/"required", also remove any
explicit setting of "client max protocol" so that it falls back to its
default of "NT1".

Both changes force the affected connections down to SMB1, where the
downgrade does not apply, and should be reverted once the security fixes
are applied.
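As an added example (not part of the advisory and not Samba's code), the checker below reads the [global] section of an smb.conf and reports, for the two setting pairs the advisory names, whether signing is required over SMB2/3 (where this downgrade applies), required over SMB1 (the workaround state), or not required at all. The effective defaults are the ones quoted in this advisory for the affected releases; the protocol ordering and the aliases SMB2/SMB3 follow the smb.conf manual. The sample configurations are constructed.

```python
import configparser

# Samba protocol levels, lowest to highest; SMB2 and SMB3 are manual aliases.
PROTOCOL_ORDER = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
                  "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]
PROTOCOL_ALIASES = {"SMB2": "SMB2_10", "SMB3": "SMB3_11"}

# Effective defaults named in the advisory for the affected releases.
DEFAULTS = {
    "client ipc signing": "mandatory",
    "client ipc max protocol": "SMB3_11",
    "client signing": "if_required",
    "client max protocol": "NT1",
}

# Which pair of parameters governs which client paths (from the advisory).
PAIRS = {
    "winbindd and DCERPC tools": ("client ipc signing", "client ipc max protocol"),
    "smbclient-style tools": ("client signing", "client max protocol"),
}


def _proto_rank(name: str) -> int:
    name = name.strip().upper()
    return PROTOCOL_ORDER.index(PROTOCOL_ALIASES.get(name, name))


def _signing_required(value: str) -> bool:
    return value.strip().lower() in ("mandatory", "required")


def effective_globals(smb_conf_text: str) -> dict:
    """Merge [global] over the defaults; the literal value 'default'
    resolves to the effective default as well."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(smb_conf_text)
    eff = dict(DEFAULTS)
    if cp.has_section("global"):
        for key, value in cp["global"].items():
            if key in eff and value.strip().lower() != "default":
                eff[key] = value.strip()
    return eff


def classify(smb_conf_text: str) -> dict:
    """Return one status per client path:
    'signing downgradable'  - signing required and SMB2/3 negotiable
    'signing over smb1'     - signing required but capped at NT1 (workaround)
    'signing not required'  - unprotected regardless of this issue"""
    eff = effective_globals(smb_conf_text)
    out = {}
    for path, (sign_key, proto_key) in PAIRS.items():
        if not _signing_required(eff[sign_key]):
            out[path] = "signing not required"
        elif _proto_rank(eff[proto_key]) > _proto_rank("NT1"):
            out[path] = "signing downgradable"
        else:
            out[path] = "signing over smb1"
    return out


# Constructed sample configurations.
DEFAULT_CONF = "[global]\nworkgroup = EXAMPLE\n"
WORKAROUND_CONF = ("[global]\nclient ipc max protocol = NT1\n"
                   "client signing = mandatory\n")
HARDENED_TOOLS_CONF = ("[global]\nclient signing = required\n"
                       "client max protocol = SMB3\n")

if __name__ == "__main__":
    for name, text in (("default", DEFAULT_CONF), ("workaround", WORKAROUND_CONF),
                       ("tools on SMB3", HARDENED_TOOLS_CONF)):
        print(name, classify(text))
```

The default configuration shows why winbindd is the primary concern: it is the one path that requires signing and negotiates SMB3 out of the box, while the smbclient-style tools are simply unsigned unless an administrator opted them in.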

Credits

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org),
who also provided the fixes.
