Weak authentication protocol allowed.

ID SAMBA:CVE-2018-1139
Type samba
Reporter Samba
Modified 2018-08-14T00:00:00


Samba releases 4.7.0 to 4.8.3 (inclusive) contain an error which allows authentication using NTLMv1 over an SMB1 transport (either directory or via NETLOGON SamLogon calls from a member server), even when NTLMv1 is explicitly disabled on the server. Normally, the use of NTLMv1 is disabled by default in favor of NTLMv2. This has been the default since Samba 4.5. A code restructuring in the NTLM authentication implementation of Samba in 4.7.0 caused this regression to occur. Additionally, it is the responsbility of the client to send the strongest authentication hash possible. The server-side restrictions primarily aid in ensuring consistent client policy. Because by default clients using SMB2 or SMB1 when SPNEGO or NTLMSSP is in use will chose a more recent authentication dialect (at least so-called NTLM2 session security, and typically NTLMv2), this oversight impacts only extreme mis-configurations or legacy clients on early dialects of SMB1.