Bug 1095048 (CVE-2018-1139)

Summary: VUL-0: CVE-2018-1139: samba: ntlmv1 auth available although disabled
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: James McDonough <jmcdonough>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: aaptel, david.mulder, nopower, samba, scabrero, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/206644/
Whiteboard: CVSSv3:SUSE:CVE-2018-1139:5.8:(AV:A/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 12 Marcus Meissner 2018-08-14 09:00:44 UTC
is now public

https://www.samba.org/samba/security/CVE-2018-1139.html


CVE-2018-1139.html

===========================================================
== Subject:     Weak authentication protocol allowed.
==
== CVE ID#:     CVE-2018-1139
==
== Versions:    Samba 4.7.0 - 4.8.3 (inclusive)
==
== Summary:     Samba 4.7 and 4.8 are affected by a vulnerability
==              that allows authentication via NTLMv1 even if disabled.
==
===========================================================

===========
Description
===========

Samba releases 4.7.0 to 4.8.3 (inclusive) contain an error which
allows authentication using NTLMv1 over an SMB1 transport (either
directly or via NETLOGON SamLogon calls from a member server), even
when NTLMv1 is explicitly disabled on the server.

Normally, the use of NTLMv1 is disabled by default in favor of NTLMv2.
This has been the default since Samba 4.5. A code restructuring in the
NTLM authentication implementation of Samba in 4.7.0 caused this
regression to occur.

Additionally, it is the responsibility of the client to send the
strongest authentication hash possible.  The server-side restrictions
primarily aid in ensuring consistent client policy.

Because by default clients using SMB2 or SMB1 when SPNEGO or NTLMSSP
is in use will choose a more recent authentication dialect (at least
so-called NTLM2 session security, and typically NTLMv2), this
oversight impacts only extreme mis-configurations or legacy clients
on early dialects of SMB1.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba versions 4.7.9 and 4.8.4 have been released with fixes for
this issue.

==========
Workaround
==========

None

=======
Credits
=======

This vulnerability was found by Vivek Das from Red
Hat and was fixed by Stefan Metzmacher of SerNet and the Samba team
and Andrew Bartlett of Catalyst and the Samba team.
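The version facts in the advisory above (affected 4.7.0 - 4.8.3, fixed in 4.7.9 and 4.8.4), turned into a check a defender can run against inventory data. This is an added example, not code from the advisory, from Samba or from SUSE; the fixed SUSE package string is the one listed in the update notice in this bug, the installed package strings in the test are constructed, and the release ordering is a simplified comparison, not full RPM version semantics.

```python
import re
from typing import Optional, Tuple

# Affected upstream releases from the advisory: 4.7.0 - 4.8.3 inclusive.
# Fixes shipped as 4.7.9 and 4.8.4, so 4.7.9 must not fall inside the
# range even though it sorts below 4.8.3: use two branch-specific ranges.
AFFECTED_RANGES = (((4, 7, 0), (4, 7, 8)), ((4, 8, 0), (4, 8, 3)))
# Fixed SUSE package taken from the SUSE-SU-2018:2318-1 notice in this bug.
SUSE_FIXED_PKG = "samba-4.7.8+git.86.94b6d10f7dd-4.15.1"


def parse_samba_version(s: str) -> Optional[Tuple[int, ...]]:
    """Upstream major.minor.patch from '4.8.3' or a distro string such as
    '4.7.8+git.86.94b6d10f7dd-4.15.1'; None if it does not start that way."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", s.strip())
    return tuple(int(x) for x in m.groups()) if m else None


def upstream_affected(version: str) -> Optional[bool]:
    """Range check against the advisory. For distro packages this only says
    the *base* version is in range; backports are judged by package_fixed."""
    v = parse_samba_version(version)
    if v is None:
        return None
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def split_nvr(pkg: str) -> Tuple[str, str, str]:
    """Split RPM-style 'name-version-release' on the last two dashes."""
    name_version, release = pkg.rsplit("-", 1)
    name, version = name_version.rsplit("-", 1)
    return name, version, release


def release_key(release: str) -> tuple:
    """Simplified ordering: numeric tokens as ints, others (e.g. 'lp150') as
    text. Good enough for the release fields on this page, not rpmvercmp."""
    return tuple((0, int(t)) if t.isdigit() else (1, t) for t in release.split("."))


def package_fixed(installed: str, fixed: str = SUSE_FIXED_PKG) -> Optional[bool]:
    """True if the installed distro package is at or above the fixed build.
    Backports keep the upstream version (4.7.8 here), so the release field
    decides; a different name or base version cannot be judged -> None."""
    n1, v1, r1 = split_nvr(installed)
    n2, v2, r2 = split_nvr(fixed)
    if n1 != n2 or v1 != v2:
        return None
    return release_key(r1) >= release_key(r2)
```

A distro package whose upstream base is in range (4.7.8 here) is only clear once package_fixed confirms the release is at or above the one named in the vendor notice.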
Comment 13 Swamp Workflow Management 2018-08-14 13:08:02 UTC
SUSE-SU-2018:2318-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
Comment 14 Swamp Workflow Management 2018-08-17 10:12:38 UTC
openSUSE-SU-2018:2400-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
openSUSE Leap 15.0 (src):    samba-4.7.8+git.86.94b6d10f7dd-lp150.3.6.1
Comment 15 James McDonough 2018-10-01 10:04:58 UTC
shipped