Bug 1058565 - (CVE-2017-12151) VUL-0: CVE-2017-12151: samba: Keep required encryption across SMB3 dfs redirects
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Importance: P3 - Medium : Normal
Assigned To: The 'Opening Windows to a Wider World' guys
Security Team bot
https://smash.suse.de/issue/191975/
CVSSv2:SUSE:CVE-2017-12151:7.3:(AV:A/...
Reported: 2017-09-13 16:08 UTC by Marcus Meissner
Modified: 2019-05-01 13:56 UTC

Comment 1 Marcus Meissner 2017-09-13 19:57:46 UTC
CRD: 2017-09-20
Comment 3 Bernhard Wiedemann 2017-09-20 14:00:50 UTC
This is an autogenerated message for OBS integration:
This bug (1058565) was mentioned in
https://build.opensuse.org/request/show/527524 Factory / samba
Comment 4 Marcus Meissner 2017-09-20 14:34:12 UTC
Is public now.

https://www.samba.org/samba/security/CVE-2017-12151.html


CVE-2017-12151.html:

===============================================================================
== Subject:     SMB3 connections don't keep encryption across DFS redirects
==
== CVE ID#:     CVE-2017-12151
==
== Versions:    Samba 4.1.0 to 4.6.7
==
== Summary:     A man in the middle attack can read and may alter confidential
==              documents transferred via a client connection, which are reached
==              via DFS redirect when the original connection used SMB3.
==
================================================================================

===========
Description
===========

Client command line tools like 'smbclient' as well as applications
using 'libsmbclient' library have support for requiring
encryption. This is activated by the '-e|--encrypt' command line
option or the smbc_setOptionSmbEncryptionLevel() library call.

By default, only SMB1 is used in order to connect to a server, as the
effective default for the "client max protocol" smb.conf option as well
as for the "-m|--max-protocol=" command line option is "NT1".

If the original client connection used encryption, following DFS
redirects to another server should also enforce encryption. This is
important as these redirects are transparent to the application.

In the case where "SMB3", "SMB3_00", "SMB3_02", "SMB3_10" or "SMB3_11"
was used as max protocol and a connection actually made use of the
SMB3 encryption, any redirected connection would lose the requirement
for encryption and also the requirement for signing.  That means, a
man in the middle could read and/or alter the content of the
connection.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.6.8, 4.5.14 and 4.4.16 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

Keep the default of "client max protocol = NT1".

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher
of SerNet (https://samba.plus) and the Samba Team
(https://www.samba.org), who also provides the fixes.
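
Added example (not part of the advisory or of the Samba or SUSE code): a precondition check for the issue described above, combining the advisory's affected version range and fixed releases with the "client max protocol" setting in the [global] section of smb.conf. The function names and the sample configuration are constructed for illustration; the version test applies to upstream version numbers only, since the SUSE packages listed in this bug ship the fix under older version strings.

```python
import re

# Max-protocol values the advisory names as triggering the issue.
SMB3_DIALECTS = {"SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"}
# First fixed upstream release per branch, from "Patch Availability".
FIXED_PATCH = {(4, 4): 16, (4, 5): 14, (4, 6): 8}


def upstream_affected(version):
    """True if an upstream Samba version is in 4.1.0..4.6.7 and unfixed."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised version: %r" % version)
    major, minor, patch = (int(x) for x in m.groups())
    if not (4, 1, 0) <= (major, minor, patch) <= (4, 6, 7):
        return False
    fixed = FIXED_PATCH.get((major, minor))
    return fixed is None or patch < fixed


def client_max_protocol(smb_conf_text):
    """Return the [global] 'client max protocol' value, upper-cased.

    Parameter names are matched ignoring case and whitespace. The last
    assignment wins. 'include' files are not followed (assumption: the
    caller passes the fully resolved configuration text).
    """
    section, value = None, "NT1"  # advisory: effective default is NT1
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, _, val = line.partition("=")
            if re.sub(r"\s+", "", name).lower() == "clientmaxprotocol":
                value = val.strip().upper()
    return value


def exposed(version, smb_conf_text):
    """Affected upstream version AND an SMB3 client max protocol."""
    return (upstream_affected(version)
            and client_max_protocol(smb_conf_text) in SMB3_DIALECTS)


# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    Client Max Protocol = smb3_11
"""
```

The check covers smb.conf only: a per-invocation "-m|--max-protocol=" value overrides the file, so a clean result does not cover tools started with an SMB3 max protocol on the command line.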
Comment 6 Swamp Workflow Management 2017-10-05 19:08:03 UTC
SUSE-SU-2017:2650-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1042419,1044084,1050707,1058565,1058622,1058624
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.4.2-38.11.2
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.4.2-38.11.2
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.4.2-38.11.2
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-38.11.2
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.4.2-38.11.2
Comment 7 Swamp Workflow Management 2017-10-10 19:09:27 UTC
SUSE-SU-2017:2695-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050707,1058565,1058622,1058624
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    samba-4.6.7+git.51.327af8d0a11-3.12.1
SUSE Linux Enterprise Server 12-SP3 (src):    samba-4.6.7+git.51.327af8d0a11-3.12.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.7+git.51.327af8d0a11-3.12.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    samba-4.6.7+git.51.327af8d0a11-3.12.1
Comment 8 Swamp Workflow Management 2017-10-11 19:08:54 UTC
SUSE-SU-2017:2704-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1042419,1058565,1058622,1058624
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.44.2
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.44.2
Comment 9 Swamp Workflow Management 2017-10-11 22:10:50 UTC
openSUSE-SU-2017:2706-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1050707,1058565,1058622,1058624
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Sources used:
openSUSE Leap 42.3 (src):    samba-4.6.7+git.51.327af8d0a11-6.1
Comment 10 Swamp Workflow Management 2017-10-11 22:21:17 UTC
openSUSE-SU-2017:2713-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1042419,1044084,1050707,1058565,1058622,1058624
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Sources used:
openSUSE Leap 42.2 (src):    samba-4.4.2-11.12.1
Comment 11 Swamp Workflow Management 2017-10-14 19:10:14 UTC
SUSE-SU-2017:2726-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1042419,1058565,1058622,1058624
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Sources used:
SUSE OpenStack Cloud 6 (src):    samba-4.2.4-28.19.3
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    samba-4.2.4-28.19.3
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    samba-4.2.4-28.19.3
Comment 12 Samuel Cabrero 2017-10-18 10:10:43 UTC
Can we close this now? I think it has been released for all products.
Comment 13 Marcus Meissner 2017-10-18 11:22:39 UTC
Usually, if you have submitted everything, you reassign to security-team and we close it then.

It looks like we are all done here, so we can close.
Comment 14 Swamp Workflow Management 2017-11-10 14:08:10 UTC
SUSE-SU-2017:2971-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (moderate)
Bug References: 1042419,1058565,1058622,1058624,1064016,1065892
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163
Sources used:
SUSE OpenStack Cloud 6 (src):    samba-4.2.4-28.21.1
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.2.4-28.21.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    samba-4.2.4-28.21.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.2.4-28.21.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.2.4-28.21.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    samba-4.2.4-28.21.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.2.4-28.21.1
Comment 15 Swamp Workflow Management 2017-11-30 02:12:08 UTC
openSUSE-SU-2017:3143-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1058565,1058622,1058624,1060427,1063008,1065066
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163,CVE-2017-14746,CVE-2017-15275
Sources used:
openSUSE Leap 42.3 (src):    samba-4.6.9+git.59.c2cff9cea4c-9.1
Comment 16 Swamp Workflow Management 2017-11-30 11:19:38 UTC
SUSE-SU-2017:3155-1: An update that solves 5 vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1058565,1058622,1058624,1060427,1063008,1065066
CVE References: CVE-2017-12150,CVE-2017-12151,CVE-2017-12163,CVE-2017-14746,CVE-2017-15275
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Linux Enterprise Server 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1
SUSE Enterprise Storage 5 (src):    samba-4.6.9+git.59.c2cff9cea4c-3.17.1