Bug 973036 - (CVE-2016-2115) VUL-0: CVE-2016-2115: samba: SMB client connections for IPC traffic are not integrity protected
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Security Team bot
maint:running:62619:important CVSSv2:...
Reported: 2016-03-29 15:20 UTC by Marcus Meissner
Modified: 2017-09-20 14:48 UTC

Comment 1 Marcus Meissner 2016-04-04 08:29:56 UTC
==================================================================================
== Subject:     SMB client connections for IPC traffic are not integrity protected
==
== CVE ID#:     CVE-2016-2115
==
== Versions:    Samba 3.0.0 to 4.4.0
==
== Summary:     The protection of DCERPC communication over ncacn_np
==              (which is the default for most of the file server related protocols)
==              is inherited from the underlying SMB connection.
==              Samba doesn't enforce SMB signing for this kind of
==              SMB connections by default, which makes man in the middle
==              attacks possible.
==
=================================================================================

===========
Description
===========

Samba has an option called "client signing"; this is turned off by default
for performance reasons on file transfers.

This option is also used when using DCERPC with ncacn_np.

In order to get integrity protection for ipc related communication
by default the "client ipc signing" option is introduced.
The effective default for this new option is "mandatory".

In order to be compatible with more SMB server implementations,
the following additional options are introduced:
"client ipc min protocol" ("NT1" by default) and
"client ipc max protocol" (the highest supported SMB2/3 dialect by default).
These options overwrite the "client min protocol" and "client max protocol"
options, because the default for "client max protocol" is still "NT1".
The reason for this is the fact that all SMB2/3 support SMB signing,
while there are still SMB1 implementations which don't offer SMB signing
by default (this includes Samba versions before 4.0.0).

Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
against active directory domain controllers despite the
"client signing" and "client ipc signing" options.

===================
New smb.conf option
===================

  client ipc signing (G)

    This controls whether the client is allowed or required to use
    SMB signing for IPC$ connections as DCERPC transport. Possible
    values are auto, mandatory and disabled.

    When set to mandatory or default, SMB signing is required.

    When set to auto, SMB signing is offered, but not enforced and
    if set to disabled, SMB signing is not offered either.

    Connections from winbindd to Active Directory Domain Controllers
    always enforce signing.

    Default: client ipc signing = default

  client ipc max protocol (G)

    The value of the parameter (a string) is the highest protocol level that will
    be supported for IPC$ connections as DCERPC transport.

    Normally this option should not be set as the automatic negotiation phase
    in the SMB protocol takes care of choosing the appropriate protocol.

    The value default refers to the latest supported protocol, currently SMB3_11.

    See client max protocol for a full list of available protocols.
    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

    Default: client ipc max protocol = default

    Example: client ipc max protocol = SMB2_10

  client ipc min protocol (G)

    This setting controls the minimum protocol version that will be
    attempted for IPC$ connections as DCERPC transport.

    Normally this option should not be set as the automatic negotiation phase
    in the SMB protocol takes care of choosing the appropriate protocol.

    The value default refers to the higher value of NT1 and the
    effective value of "client min protocol".

    See client max protocol for a full list of available protocols.
    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

    Default: client ipc min protocol = default

    Example: client ipc min protocol = SMB3_11

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

An explicit "client signing = mandatory" in the [global].

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
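
Added example (not part of the Samba advisory or of this bug report): a minimal Python check that reads the [global] section of an smb.conf and reports whether SMB signing is enforced for IPC$ connections, using the value semantics quoted in the advisory above. The function names, the `patched` flag and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample configuration, not taken from any real system.
SAMPLE_SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    client signing = auto
    ; constructed weak setting: signing offered but not enforced for IPC$
    client ipc signing = auto
    client ipc min protocol = NT1
[share]
    path = /srv/share
"""

def parse_global(text):
    """Return the [global] parameters as {normalized name: value}."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # smb.conf parameter names ignore case and embedded whitespace
            params["".join(key.lower().split())] = value.strip().lower()
    return params

def audit_ipc_signing(text, patched=True):
    """List findings about client-side signing for IPC$ (DCERPC over ncacn_np).

    patched=True  : release that knows 'client ipc signing' (4.4.1, 4.3.7, 4.2.10)
    patched=False : older release, where only the advisory's workaround applies
    """
    g = parse_global(text)
    findings = []
    if not patched:
        if g.get("clientsigning") != "mandatory":
            findings.append("unpatched: set 'client signing = mandatory' in [global]")
        return findings
    ipc = g.get("clientipcsigning", "default")
    if ipc == "auto":
        findings.append("client ipc signing = auto: signing offered, not enforced")
    elif ipc == "disabled":
        findings.append("client ipc signing = disabled: signing not offered")
    elif ipc not in ("mandatory", "default"):
        findings.append(f"client ipc signing = {ipc}: not a value listed in the advisory")
    return findings
```

An empty result on a patched release means the effective setting is "mandatory" or "default", both of which require signing according to the option description above.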
Comment 7 Johannes Segitz 2016-04-12 17:55:25 UTC
Is public: https://www.samba.org/samba/security/CVE-2016-2115.html
Comment 9 Swamp Workflow Management 2016-04-12 22:11:27 UTC
SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Server 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Desktop 12 (src):    samba-4.2.4-18.17.1
Comment 10 Swamp Workflow Management 2016-04-12 22:13:11 UTC
SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-76.1
Comment 11 Swamp Workflow Management 2016-04-12 22:14:55 UTC
SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-16.1
Comment 12 Bernhard Wiedemann 2016-04-13 11:01:16 UTC
This is an autogenerated message for OBS integration:
This bug (973036) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba
Comment 13 Swamp Workflow Management 2016-04-13 12:09:34 UTC
openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-15.1
Comment 14 Bernhard Wiedemann 2016-04-13 15:01:08 UTC
This is an autogenerated message for OBS integration:
This bug (973036) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba
Comment 15 Swamp Workflow Management 2016-04-13 18:09:01 UTC
SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-52.1, samba-doc-3.6.3-52.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-52.1
Comment 16 Marcus Meissner 2016-04-14 08:27:55 UTC
statement from samba team:

CVE-2016-2115: Still researching.  It is likely to affect 3.4, but may
not be relevant to 3.0, mainly because the security mechanism to be
downgraded doesn't exist (meaning the version is inherently vulnerable
and cannot be fixed).

(not yet posting a note)
Comment 17 Swamp Workflow Management 2016-04-17 13:19:32 UTC
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1
Comment 18 Swamp Workflow Management 2016-04-20 10:11:06 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 19 Swamp Workflow Management 2016-04-20 10:14:08 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1
Comment 21 James McDonough 2016-05-08 11:39:30 UTC
are we done?
Comment 22 Marcus Meissner 2016-05-25 07:32:41 UTC
think so