Bug 973031 - (CVE-2016-2110) VUL-0: CVE-2016-2110: samba: NTLM-SSP auth. downgrade
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Version: unspecified
Hardware: Other  OS: Other
Priority: P2 - High  Severity: Major
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-2113:4.3:(AV:A...
Reported: 2016-03-29 15:15 UTC by Marcus Meissner
Modified: 2016-05-25 07:31 UTC (History)
Comment 1 Marcus Meissner 2016-04-04 08:25:58 UTC
==================================================================
== Subject:     Man in the middle attacks possible with NTLMSSP
==
== CVE ID#:     CVE-2016-2110
==
== Versions:    Samba 3.0.0 to 4.4.0
==
== Summary:     The feature negotiation of NTLMSSP is not
==              downgrade protected. A man in the middle is
==              able to clear even required flags, especially
==              NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL,
==              which has implications for encrypted LDAP traffic.
==
=================================================================

===========
Description
===========

There are several man in the middle attacks possible with
NTLMSSP authentication.

E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
can be cleared by a man in the middle.

This was by protocol design in earlier Windows versions.

Windows Server 2003 RTM and Vista RTM introduced a way
to protect against the trivial downgrade.

See MsvAvFlags and flag 0x00000002 in
https://msdn.microsoft.com/en-us/library/cc236646.aspx

This new feature also implies support for a mechlistMIC
when used within SPNEGO, which may prevent downgrades
from other SPNEGO mechs, e.g. Kerberos, if sign or
seal is finally negotiated.

The Samba implementation doesn't enforce the existence of
required flags, which were requested by the application layer,
e.g. LDAP or SMB1 encryption (via the unix extensions).
As a result a man in the middle can take over the connection.
It is also possible to misguide client and/or
server to send unencrypted traffic even if encryption
was explicitly requested.

LDAP (with NTLMSSP authentication) is used as a client
by various admin tools of the Samba project,
e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...

As an Active Directory member server, LDAP is also used
by the winbindd service when connecting to domain controllers.

Samba also offers an LDAP server when running as
Active Directory domain controller.

The NTLMSSP authentication used by the SMB1 encryption
is protected by smb signing, see CVE-2015-5296.

The following vulnerabilities are related:
CVE-2016-2112 and CVE-2016-2113

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
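The check the advisory above describes as missing, written here as an added example (not Samba's own code): parse the NegotiateFlags of an NTLMSSP CHALLENGE_MESSAGE and refuse to continue when flags the application layer required, such as SIGN and SEAL for an LDAP connection, are no longer present. Field offsets and flag values follow MS-NLMP; the challenge messages are constructed inline for the demonstration.

```python
import struct

NTLMSSP_SIGNATURE = b"NTLMSSP\x00"
NTLMSSP_CHALLENGE = 2  # MessageType of CHALLENGE_MESSAGE

# NegotiateFlags bits as defined in MS-NLMP section 2.2.2.5
NTLMSSP_NEGOTIATE_UNICODE = 0x00000001
NTLMSSP_NEGOTIATE_SIGN = 0x00000010
NTLMSSP_NEGOTIATE_SEAL = 0x00000020
NTLMSSP_NEGOTIATE_NTLM2 = 0x00080000  # extended session security

FLAG_NAMES = {NTLMSSP_NEGOTIATE_SIGN: "NTLMSSP_NEGOTIATE_SIGN",
              NTLMSSP_NEGOTIATE_SEAL: "NTLMSSP_NEGOTIATE_SEAL"}


def challenge_flags(msg: bytes) -> int:
    """Return the NegotiateFlags field (offset 20) of a CHALLENGE_MESSAGE."""
    if len(msg) < 48 or msg[:8] != NTLMSSP_SIGNATURE:
        raise ValueError("not an NTLMSSP CHALLENGE_MESSAGE")
    msg_type = struct.unpack_from("<I", msg, 8)[0]
    if msg_type != NTLMSSP_CHALLENGE:
        raise ValueError("expected message type 2, got %d" % msg_type)
    return struct.unpack_from("<I", msg, 20)[0]


def missing_required_flags(msg: bytes, required: int) -> list:
    """Names of flags the application layer required (e.g. SIGN|SEAL for
    LDAP) that are absent from the peer's flags.  A non-empty list means
    the negotiation was downgraded: abort instead of continuing unprotected."""
    missing = required & ~challenge_flags(msg)
    return [FLAG_NAMES.get(1 << i, hex(1 << i))
            for i in range(32) if missing & (1 << i)]


def build_challenge(flags: int) -> bytes:
    """Constructed minimal CHALLENGE_MESSAGE for testing only: empty
    TargetName and TargetInfo, fixed ServerChallenge, no Version field."""
    return (NTLMSSP_SIGNATURE
            + struct.pack("<I", NTLMSSP_CHALLENGE)
            + struct.pack("<HHI", 0, 0, 48)   # TargetNameFields (len, maxlen, offset)
            + struct.pack("<I", flags)        # NegotiateFlags
            + b"\x11" * 8                     # ServerChallenge (constructed value)
            + b"\x00" * 8                     # Reserved
            + struct.pack("<HHI", 0, 0, 48))  # TargetInfoFields


if __name__ == "__main__":
    required = NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL
    base = NTLMSSP_NEGOTIATE_UNICODE | NTLMSSP_NEGOTIATE_NTLM2
    print(missing_required_flags(build_challenge(base | required), required))  # []
    print(missing_required_flags(build_challenge(base), required))  # ['NTLMSSP_NEGOTIATE_SIGN', 'NTLMSSP_NEGOTIATE_SEAL']
```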
Comment 7 Johannes Segitz 2016-04-12 17:57:55 UTC
Is public: https://www.samba.org/samba/security/CVE-2016-2110.html
Comment 9 Swamp Workflow Management 2016-04-12 22:10:49 UTC
SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Server 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Desktop 12 (src):    samba-4.2.4-18.17.1
Comment 10 Swamp Workflow Management 2016-04-12 22:12:34 UTC
SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-76.1
Comment 11 Swamp Workflow Management 2016-04-12 22:14:21 UTC
SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-16.1
Comment 12 Bernhard Wiedemann 2016-04-13 11:00:47 UTC
This is an autogenerated message for OBS integration:
This bug (973031) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba
Comment 13 Swamp Workflow Management 2016-04-13 12:08:55 UTC
openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-15.1
Comment 14 Bernhard Wiedemann 2016-04-13 15:00:35 UTC
This is an autogenerated message for OBS integration:
This bug (973031) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba
Comment 15 Swamp Workflow Management 2016-04-13 18:08:27 UTC
SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-52.1, samba-doc-3.6.3-52.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-52.1
Comment 17 Swamp Workflow Management 2016-04-17 13:18:56 UTC
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1
Comment 18 Swamp Workflow Management 2016-04-19 19:08:19 UTC
SUSE-SU-2016:1105-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 913087,958582,973031,973032
CVE References: CVE-2015-5252,CVE-2016-2110,CVE-2016-2111
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    samba-3.0.36-0.13.32.1, samba-doc-3.0.36-0.12.32.1
Comment 19 Swamp Workflow Management 2016-04-20 10:10:11 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 20 Swamp Workflow Management 2016-04-20 10:13:17 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1
Comment 22 James McDonough 2016-05-08 11:32:47 UTC
are we done here?
Comment 23 Marcus Meissner 2016-05-25 07:31:55 UTC
think so