Bug 973032 - (CVE-2016-2111) VUL-0: CVE-2016-2111: samba: Microsoft's NETLOGON spoofing
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P2 - High, Severity: Major
Assigned To: Security Team bot
CVSSv2:RedHat:CVE-2016-2111:4.3:(AV:N...
Reported: 2016-03-29 15:16 UTC by Marcus Meissner
Modified: 2019-08-16 17:15 UTC
Comment 1 Marcus Meissner 2016-03-29 15:16:46 UTC
samba bug 11749
Comment 2 Marcus Meissner 2016-04-04 08:24:39 UTC
(EMBARGOED ADVISORY TEXT)
==================================================================
== Subject:     NETLOGON Spoofing Vulnerability.
==
== CVE ID#:     CVE-2016-2111
==
== Versions:    Samba 3.0.0 to 4.4.0
==
== Summary:     When Samba is configured as Domain Controller it allows remote
==              attackers to spoof the computer name of a secure channel's
==              endpoints, and obtain sensitive session information, by running a
==              crafted application and leveraging the ability to sniff network
==              traffic.
==
=================================================================

===========
Description
===========

It's basically the same as CVE-2015-0005 for Windows:

  The NETLOGON service in Microsoft Windows Server 2003 SP2,
  Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
  and R2, when a Domain Controller is configured, allows remote
  attackers to spoof the computer name of a secure channel's
  endpoint, and obtain sensitive session information, by running a
  crafted application and leveraging the ability to sniff network
  traffic, aka "NETLOGON Spoofing Vulnerability".

The vulnerability in Samba is worse as it doesn't require
credentials of a computer account in the domain.

This only applies to Samba running as classic primary domain controller,
classic backup domain controller or active directory domain controller.

The security patches introduce a new option called "raw NTLMv2 auth"
("yes" or "no") for the [global] section in smb.conf.
Samba (the smbd process) will reject clients using raw NTLMv2
without using NTLMSSP.

Note that this option also applies to Samba running as
standalone server and member server.

You should also consider using "lanman auth = no" (which is already the default)
and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
as they might impact compatibility with older clients. These also
apply for all server roles.

===================
New smb.conf option
===================

  raw NTLMv2 auth (G)

    This parameter determines whether or not smbd(8) will allow SMB1 clients
    without extended security (without SPNEGO) to use NTLMv2 authentication.

    If this option, lanman auth and ntlm auth are all disabled, then only
    clients with SPNEGO support will be permitted. That means NTLMv2 is only
    supported within NTLMSSP.

    Default: raw NTLMv2 auth = no

================
Behavior changes
================

  The following constraints are applied to SMB1 connections:

  - "client lanman auth = yes" is now consistently
    required for authenticated connections using the
    SMB1 LANMAN2 dialect.
  - "client ntlmv2 auth = yes" and "client use spnego = yes"
    (both the default values), require extended security (SPNEGO)
    support from the server. That means NTLMv2 is only used within
    NTLMSSP.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======

This vulnerability was discovered and researched by Alberto Solino from Core
Security, but he only reported it against Windows as CVE-2015-0005.

Stefan Metzmacher of SerNet (https://samba.plus) and the Samba Team
(https://www.samba.org) provide the fixes in collaboration with the Samba Team.
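Added example (not part of this bug report or of the Samba advisory): a Python audit of the [global] section for the three options the advisory in comment 2 names, reporting whether only SPNEGO-capable clients are permitted. It assumes smb.conf's case- and whitespace-insensitive parameter names, treats an unset "ntlm auth" as unknown because the advisory states no default for it, and runs on a constructed sample config.

```python
import re

# Defaults as stated in the advisory text. "ntlm auth" has no default stated
# there, so an unset value is reported as None (assumption of this example).
DEFAULTS = {"rawntlmv2auth": False, "lanmanauth": False, "ntlmauth": None}
BOOLS = {**dict.fromkeys(("yes", "true", "1", "on"), True),
         **dict.fromkeys(("no", "false", "0", "off"), False)}

# Constructed sample configuration, not taken from any real system.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   Raw NTLMv2 Auth = yes
   ; lanman auth = yes
   ntlm auth = no
[share]
   raw ntlmv2 auth = no
"""

def norm(name):
    # smb.conf names are case-insensitive and ignore internal whitespace.
    return re.sub(r"\s+", "", name).lower()

def global_params(text):
    """Return {normalized name: raw value} for the [global] section only."""
    params, section = {}, None
    text = re.sub(r"\\\r?\n", "", text)  # join backslash-continued lines
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = norm(m.group(1))
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[norm(key)] = value.strip()  # last occurrence wins
    return params

def audit(text):
    """Resolve the three options and derive the SPNEGO-only state."""
    params = global_params(text)
    # Unset -> advisory default; non-boolean value -> None (review by hand).
    state = {k: d if params.get(k) is None else BOOLS.get(params[k].lower())
             for k, d in DEFAULTS.items()}
    # Advisory: only with all three disabled are clients limited to SPNEGO.
    state["spnego_only"] = all(v is False for v in state.values())
    return state

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A `None` result for an option means the file does not settle it; resolve that by setting the option explicitly or by checking the effective value on the host.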
Comment 8 Johannes Segitz 2016-04-12 17:57:26 UTC
Is public: https://www.samba.org/samba/security/CVE-2016-2111.html
Comment 10 Swamp Workflow Management 2016-04-12 22:11:00 UTC
SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Server 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Desktop 12 (src):    samba-4.2.4-18.17.1
Comment 11 Swamp Workflow Management 2016-04-12 22:12:42 UTC
SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-76.1
Comment 12 Swamp Workflow Management 2016-04-12 22:14:30 UTC
SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-16.1
Comment 13 Bernhard Wiedemann 2016-04-13 11:00:53 UTC
This is an autogenerated message for OBS integration:
This bug (973032) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba
Comment 14 Swamp Workflow Management 2016-04-13 12:09:05 UTC
openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-15.1
Comment 15 Bernhard Wiedemann 2016-04-13 15:00:41 UTC
This is an autogenerated message for OBS integration:
This bug (973032) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba
Comment 16 Swamp Workflow Management 2016-04-13 18:08:36 UTC
SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-52.1, samba-doc-3.6.3-52.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-52.1
Comment 18 Swamp Workflow Management 2016-04-17 13:19:05 UTC
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1
Comment 19 Swamp Workflow Management 2016-04-19 19:08:31 UTC
SUSE-SU-2016:1105-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 913087,958582,973031,973032
CVE References: CVE-2015-5252,CVE-2016-2110,CVE-2016-2111
Sources used:
SUSE Linux Enterprise Server 10 SP4 LTSS (src):    samba-3.0.36-0.13.32.1, samba-doc-3.0.36-0.12.32.1
Comment 20 Swamp Workflow Management 2016-04-20 10:10:20 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 21 Swamp Workflow Management 2016-04-20 10:13:26 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1
Comment 23 James McDonough 2016-05-08 11:34:27 UTC
are we done?
Comment 24 Marcus Meissner 2016-05-25 07:32:05 UTC
think so