Bugzilla – Bug 973032
VUL-0: CVE-2016-2111: samba: Microsoft's NETLOGON spoofing
Last modified: 2019-08-16 17:15:07 UTC
samba bug 11749
(EMBARGOED ADVISORY TEXT) ================================================================== == Subject: NETLOGON Spoofing Vulnerability. == == CVE ID#: CVE-2016-2111 == == Versions: Samba 3.0.0 to 4.4.0 == == Summary: When Samba is configured as Domain Controller it allows remote == attackers to spoof the computer name of a secure channel's == endpoints, and obtain sensitive session information, by running a == crafted application and leveraging the ability to sniff network == traffic. == ================================================================= =========== Description =========== It's basically the same as CVE-2015-0005 for Windows: The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain Controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, aka "NETLOGON Spoofing Vulnerability". The vulnerability in Samba is worse as it doesn't require credentials of a computer account in the domain. This only applies to Samba running as classic primary domain controller, classic backup domain controller or active directory domain controller. The security patches introduce a new option called "raw NTLMv2 auth" ("yes" or "no") for the [global] section in smb.conf. Samba (the smbd process) will reject client using raw NTLMv2 without using NTLMSSP. Note that this option also applies to Samba running as standalone server and member server. You should also consider using "lanman auth = no" (which is already the default) and "ntlm auth = no". Have a look at the smb.conf manpage for further details, as they might impact compatibility with older clients. These also apply for all server roles. =================== New smb.conf option =================== raw NTLMv2 auth (G) This parameter determines whether or not smbd(8) will allow SMB1 clients without extended security (without SPNEGO) to use NTLMv2 authentication. If this option, lanman auth and ntlm auth are all disabled, then only clients with SPNEGO support will be permitted. That means NTLMv2 is only supported within NTLMSSP. Default: raw NTLMv2 auth = no ================ Behavior changes ================ The following constraints are applied to SMB1 connections: - "client lanman auth = yes" is now consistently required for authenticated connections using the SMB1 LANMAN2 dialect. - "client ntlmv2 auth = yes" and "client use spnego = yes" (both the default values), require extended security (SPNEGO) support from the server. That means NTLMv2 is only used within NTLMSSP. ================== Patch Availability ================== A patch addressing this defect has been posted to https://www.samba.org/samba/security/ Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as security releases to correct the defect. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== None. ======= Credits ======= This vulnerability was discovered and researched by Alberto Solino from Core Security, but only reported it against Windows as CVE-2015-0005. Stefan Metzmacher of SerNet (https://samba.plus) and the Samba Team (https://www.samba.org) provides the fixes in collaboration with the Samba Team.
Is public: https://www.samba.org/samba/security/CVE-2016-2111.html
SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available. Category: security (important) Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629 CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118 Sources used: SUSE Linux Enterprise Software Development Kit 12 (src): samba-4.2.4-18.17.1 SUSE Linux Enterprise Server 12 (src): samba-4.2.4-18.17.1 SUSE Linux Enterprise High Availability 12 (src): samba-4.2.4-18.17.1 SUSE Linux Enterprise Desktop 12 (src): samba-4.2.4-18.17.1
SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 936862,967017,971965,973031,973032,973033,973034,973036 CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118 Sources used: SUSE OpenStack Cloud 5 (src): samba-3.6.3-76.1, samba-doc-3.6.3-76.2 SUSE Manager Proxy 2.1 (src): samba-3.6.3-76.1, samba-doc-3.6.3-76.2 SUSE Manager 2.1 (src): samba-3.6.3-76.1, samba-doc-3.6.3-76.2 SUSE Linux Enterprise Software Development Kit 11-SP4 (src): samba-3.6.3-76.1 SUSE Linux Enterprise Software Development Kit 11-SP3 (src): samba-3.6.3-76.1 SUSE Linux Enterprise Server 11-SP4 (src): samba-3.6.3-76.1, samba-doc-3.6.3-76.2 SUSE Linux Enterprise Server 11-SP3-LTSS (src): samba-3.6.3-76.1, samba-doc-3.6.3-76.2 SUSE Linux Enterprise Debuginfo 11-SP4 (src): samba-3.6.3-76.1 SUSE Linux Enterprise Debuginfo 11-SP3 (src): samba-3.6.3-76.1
SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629 CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118 Sources used: SUSE Linux Enterprise Software Development Kit 12-SP1 (src): samba-4.2.4-16.1 SUSE Linux Enterprise Server 12-SP1 (src): samba-4.2.4-16.1 SUSE Linux Enterprise High Availability 12-SP1 (src): samba-4.2.4-16.1 SUSE Linux Enterprise Desktop 12-SP1 (src): samba-4.2.4-16.1
This is an autogenerated message for OBS integration: This bug (973032) was mentioned in https://build.opensuse.org/request/show/389319 13.2 / samba
openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available. Category: security (important) Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629 CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118 Sources used: openSUSE Leap 42.1 (src): samba-4.2.4-15.1
This is an autogenerated message for OBS integration: This bug (973032) was mentioned in https://build.opensuse.org/request/show/389520 Factory / samba
SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available. Category: security (important) Bug References: 936862,967017,971965,973031,973032,973033,973034,973036 CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118 Sources used: SUSE Linux Enterprise Server 11-SP2-LTSS (src): samba-3.6.3-52.1, samba-doc-3.6.3-52.1 SUSE Linux Enterprise Debuginfo 11-SP2 (src): samba-3.6.3-52.1
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available. Category: security (important) Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629 CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118 Sources used: openSUSE 13.2 (src): samba-4.2.4-34.1
SUSE-SU-2016:1105-1: An update that solves three vulnerabilities and has one errata is now available. Category: security (important) Bug References: 913087,958582,973031,973032 CVE References: CVE-2015-5252,CVE-2016-2110,CVE-2016-2111 Sources used: SUSE Linux Enterprise Server 10 SP4 LTSS (src): samba-3.0.36-0.13.32.1, samba-doc-3.0.36-0.12.32.1
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available. Category: security (important) Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036 CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118 Sources used: openSUSE 13.1 (src): samba-4.2.4-3.54.2
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available. Category: security (important) Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036 CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118 Sources used: openSUSE Evergreen 11.4 (src): samba-3.6.3-141.1, samba-doc-3.6.3-141.1
are we done?
think so