Bug 973033 - (CVE-2016-2112) VUL-0: CVE-2016-2112: samba: The LDAP client and server don't enforce integrity protection
(CVE-2016-2112)
VUL-0: CVE-2016-2112: samba: The LDAP client and server don't enforce integri...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
CVSSv2:RedHat:CVE-2016-2112:5.8:(AV:N...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-29 15:18 UTC by Marcus Meissner
Modified: 2017-09-14 22:40 UTC (History)
9 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Marcus Meissner 2016-04-04 08:28:07 UTC
=============================================================================
== Subject:     The LDAP client and server don't enforce integrity protection
==
== CVE ID#:     CVE-2016-2112
==
== Versions:    Samba 3.0.0 to 4.4.0
==
== Summary:     A man in the middle is able to downgrade LDAP connections
==              to no integrity protection. It's possible to attack
==              client and server with this.
==
=============================================================================

===========
Description
===========

Samba uses various LDAP client libraries, a builtin one and/or the system
ldap libraries (typically openldap).

As active directory domain controller Samba also provides an LDAP server.

Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)
protection.

Samba has support for an option called "client ldap sasl wrapping" since version
3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.

Tools using the builtin LDAP client library do not obey the
"client ldap sasl wrapping" option. This applies to tools like:
"samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
options like "--sign" and "--encrypt". With the security update they will
also obey the "client ldap sasl wrapping" option as default.

In all cases, even if explicitly request via "client ldap sasl wrapping",
"--sign" or "--encrypt", the protection can be downgraded by a man in the
middle.

The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth", possible values are "no",
"allow_sasl_over_tls" and "yes".

As the default behavior was as "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.

===================
New smb.conf option
===================

  ldap server require strong auth (G)

    The ldap server require strong auth defines whether the
    ldap server requires ldap traffic to be signed or
    signed and encrypted (sealed). Possible values are no,
    allow_sasl_over_tls and yes.

    A value of no allows simple and sasl binds over all transports.

    A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
    over TLS encrypted connections. Unencrypted connections only
    allow sasl binds with sign or seal.

    A value of yes allows only simple binds over TLS encrypted connections.
    Unencrypted connections only allow sasl binds with sign or seal.

    Default: ldap server require strong auth = yes

================
Behavior changes
================

  Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
  default of "client ldap sasl wrapping = sign". Even with
  "client ldap sasl wrapping = plain" they will automatically upgrade
  to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
  server.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.
==========
Workaround
==========

None.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
Comment 11 Johannes Segitz 2016-04-12 17:56:53 UTC
Is public: https://www.samba.org/samba/security/CVE-2016-2112.html
Comment 13 Swamp Workflow Management 2016-04-12 22:11:08 UTC
SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Server 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Desktop 12 (src):    samba-4.2.4-18.17.1
Comment 14 Swamp Workflow Management 2016-04-12 22:12:52 UTC
SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-76.1
Comment 15 Swamp Workflow Management 2016-04-12 22:14:38 UTC
SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-16.1
Comment 16 Bernhard Wiedemann 2016-04-13 11:00:58 UTC
This is an autogenerated message for OBS integration:
This bug (973033) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba
Comment 17 Swamp Workflow Management 2016-04-13 12:09:15 UTC
openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-15.1
Comment 18 Bernhard Wiedemann 2016-04-13 15:00:48 UTC
This is an autogenerated message for OBS integration:
This bug (973033) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba
Comment 19 Swamp Workflow Management 2016-04-13 18:08:44 UTC
SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-52.1, samba-doc-3.6.3-52.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-52.1
Comment 20 Swamp Workflow Management 2016-04-17 13:19:14 UTC
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1
Comment 21 Swamp Workflow Management 2016-04-20 10:10:31 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 22 Swamp Workflow Management 2016-04-20 10:13:37 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1
Comment 24 James McDonough 2016-05-08 11:34:51 UTC
are we done?
Comment 25 Marcus Meissner 2016-05-25 07:32:17 UTC
think so
Comment 27 James McDonough 2017-09-14 12:56:16 UTC
This only applies to the Domain controller and to other tools on the client side that we do not ship.  It is not relevant to 3.0 (but some of the codebase was already there for the tools for the domain controller, which is why it was listed).