Bug 973034 - (CVE-2016-2113) VUL-0: CVE-2016-2113: samba: Missing TLS certificate validation allows man in the middle attacks
(CVE-2016-2113)
VUL-0: CVE-2016-2113: samba: Missing TLS certificate validation allows man in...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P2 - High : Major
: ---
Assigned To: Security Team bot
Security Team bot
maint:released:oes2015:62621
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2016-03-29 15:19 UTC by Marcus Meissner
Modified: 2016-05-25 07:32 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2016-04-04 08:28:43 UTC
===================================================================================
== Subject:     Missing TLS certificate validation allows man in the middle attacks
==
== CVE ID#:     CVE-2016-2113
==
== Versions:    Samba 4.0.0 to 4.4.0
==
== Summary:     Man in the middle attacks are possible for client triggered LDAP
==              connections (with ldaps://) and ncacn_http connections
==              (with https://).
==
===================================================================================

===========
Description
===========

Samba has support for TLS/SSL for some protocols:
ldap and http, but currently certificates are not
validated at all. While we have a "tls cafile" option,
the configured certificate is not used to validate
the server certificate.

This applies to ldaps:// connections triggered by tools like:
"ldbsearch", "ldbedit" and more. Note that it only applies
to the ldb tools when they are built as part of Samba or with Samba
extensions installed, which means the Samba builtin LDAP client library is
used.

It also applies to dcerpc client connections using ncacn_http (with https://),
which are only used by the openchange project. Support for ncacn_http
was introduced in version 4.2.0.

The security patches will introduce a new option called
"tls verify peer". Possible values are "no_check", "ca_only",
"ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".

If you use the self-signed certificates which are auto-generated
by Samba, you won't have a crl file and need to explicitly
set "tls verify peer = ca_and_name".

===================
New smb.conf option
===================

  tls verify peer (G)

    This controls if and how strict the client will verify the peer's
    certificate and name. Possible values are (in increasing order): no_check,
    ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.

    When set to no_check the certificate is not verified at all,
    which allows trivial man in the middle attacks.

    When set to ca_only the certificate is verified to be signed from a ca
    specified in the "tls ca file" option. Setting "tls ca file" to a valid file
    is required. The certificate lifetime is also verified. If the "tls crl file"
    option is configured, the certificate is also verified against
    the ca crl.

    When set to ca_and_name_if_available all checks from ca_only are performed.
    In addition, the peer hostname is verified against the certificate's
    name, if it is provided by the application layer and not given as
    an ip address string.

    When set to ca_and_name all checks from ca_and_name_if_available are performed.
    In addition the peer hostname needs to be provided and even an ip
    address is checked against the certificate's name.

    When set to as_strict_as_possible all checks from ca_and_name are performed.
    In addition the "tls crl file" needs to be configured. Future versions
    of Samba may implement additional checks.

    Default: tls verify peer = as_strict_as_possible

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

None.

=======
Credits
=======


This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
Comment 7 Johannes Segitz 2016-04-12 17:55:56 UTC
Is public: https://www.samba.org/samba/security/CVE-2016-2113.html
Comment 9 Swamp Workflow Management 2016-04-12 22:11:18 UTC
SUSE-SU-2016:1022-1: An update that solves 7 vulnerabilities and has 13 fixes is now available.

Category: security (important)
Bug References: 320709,913547,919309,924519,936862,942716,946051,949022,964023,966271,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Server 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.17.1
SUSE Linux Enterprise Desktop 12 (src):    samba-4.2.4-18.17.1
Comment 10 Swamp Workflow Management 2016-04-12 22:13:02 UTC
SUSE-SU-2016:1023-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Manager 2.1 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Software Development Kit 11-SP3 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-76.1, samba-doc-3.6.3-76.2
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-76.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-76.1
Comment 11 Swamp Workflow Management 2016-04-12 22:14:46 UTC
SUSE-SU-2016:1024-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-16.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-16.1
Comment 12 Bernhard Wiedemann 2016-04-13 11:01:05 UTC
This is an autogenerated message for OBS integration:
This bug (973034) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba
Comment 13 Swamp Workflow Management 2016-04-13 12:09:25 UTC
openSUSE-SU-2016:1025-1: An update that solves 7 vulnerabilities and has 5 fixes is now available.

Category: security (important)
Bug References: 924519,936862,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-15.1
Comment 14 Bernhard Wiedemann 2016-04-13 15:00:54 UTC
This is an autogenerated message for OBS integration:
This bug (973034) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba
Comment 15 Swamp Workflow Management 2016-04-13 18:08:52 UTC
SUSE-SU-2016:1028-1: An update that solves 7 vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 936862,967017,971965,973031,973032,973033,973034,973036
CVE References: CVE-2015-5370,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-52.1, samba-doc-3.6.3-52.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-52.1
Comment 16 Marcus Meissner 2016-04-14 08:47:58 UTC
posting this note:

CVE-2016-2113 "We are not building the LDAP client tools of Samba currently. So this vulnerability does not affect SUSE Linux products."
Comment 17 Swamp Workflow Management 2016-04-17 13:19:23 UTC
openSUSE-SU-2016:1064-1: An update that solves 16 vulnerabilities and has 17 fixes is now available.

Category: security (important)
Bug References: 898031,901813,912457,913238,913547,914279,917376,919309,924519,936862,942716,946051,947552,949022,958581,958582,958583,958584,958585,958586,964023,966271,968222,968973,971965,972197,973031,973032,973033,973034,973036,973832,974629
CVE References: CVE-2014-8143,CVE-2015-0240,CVE-2015-3223,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2015-8467,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-34.1
Comment 18 Swamp Workflow Management 2016-04-20 10:10:45 UTC
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 19 Swamp Workflow Management 2016-04-20 10:13:48 UTC
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1
Comment 21 James McDonough 2016-05-08 11:35:33 UTC
are we done?
Comment 22 Marcus Meissner 2016-05-25 07:32:31 UTC
think so