Bug 973035 (CVE-2016-2114) - VUL-0: CVE-2016-2114: samba: "server signing = mandatory" not enforced
Summary: VUL-0: CVE-2016-2114: samba: "server signing = mandatory" not enforced
Status: RESOLVED FIXED
Alias: CVE-2016-2114
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P2 - High : Major
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:RedHat:CVE-2016-2114:5.8:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-03-29 15:20 UTC by Marcus Meissner
Modified: 2016-05-11 15:19 UTC (History)
8 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Marcus Meissner 2016-04-04 08:29:13 UTC 
==============================================================
== Subject:     "server signing = mandatory" not enforced
==
== CVE ID#:     CVE-2016-2114
==
== Versions:    Samba 4.0.0 to 4.4.0
==
== Summary:     Due to a bug Samba doesn't enforce required
==              smb signing, even if explicitly configured. In
==              addition the default for the active directory
==              domain controller case was wrong.
==
==============================================================

===========
Description
===========

Due to a regression introduced in Samba 4.0.0,
an explicit "server signing = mandatory" in the [global] section
of the smb.conf was not enforced for clients using the SMB1 protocol.

As a result it does not enforce smb signing and allows man in the middle attacks.

This problem applies to all possible server roles:
standalone server, member server, classic primary domain controller,
classic backup domain controller and active directory domain controller.

In addition, when Samba is configured with "server role = active directory domain controller"
the effective default for the "server signing" option should be "mandatory".

During the early development of Samba 4 we had a new experimental
file server located under source4/smb_server. But before
the final 4.0.0 release we switched back to the file server
under source3/smbd.

But the logic for the correct default of "server signing" was not
ported correctly ported.

Note that the default for server roles other than active directory domain
controller, is "off" because of performance reasons.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/


Additionally, Samba 4.4.1, 4.3.7 and 4.2.10 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

An explicit "server signing = mandatory" in the [global]
together with "server min protocol = SMB2", should prevent
connections without signing protection. But that means
older clients without support for SMB2 (or higher) might
become unable to connect.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.
Comment 8 Bernhard Wiedemann 2016-04-13 11:01:11 UTC 
This is an autogenerated message for OBS integration:
This bug (973035) was mentioned in
https://build.opensuse.org/request/show/389319 13.2 / samba
Comment 10 Bernhard Wiedemann 2016-04-13 15:01:01 UTC 
This is an autogenerated message for OBS integration:
This bug (973035) was mentioned in
https://build.opensuse.org/request/show/389520 Factory / samba
Comment 11 Marcus Meissner 2016-04-14 08:28:50 UTC 
as we are not shipping the component, so we could consider this "resolved upstream"

note posted:
CVE-2016-2114,20160413,NOTE:We have not shipped the affected component so far, so SUSE has not been affected by this problem.
Comment 12 Swamp Workflow Management 2016-04-20 10:10:55 UTC 
openSUSE-SU-2016:1106-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE 13.1 (src):    samba-4.2.4-3.54.2
Comment 13 Swamp Workflow Management 2016-04-20 10:13:57 UTC 
openSUSE-SU-2016:1107-1: An update that fixes 17 vulnerabilities is now available.

Category: security (important)
Bug References: 844720,849224,853347,917376,936862,958582,958583,958584,958586,968222,971965,973031,973032,973033,973034,973035,973036
CVE References: CVE-2012-6150,CVE-2013-4408,CVE-2013-4496,CVE-2015-0240,CVE-2015-5252,CVE-2015-5296,CVE-2015-5299,CVE-2015-5330,CVE-2015-5370,CVE-2015-7560,CVE-2016-2110,CVE-2016-2111,CVE-2016-2112,CVE-2016-2113,CVE-2016-2114,CVE-2016-2115,CVE-2016-2118
Sources used:
openSUSE Evergreen 11.4 (src):    samba-3.6.3-141.1, samba-doc-3.6.3-141.1
Comment 14 James McDonough 2016-05-08 11:37:31 UTC 
are we done?
Comment 15 Marcus Meissner 2016-05-11 15:14:08 UTC 
we have not fixed this anywhere as we did not ship the component.

but I think its done.