Bug 986869 (CVE-2016-2119) - VUL-0: CVE-2016-2119: samba: Client side SMB2 signing downgrade
Summary: VUL-0: CVE-2016-2119: samba: Client side SMB2 signing downgrade
Status: RESOLVED FIXED
Alias: CVE-2016-2119
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Importance: P3 - Medium : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL:
Whiteboard: CVSSv2:SUSE:CVE-2016-2119:4.3:(AV:A/A...
Keywords:
Depends on:
Blocks:
 
Reported: 2016-06-28 16:02 UTC by Marcus Meissner
Modified: 2016-12-22 13:30 UTC
CC: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Comment 1 Swamp Workflow Management 2016-06-28 22:00:35 UTC
bugbot adjusting priority
Comment 5 Marcus Meissner 2016-07-07 09:39:14 UTC
Public by the Samba team.

https://www.samba.org/samba/security/CVE-2016-2119.html


CVE-2016-2119.html:

=====================================================================
== Subject:     Client side SMB2/3 required signing can be downgraded
==
== CVE ID#:     CVE-2016-2119
==
== Versions:    Samba 4.0.0 to 4.4.4
==
== Summary:     A man in the middle attack can disable client signing
==              over SMB2/3, even if enforced by configuration
==              parameters.
==
=====================================================================

===========
Description
===========

It's possible for an attacker to downgrade the required signing for
an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
or SMB2_SESSION_FLAG_IS_NULL flags.

This means that the attacker can impersonate a server being connected to by
Samba, and return malicious results.

The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
to domain controllers as a member server, and trusted domains as a domain
controller.  These DCE/RPC connections were intended to be protected by the
combination of "client ipc signing" and
"client ipc max protocol" in their effective default settings
("mandatory" and "SMB3_11").

Additionally, management tools like net, samba-tool and rpcclient use DCERPC
over SMB2/3 connections.

By default, other tools in Samba are unprotected, but they are rarely
configured to use smb signing, via the "client signing" parameter (the default
is "if_required").  Even more rarely, "client max protocol" is set to SMB2,
rather than the NT1 default.

If both these conditions are met, then this issue would also apply to these
other tools, including command line tools like smbcacls, smbcquota, smbclient,
smbget and applications using libsmbclient.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.5, 4.3.11 and 4.2.14 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

Setting "client ipc max protocol = NT1".

If "client signing" is set to "mandatory"/"required",
remove an explicit setting of "client max protocol", which will default
to "NT1".

These changes should be reverted once the security fixes are applied.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org),
who also provided the fixes.
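The advisory's Description and Workaround sections reduce to two configuration conditions: winbindd, net, samba-tool and rpcclient are exposed when "client ipc signing" is mandatory and "client ipc max protocol" allows SMB2/3 (the effective defaults), and smbclient-style tools are exposed only when "client signing" is mandatory and "client max protocol" has been raised above NT1. The Python script below is an added example written for this page; it is not part of the bug report, the advisory, or Samba's own code. It parses the [global] section of an smb.conf, fills in the defaults the advisory states, reports which client paths meet those conditions, and checks a version string against the fixed releases the advisory lists (4.2.14, 4.3.11, 4.4.5). The two sample configurations are constructed, and treating "required" as a synonym of "mandatory" follows the advisory's own wording.

```python
"""Audit an smb.conf against the conditions in the Samba CVE-2016-2119 advisory.

Added example, not Samba's code. Defaults and fixed-version numbers are the
ones the advisory states; everything else is an assumption of this script.
"""
import configparser
import re

# Effective defaults as stated in the advisory for Samba 4.x of that era.
DEFAULTS = {
    "client ipc signing": "mandatory",
    "client ipc max protocol": "SMB3_11",
    "client signing": "if_required",
    "client max protocol": "NT1",
}

# First fixed patch release per affected 4.x series (4.0.x / 4.1.x got none).
FIXED_IN = {2: 14, 3: 11, 4: 5}

# Advisory wording: "mandatory"/"required" both mean signing is enforced.
REQUIRED_VALUES = {"mandatory", "required"}


def parse_smb_conf(text):
    """Return [global] settings (lower-cased keys) merged over DEFAULTS.

    smb.conf always carries a [global] header, which configparser needs.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    settings = dict(DEFAULTS)
    if cp.has_section("global"):
        for key, value in cp.items("global"):
            settings[key.strip().lower()] = value.strip()
    return settings


def is_smb2_or_later(proto):
    """True for SMB2*/SMB3* dialect names; NT1 and older names are False."""
    return proto.upper().startswith(("SMB2", "SMB3"))


def version_affected(version):
    """True if a Samba version lies in 4.0.0..4.4.4 and below its series' fix."""
    m = re.match(r"^(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version}")
    major, minor, patch = (int(x) for x in m.groups())
    if major != 4 or minor > 4:
        return False
    fixed = FIXED_IN.get(minor)
    return fixed is None or patch < fixed


def audit(settings):
    """Return findings for each client path that meets the downgrade conditions."""
    findings = []
    # winbindd and the DCE/RPC tools use the "client ipc ..." settings.
    ipc_proto = settings["client ipc max protocol"]
    if (settings["client ipc signing"].lower() in REQUIRED_VALUES
            and is_smb2_or_later(ipc_proto)):
        findings.append(
            f"ipc: signing enforced but 'client ipc max protocol = {ipc_proto}'; "
            "winbindd/net/rpcclient signing can be downgraded "
            "(workaround: client ipc max protocol = NT1)")
    # smbclient, smbcacls, smbget and libsmbclient use the plain settings;
    # the NT1 default keeps them out of scope.
    proto = settings["client max protocol"]
    if (settings["client signing"].lower() in REQUIRED_VALUES
            and is_smb2_or_later(proto)):
        findings.append(
            f"smb: signing enforced but 'client max protocol = {proto}'; "
            "smbclient/libsmbclient signing can be downgraded "
            "(workaround: remove the explicit client max protocol)")
    return findings


# Constructed sample: member server keeping the ipc defaults and also
# enforcing signing for smbclient with an explicit SMB3 dialect.
SAMPLE_EXPOSED = """\
[global]
    workgroup = EXAMPLE
    security = ads
    client signing = mandatory
    client max protocol = SMB3
"""

# Constructed sample: the advisory's workaround applied.
SAMPLE_WORKAROUND = """\
[global]
    workgroup = EXAMPLE
    security = ads
    client ipc max protocol = NT1
    client signing = mandatory
"""

if __name__ == "__main__":
    for name, text in (("exposed", SAMPLE_EXPOSED), ("workaround", SAMPLE_WORKAROUND)):
        result = audit(parse_smb_conf(text))
        print(name, result or ["no exposure under the advisory's conditions"])
    print("4.4.4 affected:", version_affected("4.4.4"))
```

Running it against a host's real smb.conf means feeding the file's text to parse_smb_conf and pairing the result with the installed package version; a non-empty findings list on an affected version is the condition under which the advisory's workaround should be applied until the fixed packages are installed.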
Comment 6 James McDonough 2016-07-07 16:57:27 UTC
submitted to: SLE-12, SLE-12-SP1, SLE-12-SP2, openSUSE 13.1, and Factory.  I believe 42.1 gets it from SLE-12-SP1 so I did not submit there.
Comment 8 Bernhard Wiedemann 2016-07-07 18:00:15 UTC
This is an autogenerated message for OBS integration:
This bug (986869) was mentioned in
https://build.opensuse.org/request/show/407154 13.2 / samba
https://build.opensuse.org/request/show/407155 Factory / samba
Comment 9 Swamp Workflow Management 2016-07-19 19:09:36 UTC
openSUSE-SU-2016:1830-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 969522,975131,986869
CVE References: CVE-2016-2119
Sources used:
openSUSE 13.2 (src):    samba-4.2.4-40.1
Comment 10 Swamp Workflow Management 2016-09-14 17:11:50 UTC
SUSE-SU-2016:2306-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 969522,975131,981566,986228,986869,991564
CVE References: CVE-2016-2119
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-26.2
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-26.2
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-26.2
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-26.2
Comment 11 Swamp Workflow Management 2016-09-24 18:12:09 UTC
openSUSE-SU-2016:2371-1: An update that solves one vulnerability and has 5 fixes is now available.

Category: security (moderate)
Bug References: 969522,975131,981566,986228,986869,991564
CVE References: CVE-2016-2119
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-21.3
Comment 12 Swamp Workflow Management 2016-10-19 20:09:50 UTC
SUSE-SU-2016:2570-1: An update that solves one vulnerability and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1005065,969522,975131,981566,986228,986869,991564
CVE References: CVE-2016-2119
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.27.9
Comment 13 Marcus Meissner 2016-12-22 13:30:19 UTC
released