CERT RENATER Advisories

Date : Fri, 8 Jul 2016 15:03:13 +0200
Type : VULN
Subject : CERT-Renater : 2016/VULN273 (Samba : Client side SMB2/3 required signing can be downgraded)
===================================================================
                                  CERT-Renater

                      Information Note No. 2016/VULN273
_____________________________________________________________________

DATE                : 08/07/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Samba versions 4.0.0 up to
                     and including 4.4.4.

=====================================================================
https://www.samba.org/samba/security/CVE-2016-2119.html
____________________________________________________________________

CVE-2016-2119.html:

=====================================================================
== Subject:     Client side SMB2/3 required signing can be downgraded
==
== CVE ID#:     CVE-2016-2119
==
== Versions:    Samba 4.0.0 to 4.4.4
==
== Summary:     A man in the middle attack can disable client signing
==              over SMB2/3, even if enforced by configuration
==              parameters.
==
=====================================================================

===========
Description
===========

It's possible for an attacker to downgrade the required signing for
an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
or SMB2_SESSION_FLAG_IS_NULL flags.

This means that the attacker can impersonate a server being connected
to by Samba, and return malicious results.

The primary concern is with winbindd, as it uses DCERPC over SMB2 when
talking to domain controllers as a member server, and to trusted domains
as a domain controller.  These DCE/RPC connections were intended to be
protected by the combination of "client ipc signing" and
"client ipc max protocol" in their effective default settings
("mandatory" and "SMB3_11").

Additionally, management tools like net, samba-tool and rpcclient use
DCERPC over SMB2/3 connections.

By default, other tools in Samba are unprotected; only rarely are they
configured to use SMB signing via the "client signing" parameter (the
default is "if_required").  Even more rarely is "client max protocol"
set to SMB2, rather than the NT1 default.

If both these conditions are met, then this issue would also apply to
these other tools, including command line tools like smbcacls,
smbcquota, smbclient, smbget and applications using libsmbclient.
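
The downgrade described above happens at the SESSION_SETUP step: a guest or
anonymous session has no session key, so a client that trusts the server's
SMB2_SESSION_FLAG_IS_GUEST / SMB2_SESSION_FLAG_IS_NULL flags stops signing.
The following added example (not Samba's code; the parser and policy
function are illustrative, and the sample response bytes are constructed)
parses the fixed part of an SMB2 SESSION_SETUP response and shows the
hardened client decision: when signing is mandatory, such a session is
refused instead of being silently downgraded.

```python
import struct

# SessionFlags values from the SMB2 SESSION_SETUP response (MS-SMB2 2.2.6).
SMB2_SESSION_FLAG_IS_GUEST = 0x0001
SMB2_SESSION_FLAG_IS_NULL = 0x0002
SMB2_SESSION_FLAG_ENCRYPT_DATA = 0x0004

# Constructed sample: StructureSize=9, SessionFlags=IS_GUEST (0x0001),
# SecurityBufferOffset=72, SecurityBufferLength=0, one padding byte.
SAMPLE_GUEST_RESPONSE = b"\x09\x00\x01\x00\x48\x00\x00\x00\x00"


def parse_session_setup_response(body: bytes) -> dict:
    """Parse the 8 fixed bytes of an SMB2 SESSION_SETUP response body
    (the structure that follows the 64-byte SMB2 header)."""
    if len(body) < 8:
        raise ValueError("truncated SESSION_SETUP response")
    struct_size, flags, sec_off, sec_len = struct.unpack_from("<HHHH", body, 0)
    if struct_size != 9:  # MS-SMB2 mandates 9 here, including the Buffer byte
        raise ValueError(f"unexpected StructureSize {struct_size}")
    return {"flags": flags, "security_offset": sec_off, "security_length": sec_len}


def decide_signing(flags: int, signing_required: bool) -> tuple[bool, str]:
    """Return (accept_session, reason) for a client about to finish SESSION_SETUP.

    A vulnerable client disables signing as soon as it sees IS_GUEST or
    IS_NULL, regardless of its own "client ipc signing" setting. The hardened
    policy refuses the session when signing is mandatory, so an in-path
    attacker injecting those flags cannot obtain an unsigned session.
    """
    downgrade_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL
    if not flags & downgrade_flags:
        return True, "authenticated session: signing stays enabled"
    if signing_required:
        return False, "guest/anonymous flags with mandatory signing: refuse session"
    return True, "guest/anonymous session accepted, signing disabled (not required)"


def check_response(body: bytes, signing_required: bool) -> bool:
    """Parse a response and apply the hardened policy; True means proceed."""
    flags = parse_session_setup_response(body)["flags"]
    return decide_signing(flags, signing_required)[0]


if __name__ == "__main__":
    print("mandatory signing, guest flag ->", check_response(SAMPLE_GUEST_RESPONSE, True))
    print("signing not required, guest flag ->", check_response(SAMPLE_GUEST_RESPONSE, False))
```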

==================
Patch Availability
==================

A patch addressing this defect has been posted to

   https://www.samba.org/samba/security/

Additionally, Samba 4.4.5, 4.3.11 and 4.2.14 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

Set "client ipc max protocol = NT1".

If "client signing" is set to "mandatory"/"required",
remove an explicit setting of "client max protocol", which will default
to "NT1".

These changes should be reverted once the security fixes are applied.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org),
who also provided the fixes.

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================