Bug 1351955 (CVE-2016-2119)
| Summary: | CVE-2016-2119 samba: Client side SMB2/3 required signing can be downgraded | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Huzaifa S. Sidhpurwala <huzaifas> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | asn, gdeschner, jarrpa, mdshaikh, rcyriac, sardella, sbose, security-response-team, sisharma |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | samba 4.4.5, samba 4.3.11, samba 4.2.14 | Doc Type: | Bug Fix |
| Doc Text: |
A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2016-07-27 07:14:14 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1351957, 1351959, 1351960, 1351961, 1351986, 1353504 | ||
| Bug Blocks: | 1351956 | ||
Acknowledgments: Name: the Samba project Upstream: Stefan Metzmacher Created samba tracking bugs for this issue: Affects: fedora-all [bug 1353504] samba-4.4.5-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report. samba-4.3.11-1.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report. Upstream commits: https://git.samba.org/?p=samba.git;a=commitdiff;h=46b5e4aca6adb12a27efaad3bfe66c2d8a82ec95 https://git.samba.org/?p=samba.git;a=commitdiff;h=94295b7aa22d2544af5323bca70d3dcb97fd7c64 https://git.samba.org/?p=samba.git;a=commitdiff;h=f7e1a590cc8246514445cb287541e6d5dca6c699 Upstream bug (still not public): https://bugzilla.samba.org/show_bug.cgi?id=11860 This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:1487 https://rhn.redhat.com/errata/RHSA-2016-1487.html This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:1486 https://rhn.redhat.com/errata/RHSA-2016-1486.html This issue has been addressed in the following products: Red Hat Gluster Storage 3.1 for RHEL 7 Red Hat Gluster Storage 3.1 for RHEL 6 Via RHSA-2016:1494 https://rhn.redhat.com/errata/RHSA-2016-1494.html |
As per upstream advisory: It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags. This applies to the combination of "client ipc signing" and "client ipc max protocol" in their effective default settings ("mandatory" and "SMB3_11"). The combination of "client signing" and "client max protocol" is also affected, but only if "client signing" is explicitly set (as the effective default is "if_required") and "client max protocol" is explicitly set to SMB2 or higher.