Summary: CVE-2017-12151 samba: SMB2 connections don't keep encryption across DFS redirects
Product: [Other] Security Response
Reporter: Adam Mariš <amaris>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
QA Contact:
Version: unspecified
CC: abokovoy, anoopcs, asn, gdeschner, jlayton, jrivera, lmohanty, madam, rhs-smb, sbose, security-response-team, sisharma, ssaha, ssorce, vbellur
Fixed In Version: samba 4.4.16, samba 4.5.14, samba 4.6.8
Doc Type: If docs needed, set a value
A flaw was found in the way the Samba client used encryption with the max protocol set to SMB3. The connection could lose the requirement for signing and encryption on any DFS redirect, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
Last Closed: 2019-06-08 03:23:59 UTC
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1491213, 1491214, 1491769, 1493441
Description Adam Mariš 2017-09-04 15:56:47 UTC
Client command line tools like 'smbclient' as well as applications using the 'libsmbclient' library have support for required encryption. This is activated by the '-e|--encrypt' command line option or the smbc_setOptionSmbEncryptionLevel() library call.

By default, only SMB1 is used in order to do connections to a server, as the effective default for the "client max protocol" smb.conf option as well as for the "-m|--max-protocol=" command line option is "NT1".

If the original client connection used encryption, following DFS redirects to another server also enforces encryption. This is important as these redirects are transparent to the application.

In case "SMB3", "SMB3_00", "SMB3_02", "SMB3_10" or "SMB3_11" is used as max protocol and a connection actually made use of the SMB3 encryption, any redirected connection loses the requirement for encryption and maybe also the requirement for signing. That means a man in the middle can read and/or alter the content of the connection.
Comment 1 Adam Mariš 2017-09-04 15:56:54 UTC
Acknowledgments:
Name: the Samba project
Upstream: Stefan Metzmacher (SerNet)
Comment 2 Adam Mariš 2017-09-04 15:59:42 UTC
Mitigation: Keep the default of "client max protocol = NT1".
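An added defender-side check, not part of this bug report or of Samba itself: given a Samba version string and the client's smb.conf, it flags a host whose "client max protocol" is raised to one of the SMB3 dialects named in the description while the installed version is below the fixed release listed above for its branch (4.4.16, 4.5.14, 4.6.8). It does not inspect whether '-e' was actually used, since that is chosen per invocation; the sample configuration at the bottom is constructed.

```python
import re

# Fixed releases from this report's "Fixed In Version" field, keyed by branch.
FIXED_BY_BRANCH = {(4, 4): (4, 4, 16), (4, 5): (4, 5, 14), (4, 6): (4, 6, 8)}

# "client max protocol" values the description says trigger the problem.
SMB3_DIALECTS = {"SMB3", "SMB3_00", "SMB3_02", "SMB3_10", "SMB3_11"}


def parse_version(text):
    """Turn 'samba 4.6.2' or '4.6.2-12.el7' into a (major, minor, patch) tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(p) for p in m.groups())


def client_max_protocol(smb_conf):
    """Effective 'client max protocol' from [global]; NT1 when unset (the default)."""
    section, value = None, "NT1"
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # smb.conf comment lines
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, val = (s.strip() for s in line.split("=", 1))
            if " ".join(key.lower().split()) == "client max protocol":
                value = val.upper()
    return value


def assess(version_text, smb_conf):
    """Return 'not-smb3', 'exposed', 'fixed' or 'unknown-branch' for one host."""
    if client_max_protocol(smb_conf) not in SMB3_DIALECTS:
        return "not-smb3"        # default NT1, i.e. the mitigation in comment 2
    version = parse_version(version_text)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        return "unknown-branch"  # this report lists no fixed release for it
    return "fixed" if version >= fixed else "exposed"


if __name__ == "__main__":
    # Constructed sample: an SMB3_11 client config on an unpatched 4.6 host.
    SAMPLE_CONF = "[global]\n   workgroup = EXAMPLE\n   client max protocol = SMB3_11\n"
    print(assess("samba 4.6.2-12.el7", SAMPLE_CONF))   # exposed
```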
Comment 3 Huzaifa S. Sidhpurwala 2017-09-05 09:50:50 UTC
Statement: The samba4 package in Red Hat Enterprise Linux 6 is a tech preview and by default uses the SMB1 protocol; therefore, though affected by this flaw, it will not be addressed in a security update.
Comment 6 Huzaifa S. Sidhpurwala 2017-09-20 08:18:32 UTC
External References: https://www.samba.org/samba/security/CVE-2017-12151.html
Comment 7 Huzaifa S. Sidhpurwala 2017-09-20 08:21:21 UTC
Created samba tracking bugs for this issue:
Affects: fedora-all [bug 1493441]
Comment 8 errata-xmlrpc 2017-09-21 14:07:38 UTC
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2017:2790 https://access.redhat.com/errata/RHSA-2017:2790