Bug 2019660 (CVE-2016-2124)

Summary: CVE-2016-2124 samba: SMB1 client connections can be downgraded to plaintext authentication
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, anoopcs, asn, dkarpele, gdeschner, hvyas, iboukris, jarrpa, jstephen, lmohanty, madam, pfilipen, puebele, rhs-smb, sbose, security-response-team, ssorce
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2021-11-29 13:08:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2019661, 2019662, 2019663, 2020163, 2021161, 2021162, 2021163, 2021711    
Bug Blocks: 1976705, 2022010    

Description Huzaifa S. Sidhpurwala 2021-11-03 03:54:46 UTC 
As per upstream advisory:

An attacker can downgrade a negotiated SMB1 client connection and its capabitilities.  Kerberos authentication is only possible with the SMB2/3 protocol or SMB1 using the NT1 dialect and the extended security (spnego) capability. Without mandatory SMB signing the protocol can be downgraded to an older insecure dialect like CORE, COREPLUS/CORE+, LANMAN1 or LANMAN2.  Even if SMB signing is required it's still possible to downgrade to the NT1 dialect if extended security (spnego) is not negotiated.

The attacker is able to get the plaintext password sent over the wire even if Kerberos authentication was required.
Comment 3 Huzaifa S. Sidhpurwala 2021-11-10 02:46:14 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021711]
Comment 4 errata-xmlrpc 2021-11-29 12:36:07 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2021:4844 https://access.redhat.com/errata/RHSA-2021:4844
Comment 5 errata-xmlrpc 2021-11-29 12:36:16 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2021:4843 https://access.redhat.com/errata/RHSA-2021:4843
Comment 6 Product Security DevOps Team 2021-11-29 13:08:45 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-2124
Comment 7 Tomas Hoger 2021-12-01 18:36:42 UTC 
Upstream advisory:
https://www.samba.org/samba/security/CVE-2016-2124.html
Comment 8 errata-xmlrpc 2021-12-13 08:45:22 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5082 https://access.redhat.com/errata/RHSA-2021:5082
Comment 9 errata-xmlrpc 2021-12-16 17:12:04 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:5192 https://access.redhat.com/errata/RHSA-2021:5192
Comment 10 errata-xmlrpc 2022-01-04 08:21:51 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0008 https://access.redhat.com/errata/RHSA-2022:0008
Comment 11 errata-xmlrpc 2022-01-11 16:27:34 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0074 https://access.redhat.com/errata/RHSA-2022:0074