Bug 2035345 (CVE-2021-45100)

Summary: CVE-2021-45100 kernel: ksmbd server communicates in cleartext even though encryption has been enabled due to a violation of the SMB protocol specification
Product: [Other] Security Response
Reporter: Guilherme de Almeida Suckevicz <gsuckevi>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: medium
Priority: medium
Version: unspecified
CC: acaringi, adscvr, airlied, alciregi, bdettelb, bhu, brdeoliv, bskeggs, chwhite, crwood, dhoward, dvlasenk, fhrbata, fpacheco, hdegoede, hkrzesin, jarod, jarodwilson, jburrell, jeremy, jfaracco, jforbes, jglisse, jlelli, jonathan, josef, jshortt, jstancek, jwboyer, kcarcia, kernel-maint, kernel-mgr, lgoncalv, linville, lzampier, masami256, mchehab, nmurray, ptalbert, qzhao, rvrbovsk, scweaver, sgrubb, steved, vkumar, walters, williams
Keywords: Security
Hardware: All
OS: Linux
Doc Text:
An unexpected, non-encrypted communication flaw was found in the Linux kernel's ksmbd (Samba 3 protocol implementation) subsystem in the way a user sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol. If the SMB2_GLOBAL_CAP_ENCRYPTION flag is used by a remote user during a connection, then under some conditions the connection becomes unencrypted.
Last Closed: 2022-01-07 13:51:09 UTC
Bug Depends On: 2035346    
Bug Blocks: 2035347    

Description Guilherme de Almeida Suckevicz 2021-12-23 17:12:25 UTC
The ksmbd server through 3.4.2, as used in the Linux kernel through 5.15.8, sometimes communicates in cleartext even though encryption has been enabled. This occurs because it sets the SMB2_GLOBAL_CAP_ENCRYPTION flag when using the SMB 3.1.1 protocol, which is a violation of the SMB protocol specification. When Windows 10 detects this protocol violation, it disables encryption.

Reference:
https://github.com/cifsd-team/ksmbd/issues/550

Upstream patches:
https://github.com/cifsd-team/ksmbd/pull/551
https://marc.info/?l=linux-kernel&m=163961726017023&w=2
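
The condition described above can be checked on a captured SMB2 NEGOTIATE response. This is an added example, not part of the original bug report or the ksmbd code: it reports when the server selected dialect 3.1.1 yet still set SMB2_GLOBAL_CAP_ENCRYPTION in the Capabilities field. Field offsets and constant values follow MS-SMB2; `check_negotiate_response` and `build_sample` are hypothetical names, and the sample messages are constructed.

```python
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_HDR_LEN = 64                        # fixed SMB2 header size
SMB2_NEGOTIATE = 0x0000                  # Command value for NEGOTIATE
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001  # set on server responses
SMB2_GLOBAL_CAP_ENCRYPTION = 0x00000040
SMB311 = 0x0311                          # DialectRevision for SMB 3.1.1


def check_negotiate_response(msg: bytes) -> dict:
    """Parse an SMB2 NEGOTIATE response (without the 4-byte transport prefix)."""
    if len(msg) < SMB2_HDR_LEN + 28 or msg[:4] != SMB2_MAGIC:
        raise ValueError("not an SMB2 message or truncated")
    command, = struct.unpack_from("<H", msg, 12)
    flags, = struct.unpack_from("<I", msg, 16)
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a NEGOTIATE response")
    # Body: StructureSize(2) SecurityMode(2) DialectRevision(2)
    #       NegotiateContextCount(2) ServerGuid(16) Capabilities(4)
    size, _mode, dialect, _ctx, _guid, caps = struct.unpack_from(
        "<HHHH16sI", msg, SMB2_HDR_LEN)
    if size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize")
    cap_enc = bool(caps & SMB2_GLOBAL_CAP_ENCRYPTION)
    # The flag is valid for 3.0 and 3.0.2; with 3.1.1 it is the violation
    # this bug describes.
    return {"dialect": dialect, "cap_encryption": cap_enc,
            "violation": dialect == SMB311 and cap_enc}


def build_sample(dialect: int, caps: int) -> bytes:
    """Constructed sample response; all unrelated fields are zeroed."""
    hdr = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0,
                      SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
                      0, 0, 0, 0, 0, bytes(16))
    body = struct.pack("<HHHH16sIIIIQQHHI", 65, 1, dialect, 0, bytes(16),
                       caps, 0, 0, 0, 0, 0, 0, 0, 0)
    return hdr + body


if __name__ == "__main__":
    for d, c in ((0x0311, 0x41), (0x0311, 0x01), (0x0300, 0x40)):
        print(hex(d), hex(c), check_negotiate_response(build_sample(d, c)))
```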

Comment 1 Guilherme de Almeida Suckevicz 2021-12-23 17:12:59 UTC
Created kernel tracking bugs for this issue:

Affects: fedora-all [bug 2035346]

Comment 2 Justin M. Forbes 2021-12-23 20:32:53 UTC
# CONFIG_SMB_SERVER is not set in the 5.15 kernel series for Fedora.

Comment 3 Product Security DevOps Team 2022-01-07 13:51:05 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-45100