There are several code paths where the code doesn't enforce SMB signing: * The fixes for CVE-2015-5296 didn't apply the implied signing protection when enforcing encryption for commands like 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e'. * The python binding exported as 'samba.samba3.libsmb_samba_internal' doesn't make use of the "client signing" smb.conf option. * libgpo as well as 'net ads gpo' doesn't require SMB signing when fetching group policies. * Commandline tools like 'smbclient', 'smbcacls' and 'smbcquotas' allow a fallback to an anonymous connection when using the '--use-ccache' option and this happens even if SMB signing is required.
Acknowledgments: Name: the Samba project Upstream: Stefan Metzmacher (SerNet)
Mitigation: The missing implied signing for 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e' can be enforced by explicitly using '--signing=required' on the commandline or "client signing = required" in smb.conf.
External References: https://www.samba.org/samba/security/CVE-2017-12150.html
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1493441]
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:2791 https://access.redhat.com/errata/RHSA-2017:2791
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2017:2790 https://access.redhat.com/errata/RHSA-2017:2790
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2017:2789 https://access.redhat.com/errata/RHSA-2017:2789
This issue has been addressed in the following products: Red Hat Gluster Storage 3.3 for RHEL 6 Red Hat Gluster Storage 3.3 for RHEL 7 Via RHSA-2017:2858 https://access.redhat.com/errata/RHSA-2017:2858