As per the upstream Samba advisory: versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that signing is negotiated when creating an encrypted client connection to a server. Without signing, a man-in-the-middle attacker can downgrade the connection and then connect with the supplied credentials over an unsigned, unencrypted session.

The following mitigations were suggested by upstream:

When using the smbclient command, always add the argument "--signing=required" whenever the "-e" or "--encrypt" argument is used. Alternatively, set "client signing = mandatory" in the [global] section of the smb.conf file on any client that uses encrypted connections.

To protect a Samba server exporting encrypted shares against the downgrade attack, set "smb encrypt = mandatory" in the smb.conf definition of each encrypted share.
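The following shell script is an added example, not code from the Samba project or from the Red Hat advisory. It audits an smb.conf for the two settings named above (client side: "client signing = mandatory" in [global]; server side: "smb encrypt = mandatory" on every share that enables encryption) and prints the smbclient form of the fix. It assumes the usual smb.conf layout (one parameter per line, comments on their own lines) and accepts only the exact values the advisory names; the [finance] and [payroll] share names, paths and the server name in the printed command are made up for the sample.

```shell
#!/bin/sh
# Added example (not from the Samba project or the Red Hat advisory).
# Audits an smb.conf against the CVE-2015-5296 mitigations:
#   client side: "client signing = mandatory" in [global]
#   server side: "smb encrypt = mandatory" on every encrypted share
# Parameter names and values are compared case-insensitively, as Samba does.
# Only the exact value "mandatory" passes (a conservative check; the advisory
# names no other value).

# Usage: client_signing_mandatory /etc/samba/smb.conf
# Exits 0 if [global] sets "client signing = mandatory", 1 otherwise.
client_signing_mandatory() {
    awk '
        BEGIN { sec = ""; ok = 0 }
        /^[ \t]*[;#]/ { next }                  # comment line
        /^[ \t]*\[/ {                           # section header: [name]
            i = index($0, "["); j = index($0, "]")
            sec = tolower(substr($0, i + 1, j - i - 1)); next }
        /=/ {                                   # key = value
            k = $0; v = $0
            sub(/=.*$/, "", k); sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (sec == "global" && tolower(k) == "client signing" && tolower(v) == "mandatory") ok = 1 }
        END { exit ok ? 0 : 1 }
    ' "$1"
}

# Usage: weak_encrypted_shares /etc/samba/smb.conf
# Prints, one per line, every section that sets "smb encrypt" to something
# other than "mandatory" (e.g. "enabled"): encryption is negotiated there but
# not required, so a man-in-the-middle can strip it. Prints nothing when every
# encrypted share is mandatory.
weak_encrypted_shares() {
    awk '
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/ {
            i = index($0, "["); j = index($0, "]")
            sec = substr($0, i + 1, j - i - 1); next }
        /=/ {
            k = $0; v = $0
            sub(/=.*$/, "", k); sub(/^[^=]*=/, "", v)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == "smb encrypt" && tolower(v) != "mandatory") print sec }
    ' "$1"
}

# Constructed sample configuration (not a real deployment): the client-side
# setting is missing, one share can be downgraded, one has the fix applied.
write_sample_conf() {
    cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; missing: client signing = mandatory

[finance]
   path = /srv/finance
   ; negotiated but not required: downgradable
   smb encrypt = enabled

[payroll]
   path = /srv/payroll
   ; the advisory's server-side mitigation
   smb encrypt = mandatory
EOF
}

# Demonstration: audit the sample and show the smbclient form of the fix.
conf=$(mktemp)
write_sample_conf "$conf"
if client_signing_mandatory "$conf"; then
    echo "[global] client signing = mandatory: OK"
else
    echo "[global] lacks 'client signing = mandatory': clients can be downgraded"
fi
weak_encrypted_shares "$conf" | sed 's/^/share needs "smb encrypt = mandatory": /'
# Per-invocation alternative on the client (hypothetical server and user):
echo 'smbclient -e --signing=required //server/finance -U user'
rm -f "$conf"
```

Run it against a real file with `weak_encrypted_shares /etc/samba/smb.conf` on a server and `client_signing_mandatory /etc/samba/smb.conf` on clients; any share the first prints, or a non-zero exit from the second, means the configuration still admits the downgrade the advisory describes.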
Acknowledgements: Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher of the Samba Team and Sernet.de as the original reporters.
Created samba tracking bugs for this issue: Affects: fedora-all [bug 1292069]
External References: https://www.samba.org/samba/security/CVE-2015-5296.html
Upstream commits:
https://git.samba.org/?p=samba.git;a=commitdiff;h=d724f835acb9f4886c0001af32cd325dbbf1f895
https://git.samba.org/?p=samba.git;a=commitdiff;h=1ba49b8f389eda3414b14410c7fbcb4041ca06b1
https://git.samba.org/?p=samba.git;a=commitdiff;h=a819d2b440aafa3138d95ff6e8b824da885a70e9
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0010 https://rhn.redhat.com/errata/RHSA-2016-0010.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2016:0011 https://rhn.redhat.com/errata/RHSA-2016-0011.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2016:0006 https://rhn.redhat.com/errata/RHSA-2016-0006.html
This issue has been addressed in the following products: Red Hat Gluster Storage 3.1 for RHEL 7 Via RHSA-2016:0016 https://rhn.redhat.com/errata/RHSA-2016-0016.html
This issue has been addressed in the following products: Red Hat Gluster Storage 3.1 for RHEL 6 Via RHSA-2016:0015 https://rhn.redhat.com/errata/RHSA-2016-0015.html