The Samba-Bugzilla – Attachment 16898 Details for Bug 12444
[SECURITY] CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos in Samba client
Attachment: CVE-2016-2124-description-metze02.txt (text/plain), 3.31 KB, created by Stefan Metzmacher on 2021-10-29 13:19:08 UTC
Description: CVE-2016-2124-description-metze02.txt
=====================================================================================
== Subject: SMB1 client connections can be downgraded to plaintext authentication
==
== CVE ID#: CVE-2016-2124
==
== Versions: Samba 3.0.0 to 4.15.1
==
== Summary: A man in the middle attack can force the client side SMB1 code
==          to fall back to plaintext or NTLM based authentication even if
==          Kerberos authentication was requested by the user or application.
==
=====================================================================================

===========
Description
===========

An attacker can downgrade a negotiated SMB1 client connection and its
capabilities. Kerberos authentication is only possible with the
SMB2/3 protocol or SMB1 using the NT1 dialect and the extended
security (spnego) capability. Without mandatory SMB signing the
protocol can be downgraded to an older insecure dialect like CORE,
COREPLUS/CORE+, LANMAN1 or LANMAN2. Even if SMB signing is required
it's still possible to downgrade to the NT1 dialect if extended
security (spnego) is not negotiated.

The attacker is able to get the plaintext password sent over the
wire even if Kerberos authentication was required.

The problem is only possible if all of the following options are
explicitly set together:

  client NTLMv2 auth = no
  client lanman auth = yes
  client plaintext auth = yes
  client min protocol = NT1 # or lower

In currently supported Samba versions all of the above options
have different default values, so the problem is very unlikely
to happen.

Samba 4.5 and older had an additional problem, even in the default
configuration, as they send ntlmv2, ntlm or lanman responses,
which means the attacker might be able to do offline attacks in order
to recover the plaintext password, lmhash or nthash values.

Requiring Kerberos authentication for SMB1/2/3 connections can be controlled
by the '-k'/'--kerberos' or '-k yes'/'--kerberos=yes' command line options of
various tools like: smbclient, smbcquotas, smbcacls, net, rpcclient,
samba-tool and others. Note that 4.15 deprecated '-k/--kerberos*'
and introduced the '--use-kerberos=required' command line option
as well as the smb.conf option "client use kerberos = required".

For libsmbclient based applications the usage of Kerberos is controlled by
the following function calls: smbc_setOptionUseKerberos(),
smbc_setOptionFallbackAfterKerberos() and smbc_setOptionNoAutoAnonymousLogin().

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

Should have the following options at their default values:

  client lanman auth = no
  client NTLMv2 auth = yes
  client plaintext auth = no
  client min protocol = SMB2_02

Or use the '-k' command line option only without the -U option,
which will make use of an existing krb5 ccache.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org),
who also provides the fixes.
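As an added example, not code from the Samba project or from the advisory above, here is a small Python check that parses the [global] section of an smb.conf and reports whether all four explicit client-side settings the advisory names are present with the values the downgrade requires. The parser is a simplified one written for this example (one file, [global] only, no `include =` handling); it uses only the option names, boolean syntax and NT1-or-older dialect names that appear in the advisory.

```python
# Added example for this advisory, not code from the Samba project: flag the
# four explicit smb.conf settings CVE-2016-2124 needs. Reads only [global] of
# one file (no 'include =') and uses the option/dialect names from the advisory.
import re

NT1_OR_LOWER = {"CORE", "COREPLUS", "CORE+", "LANMAN1", "LANMAN2", "NT1"}  # "NT1 # or lower"

def parse_global_section(text):
    """Map normalised parameter name -> value for [global]. Samba ignores case and
    whitespace in names ('Client NTLMv2 Auth' -> 'clientntlmv2auth'); a trailing
    '# ...' or '; ...' comment after the value is dropped."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        section = re.fullmatch(r"\[(.*)\]", line)
        if section:
            in_global = section.group(1).strip().lower() == "global"
        elif in_global and "=" in line:
            name, value = line.split("=", 1)
            value = re.split(r"\s+[#;]", value.strip(), maxsplit=1)[0]
            params[re.sub(r"\s+", "", name).lower()] = value.strip()
    return params

def as_bool(value):
    """Samba boolean syntax: yes/true/1 and no/false/0, case-insensitive."""
    v = value.strip().lower()
    return True if v in ("yes", "true", "1") else False if v in ("no", "false", "0") else None

# Normalised name -> predicate that is true for the value the downgrade needs.
WANTED = {
    "clientntlmv2auth": lambda v: as_bool(v) is False,
    "clientlanmanauth": lambda v: as_bool(v) is True,
    "clientplaintextauth": lambda v: as_bool(v) is True,
    "clientminprotocol": lambda v: v.upper() in NT1_OR_LOWER,
}

def check_cve_2016_2124(text):
    """Return (exposed, hits); exposed only when all four are explicitly set as described."""
    params = parse_global_section(text)
    hits = [f"{k} = {params[k]}" for k, bad in WANTED.items()
            if k in params and bad(params[k])]
    return len(hits) == len(WANTED), hits

# Constructed sample configuration (not taken from any real deployment).
WEAK_SMB_CONF = """[global]
   client NTLMv2 auth = no
   client lanman auth = yes
   client plaintext auth = yes
   client min protocol = NT1 # or lower"""
```

A partial match (say, only `client lanman auth` and `client plaintext auth` changed) returns `exposed == False` but still lists the offending lines, so the output is useful for hardening even where the full combination is absent.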
Flags: asn: review+, jra: review-