=====================================================================================
== Subject:     SMB1 client connections can be downgraded to plaintext authentication
==
== CVE ID#:     CVE-2016-2124
==
== Versions:    Samba 3.0.0 to 4.15.1
==
== Summary:     A man in the middle attack can force the client side SMB1 code
==              to fall back to plaintext or NTLM based authentication even if
==              Kerberos authentication was requested by the user or application.
==
=====================================================================================

===========
Description
===========

An attacker can downgrade a negotiated SMB1 client connection and its
capabilities.

Kerberos authentication is only possible with the SMB2/3 protocol or SMB1
using the NT1 dialect and the extended security (spnego) capability.

Without mandatory SMB signing the protocol can be downgraded to an older
insecure dialect like CORE, COREPLUS/CORE+, LANMAN1 or LANMAN2.

Even if SMB signing is required it's still possible to downgrade to the NT1
dialect if extended security (spnego) is not negotiated.

The attacker is able to get the plaintext password sent over the wire even
if Kerberos authentication was required.

The problem is only possible if all of the following options are explicitly
set together:

  client NTLMv2 auth = no
  client lanman auth = yes
  client plaintext auth = yes
  client min protocol = NT1 # or lower

In currently supported Samba versions all of the above options have
different default values, so the problem is very unlikely to happen.

Samba 4.5 and older had an additional problem, even in the default
configuration, as they send ntlmv2, ntlm or lanman responses, which means
the attacker might be able to do offline attacks in order to recover the
plaintext password, lmhash or nthash values.
Requiring Kerberos authentication for SMB1/2/3 connections can be controlled
by the '-k'/'--kerberos' or '-k yes'/'--kerberos=yes' command line options of
various tools like: smbclient, smbcquotas, smbcacls, net, rpcclient,
samba-tool and others.

Note that 4.15 deprecated '-k/--kerberos*' and introduced the
'--use-kerberos=required' command line option as well as the smb.conf option
"client use kerberos = required".

For libsmbclient based applications the usage of Kerberos is controlled by
the following function calls: smbc_setOptionUseKerberos(),
smbc_setOptionFallbackAfterKerberos() and smbc_setOptionNoAutoAnonymousLogin().

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as security
releases to correct the defect. Samba vendors and administrators running
affected versions are advised to upgrade or apply the patch as soon as
possible.

==========
Workaround
==========

Ensure the following [global] smb.conf parameters are set to their default
values as shown below:

  client lanman auth = no
  client NTLMv2 auth = yes
  client plaintext auth = no
  client min protocol = SMB2_02

Or use the '-k' command line option only without the -U option, which will
make use of an existing krb5 ccache.

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org), who
also provides the fixes.
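The Description and Workaround sections above say the downgrade needs all four client options to be explicitly set to the listed values, with unset options falling back to safe defaults on supported releases. The following added example (not Samba's own code, and not a substitute for testparm) reads the [global] section of an smb.conf and reports which of those four options match the affected values; it assumes Samba's case- and whitespace-insensitive parameter name matching and treats the SMB1 dialect names CORE, COREPLUS/CORE+, LANMAN1, LANMAN2 and NT1 as "NT1 or lower".

```python
import re

# Constructed smb.conf fragment with the explicitly-set option combination
# that the advisory says makes the SMB1 client downgrade possible.
AFFECTED_CONF = """[global]
   client NTLMv2 auth = no
   client lanman auth = yes
   client plaintext auth = yes
   client min protocol = NT1
"""

# 'client min protocol' values that are NT1 or older (assumption: these
# spellings, including the CORE+ alias, are the ones that matter).
SMB1_DIALECTS = {"CORE", "COREPLUS", "CORE+", "LANMAN1", "LANMAN2", "NT1"}

def _norm_key(key):
    # Samba matches parameter names ignoring case and whitespace.
    return re.sub(r"\s+", "", key).lower()

def _as_bool(value):
    # smb.conf booleans: yes/true/1 and no/false/0; anything else is unknown.
    v = value.strip().lower()
    return {"yes": True, "true": True, "1": True,
            "no": False, "false": False, "0": False}.get(v)

def parse_global(text):
    """Return {normalised key: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)  # '#' and ';' start comments
            params[_norm_key(key)] = value.strip()
    return params

def downgrade_enablers(text):
    """List the options explicitly set to the affected values. Unset options
    count as their defaults, so the downgrade needs all four to be returned."""
    p = parse_global(text)
    hits = []
    if _as_bool(p.get("clientntlmv2auth", "yes")) is False:
        hits.append("client NTLMv2 auth = no")
    if _as_bool(p.get("clientlanmanauth", "no")) is True:
        hits.append("client lanman auth = yes")
    if _as_bool(p.get("clientplaintextauth", "no")) is True:
        hits.append("client plaintext auth = yes")
    if p.get("clientminprotocol", "SMB2_02").upper() in SMB1_DIALECTS:
        hits.append("client min protocol = " + p["clientminprotocol"])
    return hits
```

A configuration is in the affected state only when `downgrade_enablers()` returns all four entries; fewer hits still mean some client option differs from the default listed under Workaround.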