The Samba-Bugzilla – Attachment 17964 Details for
Bug 15397
[SECURITY] CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set.
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
Advisory v2
CVE-2023-3347-security_advisory.txt (text/plain), 2.38 KB, created by
Ralph Böhme
on 2023-06-29 08:41:00 UTC
(
hide
)
Description:
Advisory v2
Filename:
MIME Type:
Creator:
Ralph Böhme
Created:
2023-06-29 08:41:00 UTC
Size:
2.38 KB
patch
obsolete
> > >TODO: $VERSION > > >============================================================ >== Subject: SMB2 packet signing not enforced >== >== CVE ID#: CVE-2023-3347 >== >== Versions: All versions starting with 4.17.0 >== >== Summary: SMB2 packet signing is not enforced if an >== admin configured "server signing = required" >== or for SMB2 connections to Domain Controllers >== where SMB2 packet signing is mandatory. >============================================================ > >=========== >Description >=========== > >SMB2 packet signing is not enforced if an admin configured >"server signing = required" or for SMB2 connections to Domain >Controllers where SMB2 packet signing is mandatory. > >SMB2 packet signing is a mechanism that ensures the integrity >and authenticity of data exchanged between a client and a >server using the SMB2 protocol. > >It provides protection against certain types of attacks, such >as man-in-the-middle attacks, where an attacker intercepts >network traffic and modifies the SMB2 messages. > >Both client and server of an SMB2 connection can require that >signing is being used. The server-side setting in Samba to >configure signing to be required is "server signing = >required". Note that on an Samba AD DCs this is also the >default for all SMB2 connections. > >Unless the client requires signing which would result in >signing being used on the SMB2 connection, sensitive data >might have been modified by an attacker. > >Clients connecting to IPC$ on an AD DC will require signed >connections being used, so the integrity of these connections >was not affected. > >================== >Patch Availability >================== > >Patches addressing both these issues have been posted to: > > https://www.samba.org/samba/security/ > >Additionally, Samba $VERSIONS have been issued >as security releases to correct the defect. Samba administrators are >advised to upgrade to these releases or apply the patch as soon >as possible. > >================== >CVSSv3 calculation >================== > >CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8) > >========== >Workaround >========== > > >======= >Credits >======= > >Originally reported by Andreas Schneider of the Samba team. > >Patches provided by Ralph Boehme of the Samba team. > >========================================================== >== Our Code, Our Bugs, Our Responsibility. >== The Samba Team >========================================================== >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=17964">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
slow
:
review?
(
metze
)
jra
:
review+
Actions:
View
Attachments on
bug 15397
:
17925
|
17929
|
17930
|
17931
|
17934
|
17938
|
17947
|
17948
| 17964