Bug 12444 (CVE-2016-2124) - [SECURITY] CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos in Samba client
Status: RESOLVED FIXED
Alias: CVE-2016-2124
Product: Samba 4.1 and newer
Classification: Unclassified
Component: libsmbclient (show other bugs)
Version: 4.5.1
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Jule Anger
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 14834
Reported: 2016-11-24 07:49 UTC by Stefan Metzmacher
Modified: 2021-11-09 22:29 UTC (History)

See Also:


Attachments
Patches for master (3.94 KB, patch), 2021-10-29 10:25 UTC, Stefan Metzmacher, asn: review+
Patches for v4-15-test (3.94 KB, patch), 2021-10-29 10:26 UTC, Stefan Metzmacher, asn: review+
Patches for v4-14-test (3.94 KB, patch), 2021-10-29 10:27 UTC, Stefan Metzmacher, asn: review+
Patches for v4-13-test (3.88 KB, patch), 2021-10-29 10:27 UTC, Stefan Metzmacher, asn: review+
CVE-2016-2124-description-metze02.txt (3.31 KB, text/plain), 2021-10-29 13:19 UTC, Stefan Metzmacher, asn: review+, jra: review-
CVE-2016-2124-description-metze03.txt (3.35 KB, text/plain), 2021-10-30 00:28 UTC, Stefan Metzmacher, jra: review+
backport for 4.7 through to 4.11 (3.54 KB, patch), 2021-11-03 16:44 UTC, Noel Power, asn: review+
backport for 4.6 (3.56 KB, patch), 2021-11-03 16:45 UTC, Noel Power, asn: review+
backport for 4.4 (4.56 KB, patch), 2021-11-03 16:46 UTC, Noel Power, asn: review-
backport for 3.6 (2.89 KB, patch), 2021-11-03 16:47 UTC, Noel Power, no flags
backport for 4.12 (3.65 KB, patch), 2021-11-08 23:51 UTC, Jo Sutton, jsutton: review? (abartlet), jsutton: ci-passed+
backport for 4.10 (3.65 KB, patch), 2021-11-09 04:06 UTC, Jo Sutton, jsutton: review? (abartlet)
backport for 3.6 (4.54 KB, patch), 2021-11-09 16:22 UTC, Noel Power, no flags

Description Stefan Metzmacher 2016-11-24 07:49:19 UTC
We should not allow a downgrade to non-kerberos authentication if we require
kerberos.
Comment 17 Stefan Metzmacher 2021-10-29 10:25:54 UTC
Created attachment 16890 [details]
Patches for master
Comment 18 Stefan Metzmacher 2021-10-29 10:26:31 UTC
Created attachment 16891 [details]
Patches for v4-15-test
Comment 19 Stefan Metzmacher 2021-10-29 10:27:07 UTC
Created attachment 16892 [details]
Patches for v4-14-test
Comment 20 Stefan Metzmacher 2021-10-29 10:27:43 UTC
Created attachment 16893 [details]
Patches for v4-13-test
Comment 21 Stefan Metzmacher 2021-10-29 13:19:08 UTC
Created attachment 16898 [details]
CVE-2016-2124-description-metze02.txt
Comment 23 Stefan Metzmacher 2021-10-29 14:15:59 UTC
This is ready for the November 9th release.
Comment 24 Stefan Metzmacher 2021-10-29 18:51:25 UTC
G'Day Vendors,

This bug will also be part of the security release for Nov 9 2021.

But the patches on this bug are on their own independent from
the large combined patch on bug #14834.

This bug is only relevant for all active directory related setups
as domain controller, as domain member, as well as client utilities.
Comment 25 Jeremy Allison 2021-10-29 21:20:08 UTC
Comment on attachment 16898 [details]
CVE-2016-2124-description-metze02.txt

Couple of changes:

1). "The attacker is able to get the plaintext password send over the
wire even if Kerberos authentication was required."

should read:

"The attacker is able to get the plaintext password sent over the
wire even if Kerberos authentication was required."

(notice "send" -> "sent").

2). In the "Workaround" section, change:

"Should have the following options at their default values:"

to:

"Ensure the following [global] smb.conf parameters are set
to their default values as shown below:"

Otherwise, LGTM ! Thanks !
Comment 26 Stefan Metzmacher 2021-10-30 00:28:31 UTC
Created attachment 16902 [details]
CVE-2016-2124-description-metze03.txt
Comment 27 Jeremy Allison 2021-10-30 03:45:55 UTC
Comment on attachment 16902 [details]
CVE-2016-2124-description-metze03.txt

LGTM. Thanks Metze !
Comment 28 Noel Power 2021-11-03 16:44:08 UTC
Created attachment 16935 [details]
backport for 4.7 through to 4.11
Comment 29 Noel Power 2021-11-03 16:45:21 UTC
Created attachment 16937 [details]
backport for 4.6
Comment 30 Noel Power 2021-11-03 16:46:45 UTC
Created attachment 16938 [details]
backport for 4.4
Comment 31 Noel Power 2021-11-03 16:47:33 UTC
Created attachment 16939 [details]
backport for 3.6
Comment 32 Noel Power 2021-11-03 16:49:24 UTC
be great if someone could cast a knowing eye particularly over the 3.6 and 4.4 patches
Comment 33 Andreas Schneider 2021-11-03 17:11:17 UTC
Noel, if you scroll up, you can see my last backport to Samba 3.6. After this Metze told me that this will probably need more work. Not sure it can be fixed for 3.6.

Also fee23c33ae279e96d0a70e2f313d20d7fae106ff is fixing one part of the problem. Make sure you backport this to 4.4 too.
Comment 34 Noel Power 2021-11-04 09:36:10 UTC
(In reply to Andreas Schneider from comment #33)
>Noel, if you scroll up, you can see my last backport to Samba 3.6. After this Metze told me that this will probably need more work. Not sure it can be fixed for 3.6.

oh, I didn't realise that there were earlier patches, I've obsoleted the 3.6 & 4.4 ones.

If we were to patch 3.6, the final 2 patches from Metz in that patch in the attachment you point to still look relevant, right? (and better than nothing)
> Also fee23c33ae279e96d0a70e2f313d20d7fae106ff is fixing one part of the problem. Make sure you backport this to 4.4 too.
Andreas/Metz, I see there is an old patch also for 4.4; were there issues still with that?
Comment 35 Noel Power 2021-11-04 15:31:52 UTC
Comment on attachment 16937 [details]
backport for 4.6

Andreas could you have a look at this
Comment 38 Stefan Metzmacher 2021-11-08 21:58:14 UTC
The release will happen around 18:00 UTC November 9th.
Comment 40 Jo Sutton 2021-11-08 23:51:17 UTC
Created attachment 16972 [details]
backport for 4.12

This patch applies on top of the v4.12 patch found at https://bugzilla.samba.org/show_bug.cgi?id=14725.
Comment 41 Jones Syue 2021-11-09 03:16:33 UTC
A question:
About 'client min protocol = SMB2_02',
is Samba still able to join a Windows 2003 AD server with this workaround setup in smb.conf?
Because Windows 2003 AD server does not yet support SMB2.

> ==========
> Workaround
> ==========
> 
> Ensure the following [global] smb.conf parameters are set
> to their default values as shown below:
> 
>   client lanman auth = no
>   client NTLMv2 auth = yes
>   client plaintext auth = no
>   client min protocol = SMB2_02
>
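The quoted workaround lists four [global] smb.conf parameters that have to sit at their default values. The following checker, added here as an illustration and not code from Samba or from anyone on this bug, parses an smb.conf text and reports, for each of those four parameters, whether it is explicitly set to the advisory's value ("ok"), explicitly set to something else ("weak"), or not set at all ("unset", meaning the build's compiled-in default applies and should be confirmed with `testparm -v`). The two sample configurations are constructed for the example; parameter names are matched the way Samba does, case- and whitespace-insensitively, and only the [global] section is considered.

```python
"""Check an smb.conf [global] section against the CVE-2016-2124 workaround values."""
import re

# The four [global] parameters named in the advisory's workaround section,
# with the values the advisory says they must carry.
WORKAROUND = {
    "client lanman auth": "no",
    "client ntlmv2 auth": "yes",
    "client plaintext auth": "no",
    "client min protocol": "SMB2_02",
}

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _norm_key(key):
    # Samba parameter names are case-insensitive and internal whitespace is
    # not significant, so "Client  NTLMv2 Auth" is the same parameter.
    return re.sub(r"\s+", " ", key.strip().lower())


def _norm_value(value):
    # Booleans accept several spellings; anything else is compared case-insensitively.
    v = value.strip().lower()
    if v in _TRUE:
        return "yes"
    if v in _FALSE:
        return "no"
    return v


def parse_global(conf_text):
    """Return {normalised parameter name: raw value} for the [global] section only."""
    params = {}
    in_global = False
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        section = re.match(r"\[(.+)\]$", line)
        if section:
            in_global = _norm_key(section.group(1)) == "global"
            continue
        if not in_global or "=" not in line:  # ignore share sections and junk
            continue
        key, _, value = line.partition("=")
        params[_norm_key(key)] = value.strip()
    return params


def check_workaround(conf_text):
    """Classify each workaround parameter as 'ok', 'weak' or 'unset'.

    'unset' means the file does not set it explicitly, so the compiled-in
    default of that Samba build applies; confirm it with `testparm -v`
    rather than assuming it matches the advisory.
    """
    params = parse_global(conf_text)
    result = {}
    for key, wanted in WORKAROUND.items():
        if key not in params:
            result[key] = "unset"
        elif _norm_value(params[key]) == _norm_value(wanted):
            result[key] = "ok"
        else:
            result[key] = "weak"
    return result


# Constructed sample: two explicit downgrades, one parameter set only in a
# share section (which does not count), one spelled with odd case.
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   Client NTLMv2 Auth = True
   client plaintext auth = yes
   client min protocol = NT1

[homes]
   client lanman auth = yes
"""

# Constructed sample: every workaround value set explicitly as the advisory lists them.
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   client lanman auth = no
   client NTLMv2 auth = yes
   client plaintext auth = no
   client min protocol = SMB2_02
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, check_workaround(conf))
```

Running the block prints the classification of both constructed configurations; in practice you would feed it the output of `testparm -s`, which expands the effective [global] section, so that parameters left unset in the file still show up with their real values.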
Comment 42 Jo Sutton 2021-11-09 04:06:48 UTC
Created attachment 16976 [details]
backport for 4.10

This patch applies on top of the v4.10 patch found at https://bugzilla.samba.org/show_bug.cgi?id=14725.
Comment 43 Noel Power 2021-11-09 16:22:50 UTC
Created attachment 16981 [details]
backport for 3.6
Comment 44 Samba QA Contact 2021-11-09 18:11:27 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.2):

ecfa1fb325460e99885d320ff4501cf685585743
670abaacb5217720bf60f5cc78c9ab0f6ee21512
Comment 45 Samba QA Contact 2021-11-09 18:14:24 UTC
This bug was referenced in samba v4-14-stable (Release samba-4.14.10):

d1cf8259c52bdef83ed8db19ea0698341ae94468
279f057f23ddff2a3d43eacccb041d55a3208544
Comment 46 Samba QA Contact 2021-11-09 18:15:04 UTC
This bug was referenced in samba v4-13-stable (Release samba-4.13.14):

4290223ed40183e5f01c25da00df438b9ccf302a
721e40dd379a85e153c31b294d1054eeb3718aa0
Comment 47 Samba QA Contact 2021-11-09 18:43:59 UTC
This bug was referenced in samba v4-14-test:

d1cf8259c52bdef83ed8db19ea0698341ae94468
279f057f23ddff2a3d43eacccb041d55a3208544
Comment 48 Andrew Bartlett 2021-11-09 19:01:11 UTC
The releases are made, removing [EMBARGOED] tag.  The vendor-only restriction will be removed soon once the dust settles.
Comment 49 Samba QA Contact 2021-11-09 19:01:35 UTC
This bug was referenced in samba v4-13-test:

4290223ed40183e5f01c25da00df438b9ccf302a
721e40dd379a85e153c31b294d1054eeb3718aa0
Comment 50 Samba QA Contact 2021-11-09 19:18:36 UTC
This bug was referenced in samba v4-15-test:

ecfa1fb325460e99885d320ff4501cf685585743
670abaacb5217720bf60f5cc78c9ab0f6ee21512
Comment 51 Samba QA Contact 2021-11-09 20:38:05 UTC
This bug was referenced in samba master:

93dad333a22a3b46217072333491b87621db01f5
c17f4256e53229bd100f7bdcbc77620a64446326
Comment 52 Andrew Bartlett 2021-11-09 20:54:55 UTC
The patches addressing this issue have been pushed to master and security releases made.
Comment 53 Andrew Bartlett 2021-11-09 21:12:33 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.  

These are the "other issues" part of the big release we just made, the remainder are private for a little longer.

If you wish to continue to be informed about any changes here please CC individually.