Bug 15397 (CVE-2023-3347) - [SECURITY] CVE-2023-3347: Samba doesn't require SMB2+ signing if `server signing = mandatory` is set.
Status: RESOLVED FIXED
Alias: CVE-2023-3347
Product: Samba 4.1 and newer
Classification: Unclassified
Component: File services
Version: unspecified
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Ralph Böhme
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15396
Reported: 2023-06-16 15:41 UTC by Andreas Schneider
Modified: 2023-07-28 12:17 UTC (History)

See Also:


Attachments
proposed patch (1.18 KB, patch)
2023-06-16 15:44 UTC, Andreas Schneider
no flags Details
Possible WIP patch for master with test (10.06 KB, patch)
2023-06-20 16:21 UTC, Ralph Böhme
no flags Details
Possible WIP patch for master with test (10.56 KB, patch)
2023-06-20 16:55 UTC, Ralph Böhme
no flags Details
Possible WIP patch for master with test (10.56 KB, patch)
2023-06-20 17:01 UTC, Ralph Böhme
no flags Details
Patch for master (15.09 KB, patch)
2023-06-21 14:35 UTC, Ralph Böhme
metze: review+
jra: review+
slow: ci-passed+
Details
Advisory v1 (2.22 KB, text/plain)
2023-06-23 06:16 UTC, Ralph Böhme
metze: review+
Details
Patch for 4.18 (15.10 KB, patch)
2023-06-23 14:23 UTC, Ralph Böhme
metze: review+
jra: review+
slow: ci-passed+
Details
Patch for 4.17 (15.10 KB, patch)
2023-06-23 14:23 UTC, Ralph Böhme
metze: review+
jra: review+
slow: ci-passed+
Details
Advisory v2 (2.38 KB, text/plain)
2023-06-29 08:41 UTC, Ralph Böhme
slow: review? (metze)
jra: review+
Details

Description Andreas Schneider 2023-06-16 15:41:32 UTC

    
Comment 1 Andreas Schneider 2023-06-16 15:43:36 UTC
[global]
    workgroup = SAMBA
    security = user

    passdb backend = tdbsam

    printing = cups
    printcap name = cups
    load printers = yes
    cups options = raw

    server signing = mandatory
    server max protocol = SMB3
    server min protocol = SMB3

# nmap --script smb2-security-mode.nse -p445 127.0.0.1
Starting Nmap 7.91 ( https://nmap.org ) at 2023-06-13 03:41 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000046s latency).

PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb2-security-mode: 
|   3.11: 
|_    Message signing enabled but not required
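The nmap output above is derived from the SecurityMode field of the server's SMB2 NEGOTIATE response (MS-SMB2 2.2.4): "enabled but not required" means bit 0x0001 is set and bit 0x0002 (SIGNING_REQUIRED) is not, which is what a Samba 4.17/4.18 server with `server signing = mandatory` advertised before the fix. The following is an added example, not Samba code and not the nmap script: it sends a raw SMB2 NEGOTIATE (dialects 2.0.2 through 3.1.1, with the pre-auth integrity context that 3.1.1 requires) and reports the two signing bits. The function names (build_negotiate_request, parse_security_mode, probe, sample_response) and the sample response bytes are this example's own; sample_response constructs a response in memory so the parser can be exercised without a server.

```python
"""Probe an SMB2/3 server for the SIGNING_REQUIRED flag in its NEGOTIATE response.

Added example for the bug above; it is not Samba code and not the nmap script.
All function names and the constructed sample bytes are this example's own.
"""
import os
import socket
import struct

# MS-SMB2 2.2.4: SecurityMode bits of the NEGOTIATE response.
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002
SMB2_NEGOTIATE = 0x0000
# Dialects offered; 0x0311 (SMB 3.1.1) requires a pre-auth integrity context.
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302, 0x0311)
SMB2_HEADER = '<4sHHIHHIIQIIQ16s'  # ProtocolId .. Signature, 64 bytes


def build_negotiate_request() -> bytes:
    """Return a NetBIOS-framed SMB2 NEGOTIATE request offering all DIALECTS."""
    header = struct.pack(SMB2_HEADER, b'\xfeSMB', 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, bytes(16))
    dialects = b''.join(struct.pack('<H', d) for d in DIALECTS)
    # Negotiate contexts start on an 8-byte boundary after the 36-byte fixed part.
    ctx_offset = 64 + 36 + len(dialects)
    pad = (-ctx_offset) % 8
    ctx_offset += pad
    # SMB2_PREAUTH_INTEGRITY_CAPABILITIES (type 1): one algorithm (SHA-512), 32-byte salt.
    salt = os.urandom(32)
    ctx_data = struct.pack('<HHH', 1, len(salt), 0x0001) + salt
    context = struct.pack('<HHI', 0x0001, len(ctx_data), 0) + ctx_data
    body = struct.pack('<HHHHI16sIHH', 36, len(DIALECTS),
                       SMB2_NEGOTIATE_SIGNING_ENABLED, 0, 0, os.urandom(16),
                       ctx_offset, 1, 0)
    msg = header + body + dialects + bytes(pad) + context
    return b'\x00' + len(msg).to_bytes(3, 'big') + msg


def parse_security_mode(msg: bytes) -> dict:
    """Decode SecurityMode/DialectRevision from an SMB2 message (NetBIOS header stripped)."""
    if len(msg) < 64 + 6 or msg[:4] != b'\xfeSMB':
        raise ValueError('not an SMB2 message')
    status, command = struct.unpack_from('<IH', msg, 8)
    if command != SMB2_NEGOTIATE or status != 0:
        # e.g. STATUS_NOT_SUPPORTED when 'server min protocol' excludes every offered dialect
        raise ValueError(f'command 0x{command:04x} status 0x{status:08x}')
    structure_size, security_mode, dialect = struct.unpack_from('<HHH', msg, 64)
    if structure_size != 65:
        raise ValueError(f'bad NEGOTIATE response StructureSize {structure_size}')
    return {
        'dialect': dialect,
        'signing_enabled': bool(security_mode & SMB2_NEGOTIATE_SIGNING_ENABLED),
        'signing_required': bool(security_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED),
    }


def sample_response(security_mode: int, dialect: int = 0x0311) -> bytes:
    """Constructed NEGOTIATE response (not captured from a real server) for offline tests."""
    header = struct.pack(SMB2_HEADER, b'\xfeSMB', 64, 1, 0, SMB2_NEGOTIATE,
                         1, 0x1, 0, 0, 0, 0, 0, bytes(16))  # Flags 0x1 = SERVER_TO_REDIR
    body = struct.pack('<HHHH16sIIIIQQHHI', 65, security_mode, dialect, 0,
                       bytes(16), 0, 0x800000, 0x800000, 0x800000, 0, 0, 128, 0, 0)
    return header + body + b'\x00'


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('connection closed mid-message')
        buf += chunk
    return buf


def probe(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Negotiate with host:port and return the advertised signing bits."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_negotiate_request())
        nb = _recv_exact(s, 4)                       # NetBIOS session header
        msg = _recv_exact(s, int.from_bytes(nb[1:], 'big'))
    return parse_security_mode(msg)


if __name__ == '__main__':
    import sys
    info = probe(sys.argv[1] if len(sys.argv) > 1 else '127.0.0.1')
    verdict = 'required' if info['signing_required'] else 'enabled but NOT required'
    print(f"dialect 0x{info['dialect']:04x}: message signing {verdict}")
```

Run as `python3 smb2_signing_probe.py 127.0.0.1` (the file name is arbitrary). A fixed server with `server signing = mandatory` answers with SecurityMode 0x0003; an affected 4.17/4.18 server answers 0x0001. Note that this only checks what the server advertises; it does not authenticate and then send an unsigned request to confirm the ACCESS_DENIED behaviour described later in this bug.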
Comment 2 Andreas Schneider 2023-06-16 15:44:21 UTC
Created attachment 17925 [details]
proposed patch
Comment 3 Jeremy Allison 2023-06-16 15:49:36 UTC
Comment on attachment 17925 [details]
proposed patch

Oh, I'm so sorry, this one was my fault :-(.
Comment 4 Andreas Schneider 2023-06-16 20:06:46 UTC
We should have a test for this. As smbd is not my area of expertise it would be nice if someone could add one. The ktest env has `server signing = required` set.
Comment 5 Andreas Schneider 2023-06-20 16:16:28 UTC
Ralph is working on a test. Thanks! :-)
Comment 6 Ralph Böhme 2023-06-20 16:21:24 UTC
Created attachment 17929 [details]
Possible WIP patch for master with test
Comment 7 Ralph Böhme 2023-06-20 16:23:37 UTC
By chance, can anyone write a CVE advisory text?
Comment 8 Ralph Böhme 2023-06-20 16:55:55 UTC
Created attachment 17930 [details]
Possible WIP patch for master with test

Previous version forgot to pass the lp_ctx arg to smb1_srv_init_signing() in the last commit.
Comment 9 Ralph Böhme 2023-06-20 17:01:32 UTC
Created attachment 17931 [details]
Possible WIP patch for master with test

Wrong order of args this time...
Comment 10 Ralph Böhme 2023-06-21 14:35:33 UTC
Created attachment 17934 [details]
Patch for master

Final patch for master, at least until review proves me wrong. :) Please review. Thanks!
Comment 11 Jeremy Allison 2023-06-22 00:20:32 UTC
Comment on attachment 17934 [details]
Patch for master

LGTM. But as I was the person who introduced the original bug, please take my RB+ with a *big* grain of salt :-(. I'll be much happier when Metze has looked it over too.
Comment 12 Ralph Böhme 2023-06-23 06:13:10 UTC
I rate this as

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N (6.8)
Comment 13 Ralph Böhme 2023-06-23 06:16:13 UTC
Created attachment 17938 [details]
Advisory v1

First draft for a CVE advisory. This is probably not ideal but it may serve as a starting point we can improve upon.
Comment 14 Ralph Böhme 2023-06-23 14:23:20 UTC
Created attachment 17947 [details]
Patch for 4.18
Comment 15 Ralph Böhme 2023-06-23 14:23:49 UTC
Created attachment 17948 [details]
Patch for 4.17
Comment 16 Jeremy Allison 2023-06-27 18:16:44 UTC
Comment on attachment 17938 [details]
Advisory v1

Just to make it very clear, I think the "Summary:" text should also be repeated in the "Description:" section also.

I know it's duplication, but it means both sections describe the problem fully.
Comment 18 Andreas Schneider 2023-06-29 08:31:42 UTC
"SMB2 signing packet signing is a mechanism ..."


One "signing" too many?
Comment 19 Ralph Böhme 2023-06-29 08:41:00 UTC
Created attachment 17964 [details]
Advisory v2

Copied summary to description. In the description removed an erroneous duplicate "signing" at the beginning of the first (now second) paragraph.
Comment 20 Jeremy Allison 2023-06-29 16:01:06 UTC
Comment on attachment 17964 [details]
Advisory v2

Much better, thanks!
Comment 21 Ralph Böhme 2023-07-07 14:27:24 UTC
Proposed release date for this CVE is the 19th of July.
Comment 22 Andreas Schneider 2023-07-18 19:03:38 UTC
I can also reproduce the issue with Samba 4.10. Will investigate tomorrow ...
Comment 23 rfrohl 2023-07-19 08:29:39 UTC
As the embargo is about to lift today, could someone comment on the above?

I thought smb2 signing was added with 4.17.0 and therefore explained this part of the advisory:

> Versions:    All versions starting with 4.17.0
Comment 24 Ralph Böhme 2023-07-19 08:40:40 UTC
(In reply to rfrohl from comment #23)
SMB2 signing is available since – I don't know, very long – it was just broken by a regression in 4.17.
Comment 25 rfrohl 2023-07-19 08:53:33 UTC
(In reply to Ralph Böhme from comment #24)
So in theory it did not work before 4.17 because of the regression and earlier versions would not need the fix for this issue. As it would need the regression fix on top to make the feature work?

Meaning the affected version from the advisory are likely correct ?
Comment 26 Ralph Böhme 2023-07-19 10:42:27 UTC
(In reply to rfrohl from comment #25)
Sorry, but I can't figure out what you're trying to say. Let me try to rephrase it: it worked in version 4.16 and earlier, it is broken in 4.17 and 4.18.
Comment 27 rfrohl 2023-07-19 10:49:38 UTC
(In reply to Ralph Böhme from comment #26)
sorry, maybe made it a bit too complicated: I was trying to ask if the fix might be also needed for 4.16 and earlier.
Comment 28 Ralph Böhme 2023-07-19 10:55:36 UTC
(In reply to rfrohl from comment #27)
No, it's not needed.
Comment 29 rfrohl 2023-07-19 10:58:54 UTC
(In reply to Ralph Böhme from comment #28)
thank you for the confirmation and sorry about all the back and forth
Comment 30 Ralph Böhme 2023-07-19 11:34:12 UTC
(In reply to Andreas Schneider from comment #22)
> I can also reproduce the issue with Samba 4.10. Will investigate tomorrow ...

works for me. When I set "server signing = mandatory" the server sets the signing required flag in the SMB2-NEGPROT response and subsequently rejects unsigned packets with ACCESS_DENIED.
Comment 31 Jule Anger 2023-07-19 14:25:09 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 32 Samba QA Contact 2023-07-19 14:31:12 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.10):

e67b7e5f88ea29670009eef6a69e3f60ebed3517
e96d5002fc10b3e74c7ed90f8cf7cf234a06a3d1
95cec0dfa2410e667551a1faaef08c8cd2a80074
a22fcb689187a7b1fa20d008026c91283e222390
6c1128b11842d60e3ebd9ee1b5cefcfd99629ba5
Comment 33 Samba QA Contact 2023-07-19 14:31:50 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.5):

69cbb0414a3e44c7c3c2c798ab5a39e18a1633ce
5f39da852762ee0106d6a51e2ab533876533ec39
6be7bd40f0afb0fc5dd53f89120b867a72dd484f
24157fb3be56ba88eb581e5c559a11887a486e82
0815d4019378dffc8e8e993b6a42a18425937a50
Comment 34 Samba QA Contact 2023-07-19 15:00:18 UTC
This bug was referenced in samba v4-17-test:

e67b7e5f88ea29670009eef6a69e3f60ebed3517
e96d5002fc10b3e74c7ed90f8cf7cf234a06a3d1
95cec0dfa2410e667551a1faaef08c8cd2a80074
a22fcb689187a7b1fa20d008026c91283e222390
6c1128b11842d60e3ebd9ee1b5cefcfd99629ba5
Comment 35 Samba QA Contact 2023-07-19 15:08:14 UTC
This bug was referenced in samba v4-18-test:

69cbb0414a3e44c7c3c2c798ab5a39e18a1633ce
5f39da852762ee0106d6a51e2ab533876533ec39
6be7bd40f0afb0fc5dd53f89120b867a72dd484f
24157fb3be56ba88eb581e5c559a11887a486e82
0815d4019378dffc8e8e993b6a42a18425937a50
Comment 36 Samba QA Contact 2023-07-21 13:04:53 UTC
This bug was referenced in samba master:

a9a2b182df738fd283f820e162d189d20010ad63
1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a
59131d6c345864dcf1ed3331c52ce35ddc5db2dc
5a222ac37183ba5dd717d81c7e57f78e59695a67
9bab902fc50f88869b253c4089d83b3e33a1075a
Comment 37 Jule Anger 2023-07-21 15:01:05 UTC
Pushed to all branches.
Closing out bug report.
Thanks!
Comment 38 Samba QA Contact 2023-07-28 12:14:20 UTC
This bug was referenced in samba v4-19-test:

a9a2b182df738fd283f820e162d189d20010ad63
1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a
59131d6c345864dcf1ed3331c52ce35ddc5db2dc
5a222ac37183ba5dd717d81c7e57f78e59695a67
9bab902fc50f88869b253c4089d83b3e33a1075a
Comment 39 Samba QA Contact 2023-07-28 12:17:18 UTC
This bug was referenced in samba v4-19-stable (Release samba-4.19.0rc1):

a9a2b182df738fd283f820e162d189d20010ad63
1662eeeb7a6fc1b955fc0f7f52c7546ba3ac442a
59131d6c345864dcf1ed3331c52ce35ddc5db2dc
5a222ac37183ba5dd717d81c7e57f78e59695a67
9bab902fc50f88869b253c4089d83b3e33a1075a