===========================================================
== Subject:     Samba client requesting encryption vulnerable
==              to downgrade attack.
==
== CVE ID#:     CVE-2015-5296
==
== Versions:    Samba versions 3.2.0 to 4.3.2
==
== Summary:     Requesting encryption should also request
==              signing when setting up the connection to
==              protect against man-in-the-middle attacks.
==
===========================================================

===========
Description
===========

Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to
a server.

Without signing, a man-in-the-middle attacker can downgrade the
connection and, using the supplied credentials, connect as an
unsigned, unencrypted session. Encryption that is merely "desired"
by the client therefore does not protect the data or the credentials
against an attacker who sits on the path and strips the encryption
request during negotiation.

==================
Patch Availability
==================

Patches addressing this defect have been posted to

    https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

===========
Workarounds
===========

When using the smbclient command, always add the argument
"--signing=required" when using the "-e" or "--encrypt" argument.

Alternatively, set the variable "client signing = mandatory" in the
[global] section of the smb.conf file on any client using encrypted
connections.

To protect a Samba server exporting encrypted shares against a
downgrade attack, set the variable "smb encrypt = mandatory" in the
smb.conf definition of the encrypted shares. A share whose "smb
encrypt" is left at a non-mandatory value will still accept an
unencrypted, unsigned session from a downgraded client.

=======
Credits
=======

This problem was found by Stefan Metzmacher <metze@samba.org> of
SerNet (www.sernet.com) and the Samba Team, who also provided the fix.
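The following is an added example, not part of the Samba advisory or of the Samba project's own tooling: a small POSIX shell/awk audit that reads an smb.conf and reports whether the two workaround settings named above are actually in force. The sample configuration embedded in it is constructed for the example and deliberately mixes a weak client setting ("client signing = auto") and a weak share ("smb encrypt = desired") with a correctly hardened share, so the output shows the weak setting beside the corrected one. The function name audit_smb_conf and the "WEAK"/"OK"/"NOTE" output format are this example's own conventions; treating "required" as a synonym of "mandatory" is an assumption based on later smb.conf(5) releases, not something stated in the advisory.

```shell
#!/bin/sh
# Added example (not from the Samba advisory): audit an smb.conf for the
# CVE-2015-5296 workaround settings.
#   [global] client signing = mandatory   (client side)
#   [share]  smb encrypt    = mandatory   (server side, per encrypted share)

# Constructed sample smb.conf for this example; not a real deployment.
SAMPLE_CONF=$(cat <<'EOF'
[global]
   workgroup = EXAMPLE
   server role = standalone server
   client signing = auto        ; weak: attacker can strip signing

[secure]
   path = /srv/secure
   smb encrypt = desired        ; weak: downgrade to plaintext still accepted

[hardened]
   path = /srv/hardened
   smb encrypt = mandatory      # correct per the advisory

[public]
   path = /srv/public
EOF
)

# audit_smb_conf: read smb.conf text on stdin, print one finding per line.
# Exit status 1 if any weak setting was found, 0 otherwise.
audit_smb_conf() {
    awk '
    function strong(v) { return (v == "mandatory" || v == "required") }  # "required": assumed alias
    BEGIN { section = ""; nsec = 0; weak = 0 }
    {
        line = $0
        sub(/[;#].*/, "", line)              # drop ; and # comments
        gsub(/^[ \t]+|[ \t]+$/, "", line)    # trim surrounding whitespace
        if (line == "") next
        if (line ~ /^\[.*\]$/) {             # section header
            section = tolower(substr(line, 2, length(line) - 2))
            if (!(section in seen)) { seen[section] = 1; order[++nsec] = section }
            next
        }
        n = index(line, "=")
        if (n == 0) next
        key = tolower(substr(line, 1, n - 1)); val = tolower(substr(line, n + 1))
        gsub(/[ \t]+$/, "", key); gsub(/^[ \t]+/, "", val)
        settings[section, key] = val         # later duplicates win, as in Samba
    }
    END {
        cs = (("global", "client signing") in settings) ? settings["global", "client signing"] : "(unset)"
        if (strong(cs)) print "OK: [global] client signing = " cs
        else { print "WEAK: [global] client signing = " cs " (want mandatory)"; weak = 1 }
        for (i = 1; i <= nsec; i++) {
            s = order[i]
            if (s == "global") continue
            if ((s, "smb encrypt") in settings) {
                v = settings[s, "smb encrypt"]
                if (strong(v)) print "OK: [" s "] smb encrypt = " v
                else { print "WEAK: [" s "] smb encrypt = " v " (want mandatory)"; weak = 1 }
            } else {
                print "NOTE: [" s "] smb encrypt not set (inherits the [global] default)"
            }
        }
        exit weak
    }'
}

# Stand-alone run against the constructed sample; the "||" keeps a
# non-zero audit status from aborting a script run under "set -e".
printf '%s\n' "$SAMPLE_CONF" | audit_smb_conf || echo "audit: weak settings present (exit status $?)"
```

Run it as `audit_smb_conf < /etc/samba/smb.conf` on each client and server. The client-side check only covers tools that read smb.conf; an interactive smbclient invocation should still carry both flags, e.g. `smbclient --encrypt --signing=required //server/share -U user`, since a bare `-e` is exactly the case the advisory describes.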