===========================================================
== Subject:     Samba client requesting encryption vulnerable
==		to downgrade attack.
==
== CVE ID#:     CVE-2015-5296
==
== Versions:    Samba versions 3.2.0 to 4.3.2
==
== Summary:     Requesting encryption should also request
==		signing when setting up the connection to
==		protect against man-in-the-middle attacks.
==
===========================================================

===========
Description
===========

Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to
a server.

Without signing, a man-in-the-middle could strip the encryption request
during negotiation and have the client proceed, using the supplied
credentials, over an unsigned, unencrypted connection.

==================
Patch Availability
==================

Patches addressing this defect have been posted to

 https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 have been issued as
security releases to correct the defect.
Samba vendors and administrators running affected versions are
advised to upgrade or apply the patch as soon as possible.

===========
Workarounds
===========

When using the smbclient command, always add the argument
"--signing=required" when using the "-e" or "--encrypt" argument.

Alternatively, set the variable "client signing = mandatory" in the
[global] section of the smb.conf file on any client using encrypted
connections.

To protect a Samba server exporting encrypted shares against a
downgrade attack set the variable "smb encrypt = mandatory" in the
smb.conf definition of the encrypted shares.
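The client-side workaround above is easy to forget on an individual
invocation. The following POSIX shell wrapper is an added example (it is
not part of this advisory or of the Samba project): it inspects an
smbclient argument list, appends "--signing=required" whenever "-e" or
"--encrypt" is present, and refuses to run if the caller explicitly
asked for weaker signing alongside encryption. It assumes the smbclient
option spelling of the affected releases ("-e"/"--encrypt" and
"--signing=on|off|required"); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the advisory or the Samba project. Hardens
# smbclient invocations per the CVE-2015-5296 workaround: encryption
# without mandatory signing leaves the session open to a downgrade.

# smbclient_needs_signing ARGS...
#   prints "yes"  if -e/--encrypt is present and no --signing=required
#   prints "no"   if signing is already required, or no encryption asked
#   returns 2     if encryption is combined with --signing=<something else>
smbclient_needs_signing() {
    encrypt=no
    signing=""
    for arg in "$@"; do
        case "$arg" in
            -e|--encrypt) encrypt=yes ;;
            --signing=*)  signing="${arg#--signing=}" ;;
        esac
    done
    if [ "$encrypt" = yes ]; then
        case "$signing" in
            required) echo no ;;
            "")       echo yes ;;
            *) echo "refusing: --encrypt with --signing=$signing" >&2
               return 2 ;;
        esac
    else
        echo no
    fi
}

# harden_smbclient_args ARGS...
#   prints the argument list, one per line, with --signing=required
#   appended when smbclient_needs_signing says it is missing.
harden_smbclient_args() {
    needs=$(smbclient_needs_signing "$@") || return $?
    if [ "$needs" = yes ]; then
        set -- "$@" --signing=required
    fi
    printf '%s\n' "$@"
}

# safe_smbclient ARGS...
#   drop-in replacement for "smbclient ARGS..." that execs the real
#   binary with the hardened argument list.
safe_smbclient() {
    needs=$(smbclient_needs_signing "$@") || return $?
    [ "$needs" = yes ] && set -- "$@" --signing=required
    exec smbclient "$@"
}
```

Usage: source the file and call "safe_smbclient -e -U user //server/share"
instead of smbclient directly. Note that the wrapper only matches the
stand-alone "-e" form; a bundled short option such as "-Ne" is not
recognized and passes through unchanged, so keep encryption as its own
argument. The server-side "smb encrypt = mandatory" setting is still
needed, since a wrapper on one client does nothing for other clients.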

=======
Credits
=======

This problem was found by Stefan Metzmacher <metze@samba.org> of
SerNet (www.sernet.com) and the Samba Team, who also provided the
fix.