==================================================================
== Subject:     NETLOGON Spoofing Vulnerability.
==
== CVE ID#:     CVE-2016-2111
==
== Versions:    Samba 3.0.0 to 4.4.0
==
== Summary:     When Samba is configured as Domain Controller it allows remote
==              attackers to spoof the computer name of a secure channel's
==              endpoints, and obtain sensitive session information, by running a
==              crafted application and leveraging the ability to sniff network
==              traffic.
==
==================================================================

===========
Description
===========

It's basically the same as CVE-2015-0005 for Windows:

The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server
2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain
Controller is configured, allows remote attackers to spoof the computer
name of a secure channel's endpoint, and obtain sensitive session
information, by running a crafted application and leveraging the ability
to sniff network traffic, aka "NETLOGON Spoofing Vulnerability".

The vulnerability in Samba is worse as it doesn't require credentials of
a computer account in the domain.

This only applies to Samba running as classic primary domain controller,
classic backup domain controller or active directory domain controller.

The security patches introduce a new option called "raw NTLMv2 auth"
("yes" or "no") for the [global] section in smb.conf. Samba (the smbd
process) will reject clients using raw NTLMv2 without NTLMSSP.

Note that this option also applies to Samba running as standalone server
and member server.

You should also consider using "lanman auth = no" (which is already the
default) and "ntlm auth = no". Have a look at the smb.conf manpage for
further details, as these settings might impact compatibility with older
clients. They also apply to all server roles.

===================
New smb.conf option
===================

raw NTLMv2 auth (G)

  This parameter determines whether or not smbd(8) will allow SMB1
  clients without extended security (without SPNEGO) to use NTLMv2
  authentication.

  If this option, lanman auth and ntlm auth are all disabled, then only
  clients with SPNEGO support will be permitted. That means NTLMv2 is
  only supported within NTLMSSP.

  Default: raw NTLMv2 auth = no

================
Behavior changes
================

The following constraints are applied to SMB1 connections:

- "client lanman auth = yes" is now consistently required for
  authenticated connections using the SMB1 LANMAN2 dialect.

- "client ntlmv2 auth = yes" and "client use spnego = yes" (both the
  default values) require extended security (SPNEGO) support from the
  server. That means NTLMv2 is only used within NTLMSSP.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as security
releases to correct the defect. Samba vendors and administrators running
affected versions are advised to upgrade or apply the patch as soon as
possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to
vendors, but had a regression, which is fixed in 4.4.2, 4.3.8 and
4.2.11.

==========
Workaround
==========

None.

=======
Credits
=======

This vulnerability was discovered and researched by Alberto Solino from
Core Security, who reported it only against Windows as CVE-2015-0005.

Stefan Metzmacher of SerNet (https://samba.plus), in collaboration with
the Samba Team (https://www.samba.org), provided the fixes.
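As an added example (not part of the advisory or of Samba), the following script audits the [global] section of an smb.conf for the three server-side settings the advisory discusses: "raw NTLMv2 auth", "lanman auth" and "ntlm auth". Defaults for the first two are taken from the advisory; the advisory gives no default for "ntlm auth", so an absent value is reported as unset rather than assumed safe. The sample configurations are constructed.

```python
import re

# (display name, recommended value, assumed default when absent).
# Defaults for "raw NTLMv2 auth" and "lanman auth" come from the advisory;
# "ntlm auth" has no stated default here, so None means "report if unset".
RECOMMENDED = {
    "rawntlmv2auth": ("raw NTLMv2 auth", "no", "no"),
    "lanmanauth":    ("lanman auth",     "no", "no"),
    "ntlmauth":      ("ntlm auth",       "no", None),
}

# smb.conf accepts several spellings for booleans; fold them to yes/no.
BOOL_SYNONYMS = {"yes": "yes", "true": "yes", "1": "yes",
                 "no": "no", "false": "no", "0": "no"}

def _normalize(name: str) -> str:
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text: str) -> dict:
    """Return the parameters of the [global] section, names normalized."""
    params, in_global = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            value = value.strip().lower()
            params[_normalize(key)] = BOOL_SYNONYMS.get(value, value)
    return params

def audit(text: str) -> list:
    """List settings whose effective value deviates from the advisory's advice."""
    params, findings = parse_global(text), []
    for key, (display, want, default) in RECOMMENDED.items():
        value = params.get(key, default)
        if value is None:
            findings.append(f"{display}: not set; recommended '{want}'")
        elif value != want:
            findings.append(f"{display} = {value}; recommended '{want}'")
    return findings

# Constructed sample configurations: a weak one and a hardened one.
WEAK_CONF = "[global]\n   workgroup = EXAMPLE\n   server role = classic primary domain controller\n   raw NTLMv2 auth = TRUE\n   lanman auth = yes\n"
HARDENED_CONF = "[global]\n   workgroup = EXAMPLE\n   server role = classic primary domain controller\n   raw NTLMv2 auth = no\n   lanman auth = no\n   ntlm auth = no\n"

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["OK"])
```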