CVE-2016-2111.html:

==================================================================
== Subject:     NETLOGON Spoofing Vulnerability.
==
== CVE ID#:     CVE-2016-2111
==
== Versions:    Samba 3.0.0 to 4.4.0
==
== Summary:     When Samba is configured as Domain Controller it allows remote
==              attackers to spoof the computer name of a secure channel's
==              endpoints, and obtain sensitive session information, by running a
==              crafted application and leveraging the ability to sniff network
==              traffic.
==
=================================================================

===========
Description
===========

It's basically the same as CVE-2015-0005 for Windows:

  The NETLOGON service in Microsoft Windows Server 2003 SP2,
  Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
  and R2, when a Domain Controller is configured, allows remote
  attackers to spoof the computer name of a secure channel's
  endpoint, and obtain sensitive session information, by running a
  crafted application and leveraging the ability to sniff network
  traffic, aka "NETLOGON Spoofing Vulnerability".

The vulnerability in Samba is worse as it doesn't require
credentials of a computer account in the domain.

This only applies to Samba running as classic primary domain controller,
classic backup domain controller or active directory domain controller.

The security patches introduce a new option called "raw NTLMv2 auth"
("yes" or "no") for the [global] section in smb.conf.
Samba (the smbd process) will reject client using raw NTLMv2
without using NTLMSSP.

Note that this option also applies to Samba running as
standalone server and member server.

You should also consider using "lanman auth = no" (which is already the default)
and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
as they might impact compatibility with older clients. These also
apply for all server roles.

===================
New smb.conf option
===================

  raw NTLMv2 auth (G)

    This parameter determines whether or not smbd(8) will allow SMB1 clients
    without extended security (without SPNEGO) to use NTLMv2 authentication.

    If this option, lanman auth and ntlm auth are all disabled, then only
    clients with SPNEGO support will be permitted. That means NTLMv2 is only
    supported within NTLMSSP.

    Default: raw NTLMv2 auth = no

================
Behavior changes
================

  The following constraints are applied to SMB1 connections:

  - "client lanman auth = yes" is now consistently
    required for authenticated connections using the
    SMB1 LANMAN2 dialect.
  - "client ntlmv2 auth = yes" and "client use spnego = yes"
    (both the default values), require extended security (SPNEGO)
    support from the server. That means NTLMv2 is only used within
    NTLMSSP.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.

==========
Workaround
==========

None.

=======
Credits
=======

This vulnerability was discovered and researched by Alberto Solino from Core
Security, but only reported it against Windows as CVE-2015-0005.

Stefan Metzmacher of SerNet (https://samba.plus) and the Samba Team
(https://www.samba.org) provides the fixes in collaboration with the Samba Team.