CVE-2016-2115.html:

==================================================================================
== Subject:     SMB client connections for IPC traffic are not integrity protected
==
== CVE ID#:     CVE-2016-2115
==
== Versions:    Samba 3.0.0 to 4.4.0
==
== Summary:     The protection of DCERPC communication over ncacn_np
==              (which is the default for most the file server related protocols)
==              is inherited from the underlying SMB connection.
==              Samba doesn't enforce SMB signing for this kind of
==              SMB connections by default, which makes man in the middle
==              attacks possible.
==
=================================================================================

===========
Description
===========

Samba has an option called "client signing", this is turned off by default
for performance reasons on file transfers.

This option is also used when using DCERPC with ncacn_np.

In order to get integrity protection for ipc related communication
by default the "client ipc signing" option is introduced.
The effective default for this new option is "mandatory".

In order to be compatible with more SMB server implementations,
the following additional options are introduced:
"client ipc min protocol" ("NT1" by default) and
"client ipc max protocol" (the highest support SMB2/3 dialect by default).
These options overwrite the "client min protocol" and "client max protocol"
options, because the default for "client max protocol" is still "NT1".
The reason for this is the fact that all SMB2/3 support SMB signing,
while there are still SMB1 implementations which don't offer SMB signing
by default (this includes Samba versions before 4.0.0).

Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
against active directory domain controllers despite of the
"client signing" and "client ipc signing" options.

===================
New smb.conf option
===================

  client ipc signing (G)

    This controls whether the client is allowed or required to use
    SMB signing for IPC$ connections as DCERPC transport. Possible
    values are auto, mandatory and disabled.

    When set to mandatory or default, SMB signing is required.

    When set to auto, SMB signing is offered, but not enforced and
    if set to disabled, SMB signing is not offered either.

    Connections from winbindd to Active Directory Domain Controllers
    always enforce signing.

    Default: client ipc signing = default

  client ipc max protocol (G)

    The value of the parameter (a string) is the highest protocol level that will
    be supported for IPC$ connections as DCERPC transport.

    Normally this option should not be set as the automatic negotiation phase
    in the SMB protocol takes care of choosing the appropriate protocol.

    The value default refers to the latest supported protocol, currently SMB3_11.

    See client max protocol for a full list of available protocols.
    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

    Default: client ipc max protocol = default

    Example: client ipc max protocol = SMB2_10

  client ipc min protocol (G)

    This setting controls the minimum protocol version that the will be
    attempted to use for IPC$ connections as DCERPC transport.

    Normally this option should not be set as the automatic negotiation phase
    in the SMB protocol takes care of choosing the appropriate protocol.

    The value default refers to the higher value of NT1 and the
    effective value of "client min protocol".

    See client max protocol for a full list of available protocols.
    The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.

    Default: client ipc min protocol = default

    Example: client ipc min protocol = SMB3_11

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.

==========
Workaround
==========

An explicit "client signing = mandatory" in the [global].

=======
Credits
=======

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.