== Subject:     Weak authentication protocol allowed.
== CVE ID#:     CVE-2018-1139
== Versions:    Samba 4.7.0 - 4.8.3 (inclusive)
== Summary:     Samba 4.7 and 4.8 are affected by a vulnerability
==              that allows authentication via NTLMv1 even if disabled.


Samba releases 4.7.0 to 4.8.3 (inclusive) contain an error which
allows authentication using NTLMv1 over an SMB1 transport (either
directory or via NETLOGON SamLogon calls from a member server), even
when NTLMv1 is explicitly disabled on the server.

Normally, the use of NTLMv1 is disabled by default in favor of NTLMv2.
This has been the default since Samba 4.5. A code restructuring in the
NTLM authentication implementation of Samba in 4.7.0 caused this
regression to occur.

Additionally, it is the responsbility of the client to send the
strongest authentication hash possible.  The server-side restrictions
primarily aid in ensuring consistent client policy.

Because by default clients using SMB2 or SMB1 when SPNEGO or NTLMSSP
is in use will chose a more recent authentication dialect (at least
so-called NTLM2 session security, and typically NTLMv2), this
oversight impacts only extreme mis-configurations or legacy clients
on early dialects of SMB1.

Patch Availability

Patches addressing this issue have been posted to:

Samba versions 4.7.9 and 4.8.4 have been released with fixes for
this issue.




This vulnerability was found by Vivek Das <> from Red
Hat and was fixed by Stefan Metzmacher of SerNet and the Samba team
and Andrew Bartlett of Catalyst and the Samba team.