==================================================================== CERT-Renater Note d'Information No. 2017/VULN263 _____________________________________________________________________ DATE : 20/09/2017 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Samba versions prior to 4.6.8, 4.5.14, 4.4.16. ===================================================================== https://www.samba.org/samba/security/CVE-2017-12150.html https://www.samba.org/samba/security/CVE-2017-12151.html https://www.samba.org/samba/security/CVE-2017-12163.html ____________________________________________________________________ CVE-2017-12150.html: =============================================================================== == Subject: SMB1/2/3 connections may not require signing where they should == == CVE ID#: CVE-2017-12150 == == Versions: Samba 3.0.25 to 4.6.7 == == Summary: A man in the middle attack may hijack client connections. == =============================================================================== =========== Description =========== There are several code paths where the code doesn't enforce SMB signing: * The fixes for CVE-2015-5296 didn't apply the implied signing protection when enforcing encryption for commands like 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e'. * The python binding exported as 'samba.samba3.libsmb_samba_internal' doesn't make use of the "client signing" smb.conf option. * libgpo as well as 'net ads gpo' doesn't require SMB signing when fetching group policies. * Commandline tools like 'smbclient', 'smbcacls' and 'smbcquotas' allow a fallback to an anonymous connection when using the '--use-ccache' option and this happens even if SMB signing is required. ================== Patch Availability ================== A patch addressing this defect has been posted to https://www.samba.org/samba/security/ Additionally 4.6.8, 4.5.14 and 4.4.16 have been issued as security releases to correct the defect. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== The missing implied signing for 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e' can be enforced by explicitly using '--signing=required' on the commandline or "client signing = required" in smb.conf. ======= Credits ======= This vulnerability was discovered and researched by Stefan Metzmacher of SerNet (https://samba.plus) and the Samba Team (https://www.samba.org), who also provides the fixes. ____________________________________________________________________ CVE-2017-12151.html: =============================================================================== == Subject: SMB3 connections don't keep encryption across DFS redirects == == CVE ID#: CVE-2017-12151 == == Versions: Samba 4.1.0 to 4.6.7 == == Summary: A man in the middle attack can read and may alter confidential == documents transferred via a client connection, which are reached == via DFS redirect when the original connection used SMB3. == ================================================================================ =========== Description =========== Client command line tools like 'smbclient' as well as applications using 'libsmbclient' library have support for requiring encryption. This is activated by the '-e|--encrypt' command line option or the smbc_setOptionSmbEncryptionLevel() library call. By default, only SMB1 is used in order to connect to a server, as the effective default for "client max protocol" smb.conf option as well for the "-m|--max-protocol=" command line option is "NT1". If the original client connection used encryption, following DFS redirects to another server should also enforce encryption. This is important as these redirects are transparent to the application. In the case where "SMB3", "SMB3_00", "SMB3_02", "SMB3_10" or "SMB3_11" was used as max protocol and a connection actually made use of the SMB3 encryption, any redirected connection would lose the requirement for encryption and also the requirement for signing. That means, a man in the middle could read and/or alter the content of the connection. ================== Patch Availability ================== A patch addressing this defect has been posted to https://www.samba.org/samba/security/ Additionally, Samba 4.6.8, 4.5.14 and 4.4.16 have been issued as security releases to correct the defect. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== Keep the default of "client max protocol = NT1". ======= Credits ======= This vulnerability was discovered and researched by Stefan Metzmacher of SerNet (https://samba.plus) and the Samba Team (https://www.samba.org), who also provides the fixes. ____________________________________________________________________ CVE-2017-12163.html: ==================================================================== == Subject: Server memory information leak over SMB1 == == CVE ID#: CVE-2017-12163 == == Versions: All versions of Samba. == == Summary: Client with write access to a share can cause == server memory contents to be written into a file == or printer. == ==================================================================== =========== Description =========== All versions of Samba are vulnerable to a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be written into the file (or printer) instead of client supplied data. The client cannot control the area of the server memory that is written to the file (or printer). ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.6.8, 4.5.14 and 4.4.16 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========== Workaround ========== As this is an SMB1-only vulnerability, it can be avoided by setting the server to only use SMB2 via adding: server min protocol = SMB2_02 to the [global] section of your smb.conf and restarting smbd. ======= Credits ======= This problem was reported by Yihan Lian and Zhibin Hu, security researchers with Qihoo 360 GearTeam. Stefan Metzmacher of SerNet and the Samba Team and Jeremy Allison of Google and the Samba Team provided the fix. ========================================================== + CERT-RENATER | tel : 01-53-94-20-44 + + 23 - 25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email: cert@support.renater.fr + ==========================================================