samba: Multiple security issues (CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118)

CVE-2015-5370: Multiple errors in DCE-RPC code.

Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not properly implement the DCE-RPC layer,
which allows remote attackers to perform protocol-downgrade attacks, cause a denial of service (application crash or CPU consumption),
or possibly execute arbitrary code on a client system via unspecified vectors.

References:

https://www.samba.org/samba/security/CVE-2015-5370.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5370

CVE-2016-2110: Man in the middle attacks possible with NTLMSSP

The NTLMSSP authentication implementation in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows man-in-the-middle
attackers to perform protocol-downgrade attacks by modifying the client-server data stream to remove application-layer flags or encryption settings,
as demonstrated by clearing the NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN option to disrupt LDAP security.

References:

https://www.samba.org/samba/security/CVE-2016-2110.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2110

CVE-2016-2111: NETLOGON Spoofing Vulnerability.

The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured,
allows remote attackers to spoof the computer name of a secure channel’s endpoint, and obtain sensitive session information, by running a crafted
application and leveraging the ability to sniff network traffic, a related issue to CVE-2015-0005.

References:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2111
https://www.samba.org/samba/security/CVE-2016-2111.html

CVE-2016-2112: The LDAP client and server don’t enforce integrity protection

The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize
the “client ldap sasl wrapping” setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream.

References:

https://www.samba.org/samba/security/CVE-2016-2112.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2112

CVE-2016-2113: Missing TLS certificate validation allows man in the middle attacks

Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers,
which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate.

References:

https://www.samba.org/samba/security/CVE-2016-2113.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2113

CVE-2016-2114: “server signing = mandatory” not enforced

The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize
the “server signing = mandatory” setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream.

References:

https://www.samba.org/samba/security/CVE-2016-2114.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2114

CVE-2016-2115: SMB client connections for IPC traffic are not integrity protected

Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC
session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream.

References:

https://www.samba.org/samba/security/CVE-2016-2115.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2115

CVE-2016-2118: SAMR and LSA man in the middle attacks possible

The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections,
which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka “BADLOCK.”

References:

https://www.samba.org/samba/security/CVE-2016-2118.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118

(from redmine: issue id 5494, created on 2016-04-25, closed on 2016-06-15)

Relations:
- child #5495 (closed)
- child #5496 (closed)
- child #5497 (closed)
- child #5498 (closed)
- child #5499 (closed)

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information