samba: Multiple security issues (CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118)
CVE-2015-5370: Multiple errors in DCE-RPC code.
Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before
4.4.2 does not properly implement the DCE-RPC layer,
which allows remote attackers to perform protocol-downgrade attacks,
cause a denial of service (application crash or CPU consumption),
or possibly execute arbitrary code on a client system via unspecified
vectors.
References:
https://www.samba.org/samba/security/CVE-2015-5370.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-5370
CVE-2016-2110: Man in the middle attacks possible with NTLMSSP
The NTLMSSP authentication implementation in Samba 3.x and 4.x before
4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows
man-in-the-middle
attackers to perform protocol-downgrade attacks by modifying the
client-server data stream to remove application-layer flags or
encryption settings,
as demonstrated by clearing the NTLMSSP_NEGOTIATE_SEAL or
NTLMSSP_NEGOTIATE_SIGN option to disrupt LDAP security.
References:
https://www.samba.org/samba/security/CVE-2016-2110.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2110
CVE-2016-2111: NETLOGON Spoofing Vulnerability.
The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before
4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured,
allows remote attackers to spoof the computer name of a secure channel’s
endpoint, and obtain sensitive session information, by running a
crafted
application and leveraging the ability to sniff network traffic, a
related issue to CVE-2015-0005.
References:
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2111
https://www.samba.org/samba/security/CVE-2016-2111.html
CVE-2016-2112: The LDAP client and server don’t enforce integrity protection
The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11,
4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize
the “client ldap sasl wrapping” setting, which allows man-in-the-middle
attackers to perform LDAP protocol-downgrade attacks by modifying the
client-server data stream.
References:
https://www.samba.org/samba/security/CVE-2016-2112.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2112
CVE-2016-2113: Missing TLS certificate validation allows man in the middle attacks
Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does
not verify X.509 certificates from TLS servers,
which allows man-in-the-middle attackers to spoof LDAPS and HTTPS
servers and obtain sensitive information via a crafted certificate.
References:
https://www.samba.org/samba/security/CVE-2016-2113.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2113
CVE-2016-2114: “server signing = mandatory” not enforced
The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x
before 4.3.8, and 4.4.x before 4.4.2 does not recognize
the “server signing = mandatory” setting, which allows man-in-the-middle
attackers to spoof SMB servers by modifying the client-server data
stream.
References:
https://www.samba.org/samba/security/CVE-2016-2114.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2114
CVE-2016-2115: SMB client connections for IPC traffic are not integrity protected
Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before
4.4.2 does not require SMB signing within a DCERPC
session over ncacn_np, which allows man-in-the-middle attackers to
spoof SMB clients by modifying the client-server data stream.
References:
https://www.samba.org/samba/security/CVE-2016-2115.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2115
CVE-2016-2118: SAMR and LSA man in the middle attacks possible
The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x
before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle
DCERPC connections,
which allows man-in-the-middle attackers to perform protocol-downgrade
attacks and impersonate users by modifying the client-server data
stream, aka “BADLOCK.”
References:
https://www.samba.org/samba/security/CVE-2016-2118.html
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2118
(from redmine: issue id 5494, created on 2016-04-25, closed on 2016-06-15)
- Relations:
- child #5495 (closed)
- child #5496 (closed)
- child #5497 (closed)
- child #5498 (closed)
- child #5499 (closed)