[manjaro-security] [arch-security] [ASA-201604-13] samba: multiple issues

Sat Apr 23 03:04:24 CEST 2016

Arch Linux Security Advisory ASA-201604-13
==========================================

Severity: High
Date    : 2016-04-23
CVE-ID  : CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
          CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package samba before version 4.4.2-1 is vulnerable to multiple
issues including but not limited to denial of service,
man-in-the-middle, information disclosure and possibly arbitrary code
execution.

Resolution
==========

Upgrade to 4.4.2-1.

# pacman -Syu "samba>=4.4.2-1"

The problems have been fixed upstream in version 4.4.2-1.

Workaround
==========

None.

Description
===========

- CVE-2015-5370 (arbitrary code execution)

Multiple flaws were found in Samba's DCE/RPC protocol implementation. A
remote, authenticated attacker could use these flaws to cause a denial
of service against the Samba server (high CPU load or a crash) or,
possibly, execute arbitrary code with the permissions of the user
running Samba (root). This flaw could also be used to downgrade a secure
DCE/RPC connection by a man-in-the-middle attacker taking control of an
Active Directory (AD) object and compromising the security of a Samba
Active Directory Domain Controller (DC).

- CVE-2016-2110 (man-in-the-middle)

Several flaws were found in Samba's implementation of NTLMSSP
authentication. An unauthenticated, man-in-the-middle attacker could use
this flaw to clear the encryption and integrity flags of a connection,
causing data to be transmitted in plain text. The attacker could also
force the client or server into sending data in plain text even if
encryption was explicitly requested for that connection.

- CVE-2016-2111 (information disclosure)

An authentication flaw was found in Samba. When Samba is configured to
act as a Domain Controller, it allows remote attackers to spoof the
computer name of a secure channel's endpoints. The attacker could
exploit this flaw to obtain sensitive session information by running a
crafted application and leveraging the ability to sniff network traffic.

- CVE-2016-2112 (man-in-the-middle)

It was found that Samba's LDAP implementation did not enforce integrity
protection for LDAP connections. A man-in-the-middle attacker could use
this flaw to downgrade LDAP connections to use no integrity protection,
allowing them to hijack such connections.

- CVE-2016-2113 (man-in-the-middle)

It was found that while having a support for TLS/SSL for some protocols
like ldap and http, certificates are not validated at all. When having a
"tls cafile" option, configured certificate is not used to validate the
server certificate.

- CVE-2016-2114 (man-in-the-middle)

It was found that Samba based active directory domain controller does
not enforce smb signing and opens possibility for man-in-the-middle attacks.
When Samba is configured as a Domain Controller, the default for the
"server signing" should be "mandatory". During the early development of
Samba 4 a new experimental file server located under source4/smb_server
was used. But before the final 4.0.0 release upstream switched back to
the file server under source3/smbd. But the logic for the correct
default of "server signing" was not ported.

- CVE-2016-2115 (man-in-the-middle)

It was found that Samba did not enable integrity protection for IPC
traffic by default. A man-in-the-middle attacker could use this flaw to
view and modify the data sent between a Samba server and a client.

- CVE-2016-2118 (man-in-the-middle)

It was reported that various samba versions are vulnerable to man in the
middle attack where attacker can intercept any DCERPC traffic between a
client and a server in order to impersonate the client and get the same
privileges as the authenticated user account. This is most problematic
against active directory domain controllers.

Impact
======

A remote attacker on the same network is able to perform a
man-in-the-middle and denial of service attack, disclose sensitive
information and, under certain circumstances, possibly execute arbitrary
code.

References
==========

https://access.redhat.com/security/cve/CVE-2015-5370
https://access.redhat.com/security/cve/CVE-2016-2110
https://access.redhat.com/security/cve/CVE-2016-2111
https://access.redhat.com/security/cve/CVE-2016-2112
https://access.redhat.com/security/cve/CVE-2016-2113
https://access.redhat.com/security/cve/CVE-2016-2114
https://access.redhat.com/security/cve/CVE-2016-2115
https://access.redhat.com/security/cve/CVE-2016-2118
https://www.samba.org/samba/security/CVE-2015-5370.html
https://www.samba.org/samba/security/CVE-2016-2110.html
https://www.samba.org/samba/security/CVE-2016-2111.html
https://www.samba.org/samba/security/CVE-2016-2112.html
https://www.samba.org/samba/security/CVE-2016-2113.html
https://www.samba.org/samba/security/CVE-2016-2114.html
https://www.samba.org/samba/security/CVE-2016-2115.html
https://www.samba.org/samba/security/CVE-2016-2118.html

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <http://lists.manjaro.org/pipermail/manjaro-security/attachments/20160423/595e8220/attachment.pgp>