Arch Linux Security Advisory ASA-201604-13
==========================================
Severity: High
Date    : 2016-04-23
CVE-ID  : CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
          CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
=======
The package samba before version 4.4.2-1 is vulnerable to multiple
issues including but not limited to denial of service,
man-in-the-middle, information disclosure and possibly arbitrary code
execution.

Resolution
==========
Upgrade to 4.4.2-1.

# pacman -Syu "samba>=4.4.2-1"

The problems have been fixed upstream in version 4.4.2-1.

Workaround
==========
None.

Description
===========
- CVE-2015-5370 (arbitrary code execution)

Multiple flaws were found in Samba's DCE/RPC protocol implementation. A
remote, authenticated attacker could use these flaws to cause a denial
of service against the Samba server (high CPU load or a crash) or,
possibly, execute arbitrary code with the permissions of the user
running Samba (root). This flaw could also be used to downgrade a secure
DCE/RPC connection by a man-in-the-middle attacker taking control of an
Active Directory (AD) object and compromising the security of a Samba
Active Directory Domain Controller (DC).

- CVE-2016-2110 (man-in-the-middle)

Several flaws were found in Samba's implementation of NTLMSSP
authentication. An unauthenticated, man-in-the-middle attacker could use
this flaw to clear the encryption and integrity flags of a connection,
causing data to be transmitted in plain text. The attacker could also
force the client or server into sending data in plain text even if
encryption was explicitly requested for that connection.

- CVE-2016-2111 (information disclosure)

An authentication flaw was found in Samba. When Samba is configured to
act as a Domain Controller, it allows remote attackers to spoof the
computer name of a secure channel's endpoints. The attacker could
exploit this flaw to obtain sensitive session information by running a
crafted application and leveraging the ability to sniff network traffic.

- CVE-2016-2112 (man-in-the-middle)

It was found that Samba's LDAP implementation did not enforce integrity
protection for LDAP connections. A man-in-the-middle attacker could use
this flaw to downgrade LDAP connections to use no integrity protection,
allowing them to hijack such connections.

- CVE-2016-2113 (man-in-the-middle)

It was found that although Samba supports TLS/SSL for some protocols,
such as LDAP and HTTP, it does not validate certificates at all. Even
when a "tls cafile" option is configured, the configured CA certificate
is not used to validate the server certificate.

- CVE-2016-2114 (man-in-the-middle)

It was found that a Samba-based Active Directory domain controller does
not enforce SMB signing, which opens the possibility of man-in-the-middle
attacks. When Samba is configured as a Domain Controller, the default for
"server signing" should be "mandatory". During the early development of
Samba 4, a new experimental file server located under source4/smb_server
was used, but before the final 4.0.0 release upstream switched back to
the file server under source3/smbd, and the logic for the correct default
of "server signing" was not ported.

- CVE-2016-2115 (man-in-the-middle)

It was found that Samba did not enable integrity protection for IPC
traffic by default. A man-in-the-middle attacker could use this flaw to
view and modify the data sent between a Samba server and a client.

- CVE-2016-2118 (man-in-the-middle)

It was reported that various Samba versions are vulnerable to a
man-in-the-middle attack in which the attacker intercepts DCERPC traffic
between a client and a server in order to impersonate the client and
obtain the same privileges as the authenticated user account. This is
most problematic against Active Directory domain controllers.

Impact
======
A remote attacker on the same network is able to perform a
man-in-the-middle and denial of service attack, disclose sensitive
information and, under certain circumstances, possibly execute arbitrary
code.

References
==========
https://access.redhat.com/security/cve/CVE-2015-5370
https://access.redhat.com/security/cve/CVE-2016-2110
https://access.redhat.com/security/cve/CVE-2016-2111
https://access.redhat.com/security/cve/CVE-2016-2112
https://access.redhat.com/security/cve/CVE-2016-2113
https://access.redhat.com/security/cve/CVE-2016-2114
https://access.redhat.com/security/cve/CVE-2016-2115
https://access.redhat.com/security/cve/CVE-2016-2118
https://www.samba.org/samba/security/CVE-2015-5370.html
https://www.samba.org/samba/security/CVE-2016-2110.html
https://www.samba.org/samba/security/CVE-2016-2111.html
https://www.samba.org/samba/security/CVE-2016-2112.html
https://www.samba.org/samba/security/CVE-2016-2113.html
https://www.samba.org/samba/security/CVE-2016-2114.html
https://www.samba.org/samba/security/CVE-2016-2115.html
https://www.samba.org/samba/security/CVE-2016-2118.html
