[arch-security] [ASA-201604-13] samba: multiple issues
Arch Linux Security Advisory ASA-201604-13
==========================================

Severity: High
Date    : 2016-04-23
CVE-ID  : CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112
          CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package samba before version 4.4.2-1 is vulnerable to multiple issues
including but not limited to denial of service, man-in-the-middle,
information disclosure and possibly arbitrary code execution.

Resolution
==========

Upgrade to 4.4.2-1.

# pacman -Syu "samba>=4.4.2-1"

The problems have been fixed upstream in version 4.4.2-1.

Workaround
==========

None.

Description
===========

- CVE-2015-5370 (arbitrary code execution)

Multiple flaws were found in Samba's DCE/RPC protocol implementation. A
remote, authenticated attacker could use these flaws to cause a denial of
service against the Samba server (high CPU load or a crash) or, possibly,
execute arbitrary code with the permissions of the user running Samba
(root). This flaw could also be used to downgrade a secure DCE/RPC
connection by a man-in-the-middle attacker taking control of an Active
Directory (AD) object and compromising the security of a Samba Active
Directory Domain Controller (DC).

- CVE-2016-2110 (man-in-the-middle)

Several flaws were found in Samba's implementation of NTLMSSP
authentication. An unauthenticated, man-in-the-middle attacker could use
this flaw to clear the encryption and integrity flags of a connection,
causing data to be transmitted in plain text. The attacker could also force
the client or server into sending data in plain text even if encryption was
explicitly requested for that connection.

- CVE-2016-2111 (information disclosure)

An authentication flaw was found in Samba. When Samba is configured to act
as a Domain Controller, it allows remote attackers to spoof the computer
name of a secure channel's endpoints. The attacker could exploit this flaw
to obtain sensitive session information by running a crafted application
and leveraging the ability to sniff network traffic.

- CVE-2016-2112 (man-in-the-middle)

It was found that Samba's LDAP implementation did not enforce integrity
protection for LDAP connections. A man-in-the-middle attacker could use
this flaw to downgrade LDAP connections to use no integrity protection,
allowing them to hijack such connections.

- CVE-2016-2113 (man-in-the-middle)

It was found that although Samba supports TLS/SSL for some protocols, such
as LDAP and HTTP, server certificates are not validated at all. Even when a
"tls cafile" option is configured, the configured CA certificate is not
used to validate the server certificate.

- CVE-2016-2114 (man-in-the-middle)

It was found that a Samba-based Active Directory Domain Controller does not
enforce SMB signing, which opens the possibility of man-in-the-middle
attacks. When Samba is configured as a Domain Controller, the default for
"server signing" should be "mandatory". During the early development of
Samba 4 a new experimental file server located under source4/smb_server was
used, but before the final 4.0.0 release upstream switched back to the file
server under source3/smbd. The logic for the correct default of "server
signing" was not ported.

- CVE-2016-2115 (man-in-the-middle)

It was found that Samba did not enable integrity protection for IPC traffic
by default. A man-in-the-middle attacker could use this flaw to view and
modify the data sent between a Samba server and a client.

- CVE-2016-2118 (man-in-the-middle)

It was reported that various Samba versions are vulnerable to a
man-in-the-middle attack in which an attacker can intercept any DCERPC
traffic between a client and a server in order to impersonate the client
and obtain the same privileges as the authenticated user account. This is
most problematic against Active Directory domain controllers.

Impact
======

A remote attacker on the same network is able to perform a man-in-the-middle
and denial of service attack, disclose sensitive information and, under
certain circumstances, possibly execute arbitrary code.

References
==========

https://access.redhat.com/security/cve/CVE-2015-5370
https://access.redhat.com/security/cve/CVE-2016-2110
https://access.redhat.com/security/cve/CVE-2016-2111
https://access.redhat.com/security/cve/CVE-2016-2112
https://access.redhat.com/security/cve/CVE-2016-2113
https://access.redhat.com/security/cve/CVE-2016-2114
https://access.redhat.com/security/cve/CVE-2016-2115
https://access.redhat.com/security/cve/CVE-2016-2118
https://www.samba.org/samba/security/CVE-2015-5370.html
https://www.samba.org/samba/security/CVE-2016-2110.html
https://www.samba.org/samba/security/CVE-2016-2111.html
https://www.samba.org/samba/security/CVE-2016-2112.html
https://www.samba.org/samba/security/CVE-2016-2113.html
https://www.samba.org/samba/security/CVE-2016-2114.html
https://www.samba.org/samba/security/CVE-2016-2115.html
https://www.samba.org/samba/security/CVE-2016-2118.html
participants (1)
-
Levente Polyak