Linux News Today: Samba Patched Against Important SMB2/3 Client Security Issue, Update Now
Today, July 7, 2016, the Samba development team has announced the immediate availability for download of the Samba 4.4.5, 4.3.11, and 4.2.14 maintenance updates.
According to the release notes, these are security releases that have been pushed to address an issue where the client side SMB2/3 required signing can be downgraded, which has been fully documented at CVE-2016-2119.
“It’s possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags,” reads today’s security advisory.
In layman’s terms, this means that an attacker can impersonate a server that users can connect to using Samba, an open-source re-implementation of the SMB/CIFS networking protocol, and then deliver malicious results.
The issue affects components like winbindd, which uses DCE/RPC (Distributed Computing Environment / Remote Procedure Calls) over SMB2 when communicating with trusted domains as a domain controller, or with domain controllers as a member server.
The DCE/RPC connections were designed from the ground up to be secure, protected by the combination of “client ipc max protocol” and “client ipc signing” parameters.
samba-tool and rpcclient are also affected
Moreover, it appears that Samba management tools like samba-tool and rpcclient are also affected by this security issues where the SMB2/3 required signing can be downgraded, as they also use DCE/RPC over SMB2/3 connections.
And, according to the security advisory, several other Samba tools remain unprotected, but they don’t use SMB2/3 signing through the “client signing” parameter. Among these, we can mention smbclient, smbget, smbcacls, and smbcquota.
Any other applications using the libsmbclient library and meeting the conditions mentioned above could also be unprotected, so it is recommended that you update Samba to the new versions released today.