1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
5 <title>Samba 4.4.1 - Release Notes</title>
8 <H2>Samba 4.4.1 Available for Download</H2>
10 <a href="https://download.samba.org/pub/samba/stable/samba-4.4.1.tar.gz">Samba 4.4.1 (gzipped)</a><br>
11 <a href="https://download.samba.org/pub/samba/stable/samba-4.4.1.tar.asc">Signature</a>
14 <a href="https://download.samba.org/pub/samba/patches/samba-4.4.0-4.4.1.diffs.gz">Patch (gzipped) against Samba 4.4.0</a><br>
15 <a href="https://download.samba.org/pub/samba/patches/samba-4.4.0-4.4.1.diffs.asc">Signature</a>
19 =============================
20 Release Notes for Samba 4.4.1
22 =============================
25 This is a security release in order to address the following CVEs:
27 o CVE-2015-5370 (Multiple errors in DCE-RPC code)
29 o CVE-2016-2110 (Man in the middle attacks possible with NTLMSSP)
31 o CVE-2016-2111 (NETLOGON Spoofing Vulnerability)
33 o CVE-2016-2112 (LDAP client and server don't enforce integrity)
35 o CVE-2016-2113 (Missing TLS certificate validation)
37 o CVE-2016-2114 ("server signing = mandatory" not enforced)
39 o CVE-2016-2115 (SMB IPC traffic is not integrity protected)
41 o CVE-2016-2118 (SAMR and LSA man in the middle attacks possible)
43 The number of changes are rather huge for a security release,
44 compared to typical security releases.
46 Given the number of problems and the fact that they are all related
47 to man in the middle attacks we decided to fix them all at once
48 instead of splitting them.
50 In order to prevent the man in the middle attacks it was required
51 to change the (default) behavior for some protocols. Please see the
52 "New smb.conf options" and "Behavior changes" sections below.
60 Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to
61 denial of service attacks (crashes and high cpu consumption)
62 in the DCE-RPC client and server implementations. In addition,
63 errors in validation of the DCE-RPC packets can lead to a downgrade
64 of a secure connection to an insecure one.
66 The above applies all possible server roles Samba can operate in.
68 Note that versions before 3.6.0 had completely different marshalling
69 functions for the generic DCE-RPC layer. It's quite possible that
70 that code has similar problems!
72 The downgrade of a secure connection to an insecure one may
73 allow an attacker to take control of Active Directory object
74 handles created on a connection created from an Administrator
75 account and re-use them on the now non-privileged connection,
76 compromising the security of the Samba AD-DC.
80 There are several man in the middle attacks possible with
81 NTLMSSP authentication.
83 E.g. NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL
84 can be cleared by a man in the middle.
86 This was by protocol design in earlier Windows versions.
88 Windows Server 2003 RTM and Vista RTM introduced a way
89 to protect against the trivial downgrade.
91 See MsvAvFlags and flag 0x00000002 in
92 https://msdn.microsoft.com/en-us/library/cc236646.aspx
94 This new feature also implies support for a mechlistMIC
95 when used within SPNEGO, which may prevent downgrades
96 from other SPNEGO mechs, e.g. Kerberos, if sign or
97 seal is finally negotiated.
99 The Samba implementation doesn't enforce the existence of
100 required flags, which were requested by the application layer,
101 e.g. LDAP or SMB1 encryption (via the unix extensions).
102 As a result a man in the middle can take over the connection.
103 It is also possible to misguide client and/or
104 server to send unencrypted traffic even if encryption
105 was explicitly requested.
107 LDAP (with NTLMSSP authentication) is used as a client
108 by various admin tools of the Samba project,
109 e.g. "net", "samba-tool", "ldbsearch", "ldbedit", ...
111 As an active directory member server LDAP is also used
112 by the winbindd service when connecting to domain controllers.
114 Samba also offers an LDAP server when running as
115 active directory domain controller.
117 The NTLMSSP authentication used by the SMB1 encryption
118 is protected by smb signing, see CVE-2015-5296.
122 It's basically the same as CVE-2015-0005 for Windows:
124 The NETLOGON service in Microsoft Windows Server 2003 SP2,
125 Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold
126 and R2, when a Domain Controller is configured, allows remote
127 attackers to spoof the computer name of a secure channel's
128 endpoint, and obtain sensitive session information, by running a
129 crafted application and leveraging the ability to sniff network
130 traffic, aka "NETLOGON Spoofing Vulnerability".
132 The vulnerability in Samba is worse as it doesn't require
133 credentials of a computer account in the domain.
135 This only applies to Samba running as classic primary domain controller,
136 classic backup domain controller or active directory domain controller.
138 The security patches introduce a new option called "raw NTLMv2 auth"
139 ("yes" or "no") for the [global] section in smb.conf.
140 Samba (the smbd process) will reject client using raw NTLMv2
141 without using NTLMSSP.
143 Note that this option also applies to Samba running as
144 standalone server and member server.
146 You should also consider using "lanman auth = no" (which is already the default)
147 and "ntlm auth = no". Have a look at the smb.conf manpage for further details,
148 as they might impact compatibility with older clients. These also
149 apply for all server roles.
153 Samba uses various LDAP client libraries, a builtin one and/or the system
154 ldap libraries (typically openldap).
156 As active directory domain controller Samba also provides an LDAP server.
158 Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
159 for LDAP connections, including possible integrity (sign) and privacy (seal)
162 Samba has support for an option called "client ldap sasl wrapping" since version
163 3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.
165 Tools using the builtin LDAP client library do not obey the
166 "client ldap sasl wrapping" option. This applies to tools like:
167 "samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
168 options like "--sign" and "--encrypt". With the security update they will
169 also obey the "client ldap sasl wrapping" option as default.
171 In all cases, even if explicitly request via "client ldap sasl wrapping",
172 "--sign" or "--encrypt", the protection can be downgraded by a man in the
175 The LDAP server doesn't have an option to enforce strong authentication
176 yet. The security patches will introduce a new option called
177 "ldap server require strong auth", possible values are "no",
178 "allow_sasl_over_tls" and "yes".
180 As the default behavior was as "no" before, you may
181 have to explicitly change this option until all clients have
182 been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
183 Windows clients and Samba member servers already use
184 integrity protection.
188 Samba has support for TLS/SSL for some protocols:
189 ldap and http, but currently certificates are not
190 validated at all. While we have a "tls cafile" option,
191 the configured certificate is not used to validate
192 the server certificate.
194 This applies to ldaps:// connections triggered by tools like:
195 "ldbsearch", "ldbedit" and more. Note that it only applies
196 to the ldb tools when they are built as part of Samba or with Samba
197 extensions installed, which means the Samba builtin LDAP client library is
200 It also applies to dcerpc client connections using ncacn_http (with https://),
201 which are only used by the openchange project. Support for ncacn_http
202 was introduced in version 4.2.0.
204 The security patches will introduce a new option called
205 "tls verify peer". Possible values are "no_check", "ca_only",
206 "ca_and_name_if_available", "ca_and_name" and "as_strict_as_possible".
208 If you use the self-signed certificates which are auto-generated
209 by Samba, you won't have a crl file and need to explicitly
210 set "tls verify peer = ca_and_name".
214 Due to a regression introduced in Samba 4.0.0,
215 an explicit "server signing = mandatory" in the [global] section
216 of the smb.conf was not enforced for clients using the SMB1 protocol.
218 As a result it does not enforce smb signing and allows man in the middle attacks.
220 This problem applies to all possible server roles:
221 standalone server, member server, classic primary domain controller,
222 classic backup domain controller and active directory domain controller.
224 In addition, when Samba is configured with "server role = active directory domain controller"
225 the effective default for the "server signing" option should be "mandatory".
227 During the early development of Samba 4 we had a new experimental
228 file server located under source4/smb_server. But before
229 the final 4.0.0 release we switched back to the file server
232 But the logic for the correct default of "server signing" was not
233 ported correctly ported.
235 Note that the default for server roles other than active directory domain
236 controller, is "off" because of performance reasons.
240 Samba has an option called "client signing", this is turned off by default
241 for performance reasons on file transfers.
243 This option is also used when using DCERPC with ncacn_np.
245 In order to get integrity protection for ipc related communication
246 by default the "client ipc signing" option is introduced.
247 The effective default for this new option is "mandatory".
249 In order to be compatible with more SMB server implementations,
250 the following additional options are introduced:
251 "client ipc min protocol" ("NT1" by default) and
252 "client ipc max protocol" (the highest support SMB2/3 dialect by default).
253 These options overwrite the "client min protocol" and "client max protocol"
254 options, because the default for "client max protocol" is still "NT1".
255 The reason for this is the fact that all SMB2/3 support SMB signing,
256 while there are still SMB1 implementations which don't offer SMB signing
257 by default (this includes Samba versions before 4.0.0).
259 Note that winbindd (in versions 4.2.0 and higher) enforces SMB signing
260 against active directory domain controllers despite of the
261 "client signing" and "client ipc signing" options.
263 o CVE-2016-2118 (a.k.a. BADLOCK):
265 The Security Account Manager Remote Protocol [MS-SAMR] and the
266 Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
267 are both vulnerable to man in the middle attacks. Both are application level
268 protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
270 These protocols are typically available on all Windows installations
271 as well as every Samba server. They are used to maintain
272 the Security Account Manager Database. This applies to all
273 roles, e.g. standalone, domain member, domain controller.
275 Any authenticated DCERPC connection a client initiates against a server
276 can be used by a man in the middle to impersonate the authenticated user
277 against the SAMR or LSAD service on the server.
279 The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
280 and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
281 in this case. A man in the middle can change auth level to CONNECT
282 (which means authentication without message protection) and take over
285 As a result, a man in the middle is able to get read/write access to the
286 Security Account Manager Database, which reveals all passwords
287 and any other potential sensitive information.
289 Samba running as an active directory domain controller is additionally
290 missing checks to enforce PKT_PRIVACY for the
291 Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
292 and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
293 The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
294 is not enforcing at least PKT_INTEGRITY.
300 allow dcerpc auth level connect (G)
302 This option controls whether DCERPC services are allowed to be used with
303 DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
304 message integrity nor privacy protection.
306 Some interfaces like samr, lsarpc and netlogon have a hard-coded default
307 of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
309 The behavior can be overwritten per interface name (e.g. lsarpc,
310 netlogon, samr, srvsvc, winreg, wkssvc ...) by using
311 'allow dcerpc auth level connect:interface = yes' as option.
313 This option yields precedence to the implementation specific restrictions.
314 E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
315 The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
317 Default: allow dcerpc auth level connect = no
319 Example: allow dcerpc auth level connect = yes
321 client ipc signing (G)
323 This controls whether the client is allowed or required to use
324 SMB signing for IPC$ connections as DCERPC transport. Possible
325 values are auto, mandatory and disabled.
327 When set to mandatory or default, SMB signing is required.
329 When set to auto, SMB signing is offered, but not enforced and
330 if set to disabled, SMB signing is not offered either.
332 Connections from winbindd to Active Directory Domain Controllers
333 always enforce signing.
335 Default: client ipc signing = default
337 client ipc max protocol (G)
339 The value of the parameter (a string) is the highest protocol level that will
340 be supported for IPC$ connections as DCERPC transport.
342 Normally this option should not be set as the automatic negotiation phase
343 in the SMB protocol takes care of choosing the appropriate protocol.
345 The value default refers to the latest supported protocol, currently SMB3_11.
347 See client max protocol for a full list of available protocols.
348 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
350 Default: client ipc max protocol = default
352 Example: client ipc max protocol = SMB2_10
354 client ipc min protocol (G)
356 This setting controls the minimum protocol version that the will be
357 attempted to use for IPC$ connections as DCERPC transport.
359 Normally this option should not be set as the automatic negotiation phase
360 in the SMB protocol takes care of choosing the appropriate protocol.
362 The value default refers to the higher value of NT1 and the
363 effective value of "client min protocol".
365 See client max protocol for a full list of available protocols.
366 The values CORE, COREPLUS, LANMAN1, LANMAN2 are silently upgraded to NT1.
368 Default: client ipc min protocol = default
370 Example: client ipc min protocol = SMB3_11
372 ldap server require strong auth (G)
374 The ldap server require strong auth defines whether the
375 ldap server requires ldap traffic to be signed or
376 signed and encrypted (sealed). Possible values are no,
377 allow_sasl_over_tls and yes.
379 A value of no allows simple and sasl binds over all transports.
381 A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
382 over TLS encrypted connections. Unencrypted connections only
383 allow sasl binds with sign or seal.
385 A value of yes allows only simple binds over TLS encrypted connections.
386 Unencrypted connections only allow sasl binds with sign or seal.
388 Default: ldap server require strong auth = yes
392 This parameter determines whether or not smbd(8) will allow SMB1 clients
393 without extended security (without SPNEGO) to use NTLMv2 authentication.
395 If this option, lanman auth and ntlm auth are all disabled, then only
396 clients with SPNEGO support will be permitted. That means NTLMv2 is only
397 supported within NTLMSSP.
399 Default: raw NTLMv2 auth = no
403 This controls if and how strict the client will verify the peer's
404 certificate and name. Possible values are (in increasing order): no_check,
405 ca_only, ca_and_name_if_available, ca_and_name and as_strict_as_possible.
407 When set to no_check the certificate is not verified at all,
408 which allows trivial man in the middle attacks.
410 When set to ca_only the certificate is verified to be signed from a ca
411 specified in the "tls ca file" option. Setting "tls ca file" to a valid file
412 is required. The certificate lifetime is also verified. If the "tls crl file"
413 option is configured, the certificate is also verified against
416 When set to ca_and_name_if_available all checks from ca_only are performed.
417 In addition, the peer hostname is verified against the certificate's
418 name, if it is provided by the application layer and not given as
419 an ip address string.
421 When set to ca_and_name all checks from ca_and_name_if_available are performed.
422 In addition the peer hostname needs to be provided and even an ip
423 address is checked against the certificate's name.
425 When set to as_strict_as_possible all checks from ca_and_name are performed.
426 In addition the "tls crl file" needs to be configured. Future versions
427 of Samba may implement additional checks.
429 Default: tls verify peer = as_strict_as_possible
431 tls priority (G) (backported from Samba 4.3 to Samba 4.2)
433 This option can be set to a string describing the TLS protocols to be
434 supported in the parts of Samba that use GnuTLS, specifically the AD DC.
436 The default turns off SSLv3, as this protocol is no longer considered
437 secure after CVE-2014-3566 (otherwise known as POODLE) impacted SSLv3 use
438 in HTTPS applications.
440 The valid options are described in the GNUTLS Priority-Strings
441 documentation at http://gnutls.org/manual/html_node/Priority-Strings.html
443 Default: tls priority = NORMAL:-VERS-SSL3.0
449 o The default auth level for authenticated binds has changed from
450 DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
451 That means ncacn_ip_tcp:server is now implicitly the same
452 as ncacn_ip_tcp:server[sign] and offers a similar protection
453 as ncacn_np:server, which relies on smb signing.
455 o The following constraints are applied to SMB1 connections:
457 - "client lanman auth = yes" is now consistently
458 required for authenticated connections using the
459 SMB1 LANMAN2 dialect.
460 - "client ntlmv2 auth = yes" and "client use spnego = yes"
461 (both the default values), require extended security (SPNEGO)
462 support from the server. That means NTLMv2 is only used within
465 o Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
466 default of "client ldap sasl wrapping = sign". Even with
467 "client ldap sasl wrapping = plain" they will automatically upgrade
468 to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
474 o Jeremy Allison <jra@samba.org>
475 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
477 o Christian Ambach <ambi@samba.org>
478 * Bug 11804 - prerequisite backports for the security release on
481 o Ralph Boehme <slow@samba.org>
482 * Bug 11644 - CVE-2016-2112: The LDAP client and server don't enforce
483 integrity protection.
485 o Günther Deschner <gd@samba.org>
486 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
488 * Bug 11804 - prerequisite backports for the security release on
491 o Volker Lendecke <vl@samba.org>
492 * Bug 11804 - prerequisite backports for the security release on
495 o Stefan Metzmacher <metze@samba.org>
496 * Bug 11344 - CVE-2015-5370: Multiple errors in DCE-RPC code.
498 * Bug 11616 - CVE-2016-2118: SAMR and LSA man in the middle attacks possible.
500 * Bug 11644 - CVE-2016-2112: The LDAP client and server doesn't enforce
501 integrity protection.
503 * Bug 11687 - CVE-2016-2114: "server signing = mandatory" not enforced.
505 * Bug 11688 - CVE-2016-2110: Man in the middle attacks possible with NTLMSSP.
507 * Bug 11749 - CVE-2016-2111: NETLOGON Spoofing Vulnerability.
509 * Bug 11752 - CVE-2016-2113: Missing TLS certificate validation allows man in
512 * Bug 11756 - CVE-2016-2115: SMB client connections for IPC traffic are not
515 * Bug 11804 - prerequisite backports for the security release on