<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2015-5296.html:</H2>
===========================================================
== Subject: Samba client requesting encryption vulnerable
== to downgrade attack.
==
== CVE ID#: CVE-2015-5296
==
== Versions: Samba versions 3.2.0 to 4.3.2
==
== Summary: Requesting encryption should also request
== signing when setting up the connection to
== protect against man-in-the-middle attacks.
==
===========================================================
Versions of Samba from 3.2.0 to 4.3.2 inclusive do not ensure that
signing is negotiated when creating an encrypted client connection to

Without this, a man-in-the-middle attack could downgrade the connection
and connect using the supplied credentials as an unsigned, unencrypted
Patches addressing this defect have been posted to

https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 have been issued as
security releases to correct the defect.
Samba vendors and administrators running affected versions are
advised to upgrade or apply the patch as soon as possible.
When using the smbclient command, always add the "--signing=required"
argument alongside the "-e" or "--encrypt" argument.

Alternatively, set the variable "client signing = mandatory" in the
[global] section of the smb.conf file on any client using encrypted

To protect a Samba server exporting encrypted shares against a
downgrade attack, set the variable "smb encrypt = mandatory" in the
smb.conf definition of the encrypted shares.
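As an added example that is not part of this advisory or of the Samba project, the POSIX shell helper below audits an smb.conf for the two settings named above: "client signing = mandatory" in [global] and "smb encrypt = mandatory" on each share that is meant to be encrypted. The sample configuration, the temporary file path and the function names are constructed for the illustration.

```shell
#!/bin/sh
# Added audit helper (not Samba project code): checks an smb.conf for the
# CVE-2015-5296 mitigations. The sample config further down is constructed.

# Print the value of KEY inside [SECTION]; prints nothing if absent.
# Keys match case-insensitively (as Samba treats them), whitespace around
# '=' is ignored, and comment lines starting with ';' or '#' are skipped.
smbconf_get() {
    awk -v sec="$2" -v key="$3" '
        /^[ \t]*\[/ { cur = $0; sub(/^[ \t]*\[/, "", cur); sub(/\].*$/, "", cur); next }
        /^[ \t]*[#;]/ { next }
        cur == sec && index($0, "=") {
            k = $0; sub(/=.*$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", k)
            v = $0; sub(/^[^=]*=/, "", v); gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == tolower(key)) print v
        }' "$1"
}

# Client-side mitigation: [global] must carry "client signing = mandatory".
check_client_signing() {
    [ "$(smbconf_get "$1" global "client signing")" = "mandatory" ]
}

# Server-side mitigation: share $2 must carry "smb encrypt = mandatory".
check_share_encrypt() {
    [ "$(smbconf_get "$1" "$2" "smb encrypt")" = "mandatory" ]
}

# Constructed sample: one hardened share and one that only offers encryption.
SAMPLE_CONF="$(mktemp)"
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   client signing = mandatory
[secure]
   path = /srv/secure
   smb encrypt = mandatory
[weak]
   path = /srv/weak
   ; "auto" only offers encryption, so a downgrade remains possible
   smb encrypt = auto
EOF

check_client_signing "$SAMPLE_CONF" && echo "[global] client signing ok" \
    || echo "[global] client signing NOT mandatory"
for share in secure weak; do
    check_share_encrypt "$SAMPLE_CONF" "$share" && echo "[$share] encryption required" \
        || echo "[$share] downgrade possible"
done
```

Run it against a real file by replacing SAMPLE_CONF with the path to the client's or server's smb.conf and listing the encrypted share names in the loop.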
This problem was found by Stefan Metzmacher <metze@samba.org> of
SerNet (www.sernet.com) and the Samba Team, who also provided the