<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2016-2112.html:</H2>
=============================================================================
== Subject: The LDAP client and server don't enforce integrity protection
== CVE ID#: CVE-2016-2112
== Versions: Samba 3.0.0 to 4.4.0
== Summary: A man in the middle is able to downgrade LDAP connections
== to no integrity protection. It's possible to attack
== client and server with this.
=============================================================================

Samba uses various LDAP client libraries, a builtin one and/or the system
ldap libraries (typically openldap).

As active directory domain controller Samba also provides an LDAP server.

Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)

Samba has supported an option called "client ldap sasl wrapping" since version
3.2.0. Its default value has changed from "plain" to "sign" with version 4.2.0.

Tools using the builtin LDAP client library do not obey the
"client ldap sasl wrapping" option. This applies to tools like:
"samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
options like "--sign" and "--encrypt". With the security update they will
also obey the "client ldap sasl wrapping" option by default.

In all cases, even if explicitly requested via "client ldap sasl wrapping",
"--sign" or "--encrypt", the protection can be downgraded by a man in the

The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth", whose possible values are "no",
"allow_sasl_over_tls" and "yes".

As the default behavior was "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use

ldap server require strong auth (G)

The ldap server require strong auth defines whether the
ldap server requires ldap traffic to be signed or
signed and encrypted (sealed). Possible values are no,
allow_sasl_over_tls and yes.

A value of no allows simple and sasl binds over all transports.

A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.

A value of yes allows only simple binds over TLS encrypted connections.
Unencrypted connections only allow sasl binds with sign or seal.

Default: ldap server require strong auth = yes
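
The three values described above can be modelled as a small policy check. This is an added example, not Samba's own code: the function names, scenario labels and sample smb.conf are constructed for illustration, and only the cases the text above describes are covered. It reads the effective setting from smb.conf text and lists which kinds of bind the LDAP server would refuse.

```python
# Added example: a model of the man-page text above, not Samba's own code.
import re

DEFAULT = "yes"  # default given in the man-page excerpt

# (label, tls, sasl, wrapped): constructed scenarios; "wrapped" = sign or seal.
SCENARIOS = [
    ("simple bind, no TLS", False, False, False),
    ("SASL bind without sign/seal, no TLS", False, True, False),
    ("SASL bind with sign or seal, no TLS", False, True, True),
    ("simple bind over TLS", True, False, False),
    ("SASL bind without sign/seal over TLS", True, True, False),
]

def effective_setting(conf_text):
    """Last 'ldap server require strong auth' value in [global], else default."""
    section, value = None, DEFAULT
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, val = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace
            if re.sub(r"\s+", "", key).lower() == "ldapserverrequirestrongauth":
                value = val.strip().lower()
    if value not in ("no", "allow_sasl_over_tls", "yes"):
        raise ValueError(f"unknown value: {value!r}")
    return value

def bind_allowed(setting, tls, sasl, wrapped):
    if setting == "no":
        return True               # simple and SASL binds on all transports
    if not tls:
        return sasl and wrapped   # unencrypted: only SASL with sign or seal
    if setting == "allow_sasl_over_tls":
        return True               # over TLS: simple and unwrapped SASL binds
    return not sasl               # "yes": only simple binds over TLS

def rejected_binds(conf_text):
    """Scenario labels the server would refuse under this configuration."""
    setting = effective_setting(conf_text)
    return [name for name, tls, sasl, wrapped in SCENARIOS
            if not bind_allowed(setting, tls, sasl, wrapped)]

# Constructed sample configuration
SAMPLE = "[global]\n  workgroup = EXAMPLE\n  LDAP Server Require Strong Auth = allow_sasl_over_tls\n"
```

Calling `rejected_binds(SAMPLE)` before changing the option shows which client bind styles would stop working under the chosen value.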

Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
default of "client ldap sasl wrapping = sign". Even with
"client ldap sasl wrapping = plain" they will automatically upgrade
to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.