1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Security Announcement Archive</title>
11 <H2>CVE-2016-2118.html:</H2>
15 ===============================================================
16 == Subject: SAMR and LSA man in the middle attacks possible
18 == CVE ID#: CVE-2016-2118 (a.k.a. BADLOCK)
20 == Versions: Samba 3.6.0 to 4.4.0
22 == Summary: A man in the middle can intercept any DCERPC
23 == traffic between a client and a server in order to
24 == impersonate the client and get the same privileges
25 == as the authenticated user account. This is
26 == most problematic against active directory
27 == domain controllers.
29 ===========================================================
35 The Security Account Manager Remote Protocol [MS-SAMR] and the
36 Local Security Authority (Domain Policy) Remote Protocol [MS-LSAD]
37 are both vulnerable to man in the middle attacks. Both are application level
38 protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.
40 These protocols are typically available on all Windows installations
41 as well as every Samba server. They are used to maintain
42 the Security Account Manager Database. This applies to all
43 roles, e.g. standalone, domain member, domain controller.
45 Any authenticated DCERPC connection a client initiates against a server
46 can be used by a man in the middle to impersonate the authenticated user
47 against the SAMR or LSAD service on the server.
49 The client chosen application protocol, auth type (e.g. Kerberos or NTLMSSP)
50 and auth level (NONE, CONNECT, PKT_INTEGRITY, PKT_PRIVACY) do not matter
51 in this case. A man in the middle can change auth level to CONNECT
52 (which means authentication without message protection) and take over
55 As a result, a man in the middle is able to get read/write access to the
56 Security Account Manager Database, which reveals all passwords
57 and any other potential sensitive information.
59 Samba running as an active directory domain controller is additionally
60 missing checks to enforce PKT_PRIVACY for the
61 Directory Replication Service Remote Protocol [MS-DRSR] (drsuapi)
62 and the BackupKey Remote Protocol [MS-BKRP] (backupkey).
63 The Domain Name Service Server Management Protocol [MS-DNSP] (dnsserver)
64 is not enforcing at least PKT_INTEGRITY.
70 allow dcerpc auth level connect (G)
72 This option controls whether DCERPC services are allowed to be used with
73 DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per
74 message integrity nor privacy protection.
76 Some interfaces like samr, lsarpc and netlogon have a hard-coded default
77 of no and epmapper, mgmt and rpcecho have a hard-coded default of yes.
79 The behavior can be overwritten per interface name (e.g. lsarpc,
80 netlogon, samr, srvsvc, winreg, wkssvc ...) by using
81 'allow dcerpc auth level connect:interface = yes' as option.
83 This option yields precedence to the implementation specific restrictions.
84 E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
85 The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
87 Default: allow dcerpc auth level connect = no
89 Example: allow dcerpc auth level connect = yes
91 =======================
92 Binding string handling
93 =======================
95 The default auth level for authenticated binds has changed from
96 DCERPC_AUTH_LEVEL_CONNECT to DCERPC_AUTH_LEVEL_INTEGRITY.
97 That means ncacn_ip_tcp:server is now implicitly the same
98 as ncacn_ip_tcp:server[sign] and offers a similar protection
99 as ncacn_np:server, which relies on smb signing.
105 A patch addressing this defect has been posted to
107 https://www.samba.org/samba/security/
109 Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
110 security releases to correct the defect. Samba vendors and administrators
111 running affected versions are advised to upgrade or apply the patch as
114 Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
115 but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.
121 You may lower risk by avoiding to login/authenticate with privileged accounts
122 over unprotected networks. Privileged accounts should only be used on the physical
123 console (server) console, so that authentication does not involve any network
126 If the machine is acting as client workstation you may restrict any incoming
127 network traffic by a firewall.
129 ===========================
130 Vendor Specific Information
131 ===========================
133 As this a multi-vendor problem we have decided to use one CVE number
136 * For Samba it is CVE-2016-2118 (this one).
137 * For Windows see CVE-2016-0128.
143 This vulnerability was discovered and researched by Stefan Metzmacher of
144 SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
145 He provides the fixes in collaboration with the Samba Team.