<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2016-2124.html:</H2>

=====================================================================================
== Subject: SMB1 client connections can be downgraded to plaintext authentication
== CVE ID#: CVE-2016-2124
== Versions: Samba 3.0.0 to 4.15.1
== Summary: A man-in-the-middle attack can force the client-side SMB1 code
== to fall back to plaintext or NTLM-based authentication even if
== Kerberos authentication was requested by the user or application.
=====================================================================================

An attacker can downgrade a negotiated SMB1 client connection and its
capabilities. Kerberos authentication is only possible with the
SMB2/3 protocol, or with SMB1 using the NT1 dialect together with the
extended security (SPNEGO) capability. Without mandatory SMB signing the
protocol can be downgraded to an older, insecure dialect like CORE,
COREPLUS/CORE+, LANMAN1 or LANMAN2. Even if SMB signing is required
it is still possible to downgrade to the NT1 dialect if extended
security (SPNEGO) is not negotiated.

The attacker is then able to obtain the plaintext password sent over the
wire even if Kerberos authentication was required.

The problem is only possible if all of the following options are
explicitly set together:

    client NTLMv2 auth = no
    client lanman auth = yes
    client plaintext auth = yes
    client min protocol = NT1 # or lower

In currently supported Samba versions all of the above options
have different default values, so the problem is very unlikely

Samba 4.5 and older had an additional problem, even in the default
configuration, as they sent NTLMv2, NTLM or LanMan responses, which
means the attacker might be able to perform offline attacks in order
to recover the plaintext password or the lmhash or nthash values.

Requiring Kerberos authentication for SMB1/2/3 connections can be controlled
by the '-k'/'--kerberos' or '-k yes'/'--kerberos=yes' command line options of
various tools like smbclient, smbcquotas, smbcacls, net, rpcclient,
samba-tool and others. Note that 4.15 deprecated '-k/--kerberos*'
and introduced the '--use-kerberos=required' command line option
as well as the smb.conf option "client use kerberos = required".

For libsmbclient based applications the usage of Kerberos is controlled by
the following function calls: smbc_setOptionUseKerberos() (enable Kerberos),
smbc_setOptionFallbackAfterKerberos() (whether to fall back to other
mechanisms if Kerberos fails) and smbc_setOptionNoAutoAnonymousLogin()
(disable the automatic anonymous login).

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as

Ensure the following [global] smb.conf parameters are set
to their default values as shown below:

    client lanman auth = no
    client NTLMv2 auth = yes
    client plaintext auth = no
    client min protocol = SMB2_02

Or use the '-k' command line option on its own, without the -U option,
which will make use of an existing krb5 credential cache (ccache).

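The vulnerable option set and the recommended values above can be checked mechanically before a configuration is rolled out. The Python script below is an added example written for this page; it is not Samba code and not part of the advisory. It parses the [global] section of an smb.conf, reports whether all four options are explicitly set to the values the advisory requires (an unset option is taken to have its safe default, as the advisory states for currently supported releases), lists the options that deviate from the recommended values, and notes whether the 4.15+ option 'client use kerberos = required' is present. The sample configurations are constructed. The script assumes Samba's case- and whitespace-insensitive option names and its usual boolean spellings (yes/no, true/false, on/off, 1/0); it cannot see the separate issue in Samba 4.5 and older, which needs an upgrade regardless of configuration.

```python
"""Check an smb.conf for the CVE-2016-2124 client option set (added example)."""

def _norm(name: str) -> str:  # Samba option names are case- and whitespace-insensitive
    return "".join(name.split()).lower()

# SMB1 dialects in Samba's order; NT1 is the highest SMB1 dialect and the only
# one able to carry Kerberos (via extended security). Anything else is SMB2+.
SMB1_DIALECTS = ("CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1")

# Boolean options with the values the advisory's workaround recommends (also the
# defaults in supported releases); the vulnerable value of each is the opposite.
RECOMMENDED_BOOLS = {
    "client NTLMv2 auth": True,
    "client lanman auth": False,
    "client plaintext auth": False,
}
_BOOLS = {"yes": True, "true": True, "on": True, "1": True,
          "no": False, "false": False, "off": False, "0": False}

def parse_bool(value: str):  # Samba's boolean spellings -> True/False, None if unknown
    return _BOOLS.get(value.strip().lower())

def parse_global(text: str) -> dict:
    """{normalised option: value} for [global]; client options only count there.
    '#'/';' comment lines are skipped and a trailing '# ...' is dropped so the
    advisory's own 'NT1 # or lower' notation parses."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            opts[_norm(key)] = value.split("#", 1)[0].strip()
    return opts

def is_downgradable(opts: dict) -> bool:
    """True only if all four options are explicitly set to the advisory's values;
    an unset option takes its safe default, so three out of four is not enough."""
    for name, want in RECOMMENDED_BOOLS.items():
        got = opts.get(_norm(name))
        if got is None or parse_bool(got) != (not want):
            return False
    return opts.get(_norm("client min protocol"), "").upper() in SMB1_DIALECTS

def audit(text: str) -> dict:
    """Downgrade possible? Which options deviate from the recommendation? Is
    Kerberos enforced via the 4.15+ 'client use kerberos = required'?"""
    opts = parse_global(text)
    deviations = {}
    for name, want in RECOMMENDED_BOOLS.items():
        got = opts.get(_norm(name))
        if got is not None and parse_bool(got) != want:  # unparsable values count
            deviations[name] = got
    proto = opts.get(_norm("client min protocol"))
    if proto is not None and proto.upper() in SMB1_DIALECTS:
        deviations["client min protocol"] = proto
    kerberos = opts.get(_norm("client use kerberos"), "").strip().lower()
    return {"downgradable": is_downgradable(opts),
            "deviations": deviations,
            "kerberos_required": kerberos == "required"}

# Constructed sample configurations, not taken from any real system.
VULNERABLE_CONF = """[global]
   client NTLMv2 auth = no
   client lanman auth = yes
   client plaintext auth = yes
   client min protocol = NT1 # or lower
"""

# Same weak settings with odd casing, spacing and boolean spellings, and an
# even older dialect: normalisation still catches it.
LANMAN_CONF = """[global]
   Client  NTLMv2 Auth = false
   client lanman auth = True
   CLIENT PLAINTEXT AUTH = 1
   client min protocol = lanman2
"""

# Only three of the four set: plaintext auth keeps its default, so no downgrade.
THREE_OF_FOUR_CONF = """[global]
   client NTLMv2 auth = no
   client lanman auth = yes
   client min protocol = NT1
"""

# The advisory's recommended values plus Kerberos enforcement (4.15+).
RECOMMENDED_CONF = """[global]
   client lanman auth = no
   client NTLMv2 auth = yes
   client plaintext auth = no
   client min protocol = SMB2_02
   client use kerberos = required
"""

if __name__ == "__main__":
    for conf in (VULNERABLE_CONF, LANMAN_CONF, THREE_OF_FOUR_CONF, RECOMMENDED_CONF):
        print(audit(conf))
```

Note that the 'deviations' list and the 'downgradable' verdict answer different questions: a host with only three of the four options set is not downgradable in the sense of this advisory, but it still carries weak client settings worth fixing, which is why the script reports them separately.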
This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org),
who also provided the fixes.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
==========================================================