libcli/smb/smbXcli_base.c in Samba 4.x before 4.2.14, 4.3.x before 4.3.11, and 4.4.x before 4.4.5 allows man-in-the-middle attackers to bypass a client-signing protection mechanism, and consequently spoof SMB2 and SMB3 servers, via the (1) SMB2_SESSION_FLAG_IS_GUEST or (2) SMB2_SESSION_FLAG_IS_NULL flag.

The remote NewStart CGSL host, running version MAIN 6.02, has samba packages installed that are affected by multiple vulnerabilities:

  - Multiple heap-based buffer overflows in the NDR parsing in smbd in Samba 3.0.0 through 3.0.25rc3 allow     remote attackers to execute arbitrary code via crafted MS-RPC requests involving (1) DFSEnum     (netdfs_io_dfs_EnumInfo_d), (2) RFNPCNEX (smb_io_notify_option_type_data), (3) LsarAddPrivilegesToAccount     (lsa_io_privilege_set), (4) NetSetFileSecurity (sec_io_acl), or (5) LsarLookupSids/LsarLookupSids2     (lsa_io_trans_names). (CVE-2007-2446)

  - The MS-RPC functionality in smbd in Samba 3.0.0 through 3.0.25rc3 allows remote attackers to execute     arbitrary commands via shell metacharacters involving the (1) SamrChangePassword function, when the     username map script smb.conf option is enabled, and allows remote authenticated users to execute     commands via shell metacharacters involving other MS-RPC functions in the (2) remote printer and (3) file     share management. (CVE-2007-2447)

  - Heap-based buffer overflow in the receive_smb_raw function in util/sock.c in Samba 3.0.0 through 3.0.29     allows remote attackers to execute arbitrary code via a crafted SMB response. (CVE-2008-1105)

  - Samba 3.4 before 3.4.2, 3.3 before 3.3.8, 3.2 before 3.2.15, and 3.0.12 through 3.0.36, as used in the SMB     subsystem in Apple Mac OS X 10.5.8 when Windows File Sharing is enabled, Fedora 11, and other operating     systems, does not properly handle errors in resolving pathnames, which allows remote authenticated users     to bypass intended sharing restrictions, and read, create, or modify files, in certain circumstances     involving user accounts that lack home directories. (CVE-2009-2813)

  - smbd in Samba 3.0 before 3.0.37, 3.2 before 3.2.15, 3.3 before 3.3.8, and 3.4 before 3.4.2 allows remote     authenticated users to cause a denial of service (infinite loop) via an unanticipated oplock break     notification reply packet. (CVE-2009-2906)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote host is affected by the vulnerability described in GLSA-201805-07 (Samba: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in Samba. Please review       the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could possibly execute arbitrary code, cause a Denial       of Service condition, conduct a man-in-the-middle attack, or obtain       sensitive information.
  Workaround :

    There is no known workaround at this time.

According to the version of the samba packages installed, the EulerOS installation on the remote host is affected by the following vulnerability :

  - A flaw was found in the way Samba initiated signed     DCE/RPC connections. A man-in-the-middle attacker could     use this flaw to downgrade the connection to not use     signing and therefore impersonate the server.
    (CVE-2016-2119)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file, print, and login server for Unix. The Common Vulnerabilities and Exposures project identifies the following issues :

  - CVE-2016-2119     Stefan Metzmacher discovered that client-side SMB2/3     required signing can be downgraded, allowing a     man-in-the-middle attacker to impersonate a server being     connected to by Samba, and return malicious results.

  - CVE-2016-2123     Trend Micro's Zero Day Initiative and Frederic Besler     discovered that the routine ndr_pull_dnsp_name, used to     parse data from the Samba Active Directory ldb database,     contains an integer overflow flaw, leading to an     attacker-controlled memory overwrite. An authenticated     user can take advantage of this flaw for remote     privilege escalation.

  - CVE-2016-2125     Simo Sorce of Red Hat discovered that the Samba client     code always requests a forwardable ticket when using     Kerberos authentication. A target server, which must be     in the current or trusted domain/realm, is given a valid     general purpose Kerberos 'Ticket Granting Ticket' (TGT),     which can be used to fully impersonate the authenticated     user or service.

  - CVE-2016-2126     Volker Lendecke discovered several flaws in the Kerberos     PAC validation. A remote, authenticated, attacker can     cause the winbindd process to crash using a legitimate     Kerberos ticket due to incorrect handling of the PAC     checksum. A local service with access to the winbindd     privileged pipe can cause winbindd to cache elevated     access permissions.

According to its banner, the version of Samba running on the remote host is 4.2.x prior to 4.2.14, 4.3.x prior to 4.3.11, or 4.4.x prior to 4.4.5. Therefore, it is affected by a flaw within 'libcli/smb/smbXcli_base.c' that is triggered when handling SMB2/3 client connections. This may allow a MitM attacker to downgrade the required signing for a SMB2/3 client connection.

This update for samba provides the following fix: Following security issue was fixed :

  - CVE-2016-2119: Prevent client-side SMB2 signing     downgrade. (bsc#986869) Also the following bugs were     fixed :

  - Fix possible ctdb crash when opening sockets with     htons(IPPROTO_RAW). (bsc#969522)

  - Honor smb.conf socket options in winbind. (bsc#975131)

  - Fix ntlm-auth segmentation fault with squid.
    (bsc#986228)

  - Implement new '--no-dns-updates' option in 'net ads'     command. (bsc#991564)

  - Fix population of ctdb sysconfig after source merge.
    (bsc#981566)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Ubuntu 14.04 LTS / 16.04 LTS host has packages installed that are affected by a vulnerability as referenced in the USN-3092-1 advisory.

    Stefan Metzmacher discovered that Samba incorrectly handled certain flags in SMB2/3 client connections. A     remote attacker could use this issue to disable client signing and impersonate servers by performing a     machine-in-the-middle attack.

    Samba has been updated to 4.3.11 in Ubuntu 14.04 LTS and Ubuntu 16.04 LTS. In addition to the security     fix, the updated packages contain bug fixes, new features, and possibly incompatible changes.

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

This update for samba provides the following fixes :

  - CVE-2016-2119: Prevent client-side SMB2 signing     downgrade. (bsc#986869)

  - Fix possible ctdb crash when opening sockets with     htons(IPPROTO_RAW). (bsc#969522)

  - Honor smb.conf socket options in winbind. (bsc#975131)

  - Fix ntlm-auth segmentation fault with squid.
    (bsc#986228)

  - Implement new '--no-dns-updates' option in 'net ads'     command. (bsc#991564)

  - Fix population of ctdb sysconfig after source merge.
    (bsc#981566) This update was imported from the     SUSE:SLE-12-SP1:Update project.

This update for samba provides the following fixes :

  - CVE-2016-2119: Prevent client-side SMB2 signing     downgrade. (bsc#986869)

  - Fix possible ctdb crash when opening sockets with     htons(IPPROTO_RAW). (bsc#969522)

  - Honor smb.conf socket options in winbind. (bsc#975131)

  - Fix ntlm-auth segmentation fault with squid.
    (bsc#986228)

  - Implement new '--no-dns-updates' option in 'net ads'     command. (bsc#991564)

  - Fix population of ctdb sysconfig after source merge.
    (bsc#981566)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server.

The remote Redhat Enterprise Linux 6 / 7 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2016:1494 advisory.

    Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common     Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and     various information.

    Security Fix(es):

    * A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker     could use this flaw to downgrade the connection to not use signing and therefore impersonate the server.
    (CVE-2016-2119)

    Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan     Metzmacher as the original reporter.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Security Fix(es) :

  - A flaw was found in the way Samba initiated signed     DCE/RPC connections. A man-in-the-middle attacker could     use this flaw to downgrade the connection to not use     signing and therefore impersonate the server.
    (CVE-2016-2119)

Bug Fix(es) :

  - Previously, the 'net' command in some cases failed to     join the client to Active Directory (AD) because the     permissions setting prevented modification of the     supported Kerberos encryption type LDAP attribute. With     this update, Samba has been fixed to allow joining an AD     domain as a user. In addition, Samba now uses the     machine account credentials to set up the Kerberos     encryption types within AD for the joined machine. As a     result, using 'net' to join a domain now works more     reliably.

  - Previously, the idmap_hash module worked incorrectly     when it was used together with other modules. As a     consequence, user and group IDs were not mapped     properly. A patch has been applied to skip already     configured modules. Now, the hash module can be used as     the default idmap configuration back end and IDs are     resolved correctly.

Security Fix(es) :

  - A flaw was found in the way Samba initiated signed     DCE/RPC connections. A man-in-the-middle attacker could     use this flaw to downgrade the connection to not use     signing and therefore impersonate the server.
    (CVE-2016-2119)

An update for samba is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Samba is an open source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.

Security Fix(es) :

* A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server. (CVE-2016-2119)

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher as the original reporter.

Bug Fix(es) :

* Previously, the 'net' command in some cases failed to join the client to Active Directory (AD) because the permissions setting prevented modification of the supported Kerberos encryption type LDAP attribute. With this update, Samba has been fixed to allow joining an AD domain as a user. In addition, Samba now uses the machine account credentials to set up the Kerberos encryption types within AD for the joined machine. As a result, using 'net' to join a domain now works more reliably. (BZ#1351260)

* Previously, the idmap_hash module worked incorrectly when it was used together with other modules. As a consequence, user and group IDs were not mapped properly. A patch has been applied to skip already configured modules. Now, the hash module can be used as the default idmap configuration back end and IDs are resolved correctly.
(BZ#1350759)

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-1487 advisory.

    [4.2.10-7]
    - resolves: #1351957 - Fix CVE-2016-2119

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2016-1486 advisory.

    - resolves: #1351960 - Fix CVE-2016-2119

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

An update for samba4 is now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Samba is an open source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

Security Fix(es) :

* A flaw was found in the way Samba initiated signed DCE/RPC connections. A man-in-the-middle attacker could use this flaw to downgrade the connection to not use signing and therefore impersonate the server. (CVE-2016-2119)

Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Stefan Metzmacher as the original reporter.

The version of Samba running on the remote host is 4.x prior to 4.2.14, 4.3.x prior to 4.3.11, or 4.4.x prior to 4.4.5. It is, therefore, affected by a flaw in libcli/smb/smbXcli_base.c that is triggered when handling SMB2 and SMB3 client connections. A man-in-the-middle attacker can exploit this, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags, to downgrade the required signing for a client connection, allowing the attacker to spoof SMB2 and SMB3 servers.

This update for samba fixes the following issues :

  - Prevent client-side SMB2 signing downgrade;
    CVE-2016-2119; (bso#11860); (boo#986869).

  - Honor smb.conf socket options in winbind; (boo#975131).

  - Don't use htons() with IP_PROTO_RAW; (bso#11705);
    (boo#969522).

Security fix for CVE-2016-2119

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website.
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Samba team reports :

A man in the middle attack can disable client signing over SMB2/3, even if enforced by configuration parameters.

New samba packages are available for Slackware 14.0, 14.1, 14.2, and
-current to fix security issues.

ID	Name	Product	Family	Severity
206855	NewStart CGSL MAIN 6.02 : samba Multiple Vulnerabilities (NS-SA-2024-0054)	Nessus	NewStart CGSL Local Security Checks	critical
109974	GLSA-201805-07 : Samba: Multiple vulnerabilities (SambaCry)	Nessus	Gentoo Local Security Checks	critical
99794	EulerOS 2.0 SP1 : samba (EulerOS-SA-2016-1031)	Nessus	Huawei Local Security Checks	high
95936	Debian DSA-3740-1 : samba - security update	Nessus	Debian Local Security Checks	high
9823	Samba 4.2.x < 4.2.14 / 4.3.x < 4.3.11 / 4.4.x < 4.4.5 MitM	Nessus Network Monitor	Samba	medium
94274	SUSE SLES12 Security Update : samba (SUSE-SU-2016:2570-1)	Nessus	SuSE Local Security Checks	high
93800	Ubuntu 14.04 LTS / 16.04 LTS : Samba vulnerability (USN-3092-1)	Nessus	Ubuntu Local Security Checks	high
93702	openSUSE Security Update : samba (openSUSE-2016-1111)	Nessus	SuSE Local Security Checks	high
93508	SUSE SLED12 / SLES12 Security Update : samba (SUSE-SU-2016:2306-1)	Nessus	SuSE Local Security Checks	high
93010	Amazon Linux AMI : samba (ALAS-2016-732)	Nessus	Amazon Linux Local Security Checks	high
92603	RHEL 6 / 7 : samba (RHSA-2016:1494)	Nessus	Red Hat Local Security Checks	high
92582	Scientific Linux Security Update : samba on SL7.x x86_64 (20160726)	Nessus	Scientific Linux Local Security Checks	high
92581	Scientific Linux Security Update : samba4 on SL6.x i386/x86_64 (20160726)	Nessus	Scientific Linux Local Security Checks	high
92579	RHEL 7 : samba (RHSA-2016:1486)	Nessus	Red Hat Local Security Checks	high
92577	Oracle Linux 6 : samba4 (ELSA-2016-1487)	Nessus	Oracle Linux Local Security Checks	high
92576	Oracle Linux 7 : samba (ELSA-2016-1486)	Nessus	Oracle Linux Local Security Checks	high
92567	CentOS 6 : samba4 (CESA-2016:1487)	Nessus	CentOS Local Security Checks	high
92566	CentOS 7 : samba (CESA-2016:1486)	Nessus	CentOS Local Security Checks	high
92553	RHEL 6 : samba4 (RHSA-2016:1487)	Nessus	Red Hat Local Security Checks	high
92466	Samba 4.x < 4.2.14 / 4.3.x < 4.3.11 / 4.4.x < 4.4.5 SMB2/3 Client Connection Required Signing Downgrade	Nessus	Misc.	high
92450	openSUSE Security Update : samba (openSUSE-2016-881)	Nessus	SuSE Local Security Checks	high
92330	Fedora 23 : 2:samba (2016-48b53757a9)	Nessus	Fedora Local Security Checks	high
92227	Fedora 24 : 2:samba (2016-0acec022f4)	Nessus	Fedora Local Security Checks	high
92027	FreeBSD : samba -- client side SMB2/3 required signing can be downgraded (4729c849-4897-11e6-b704-000c292e4fd8)	Nessus	FreeBSD Local Security Checks	high
91976	Slackware 14.0 / 14.1 / 14.2 / current : samba (SSA:2016-189-01)	Nessus	Slackware Local Security Checks	high

Detections

Analytics

CVE-2016-2119

high

Tenable Plugins

critical

critical

high

high

medium

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high

high