Detections
Analytics

Samba 4.2.x < 4.2.11 / 4.3.x < 4.3.8 / 4.4.x < 4.4.2 Multiple MitM

medium Nessus Network Monitor Plugin ID 9822

Synopsis

The remote host is running a version of Samba server that is affected by multiple MitM (Man-in-the-Middle) attack vectors.

Description

According to its banner, the version of Samba running on the remote host is 4.2.x prior to 4.2.11, 4.3.x prior to 4.3.8, or 4.4.x prior to 4.4.2. Therefore, it is affected by the following vulnerabilities :

 - A flaw exists in the DCE-RPC client that is triggered during the handling of specially crafted DCE-RPC packets. This may allow a remote attacker to conduct a MitM attack, downgrade a secure connection to an insecure one, cause a consumption of CPU resources, or potentially execute arbitrary code. (CVE-2015-5370)
 - A flaw exists in the implementation of NTLMSSP authentication that may allow a MitM attacker to conduct multiple attacks. This may allow the attacker to clear 'NTLMSSP_NEGOTIATE_SIGN' and 'NTLMSSP_NEGOTIATE_SEAL', take over connections, cause traffic to be sent without encryption, or potentially have other impacts. (CVE-2016-2110)
 - A flaw exists in NETLOGON that is due to the program failing to properly establish a secure channel connection. This may allow a remote MitM attacker to spoof a secure channel's endpoints' computer name and potentially obtain session information. (CVE-2016-2111)
 - A flaw exists that is due to a lack of integrity protection mechanisms. This may allow a remote MitM attacker to downgrade a secure LDAP connection to an insecure version of the connection. (CVE-2016-2112)
 - A flaw exists as TLS certificates are not properly validated for the LDAP and HTTP protocols. By spoofing the server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data. (CVE-2016-2113)
 - A flaw exists that is due to the program failing to enforce the 'server signing = mandatory' option in 'smb.conf' for clients using the SMB1 protocol. This may result in SMB signing not being properly required, potentially allowing a MitM attacker to conduct spoofing attacks. (CVE-2016-2114)
 - A flaw exists that is due to the program failing to perform integrity checks for SMB client connections. As the protection mechanisms for DCERPC communication sessions are inherited from the underlying SMB connection, this may allow a MitM attacker to conduct spoofing attacks. (CVE-2016-2115)

Solution

Upgrade Samba to version 4.4.2 or later. If version 4.4.x cannot be obtained, versions 4.3.8, and 4.2.11 are also patched for these issues.

See Also

https://www.samba.org/samba/security/CVE-2015-5370.html

https://www.samba.org/samba/security/CVE-2016-2110.html

https://www.samba.org/samba/security/CVE-2016-2111.html

https://www.samba.org/samba/security/CVE-2016-2112.html

https://www.samba.org/samba/security/CVE-2016-2113.html

https://www.samba.org/samba/security/CVE-2016-2114.html

https://www.samba.org/samba/security/CVE-2016-2115.html

Plugin Details

Severity: Medium

ID: 9822

Family: Samba

Published: 12/9/2016

Updated: 3/6/2019

Nessus ID: 90519

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: Medium

Base Score: 5.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:N

CVSS v3

Risk Factor: Medium

Base Score: 4.8

Temporal Score: 4.6

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Temporal Vector: CVSS:3.0/E:X/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:samba:samba

Patch Publication Date: 4/12/2016

Vulnerability Publication Date: 4/12/2016

Reference Information

CVE: CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115

BID: 86011