Badlock: Samba Vulns & Patching your machines

Hello again folks,

Unless you are living in a black hole (aka a SCIF), or are otherwise totally disconnected from the news, you have likely heard about the numerous vulns that dropped on Tuesday as a series of CVEs better known as ‘badlock’. Well, there is good news for those on Red Hat based distros! Patches are already in the default repos for Fedora / RHEL / CentOS.

So, a quick layman’s rundown, and then on to how to patch / update. Below are tl;dr briefs of each vulnerability (hyperlinks direct to the respective Red Hat Access Customer Portal advisories).

For those desiring the more technical read: Badlock: Red Hat Security Announcement

CVE-2015-5370

Multiple flaws were found in Samba’s DCE/RPC protocol implementation. A remote, authenticated attacker could use them to cause a denial of service against the Samba server (high CPU load or a crash) or, possibly, execute arbitrary code with the permissions of the user running Samba (root). A man-in-the-middle (MITM) attacker could also use these flaws to downgrade a secure DCE/RPC connection, take control of an Active Directory (AD) object and compromise the security of a Samba Active Directory Domain Controller (DC).

CVE-2016-2110

Several flaws were found in Samba’s implementation of NTLMSSP authentication. An unauthenticated, man-in-the-middle attacker could use this flaw to clear the encryption and integrity flags of a connection, causing data to be transmitted in plain text. The attacker could also force the client or server into sending data in plain text even if encryption was explicitly requested for that connection.

LDAP (with NTLMSSP authentication) is used as a client by various administrative Samba project tools (for example, “net”, “samba-tool”, “ldbsearch”, or “ldbedit”).

CVE-2016-2111

It was discovered that Samba configured as a Domain Controller (DC) would establish a secure communication channel with a machine using a spoofed computer name (aka a rogue machine). In this scenario a remote attacker could then observe network traffic to obtain session-related information about the spoofed machine.

This flaw only affects Samba running as a classic primary DC, backup DC, or Active Directory DC.

CVE-2016-2112

It was found that Samba’s LDAP implementation did not enforce integrity protection for LDAP connections. A man-in-the-middle (MITM) attacker could use this flaw to downgrade LDAP connections to use no integrity protection, allowing them to hijack such connections.

This flaw affects all possible roles Samba can operate in.

The security advisory patch for this flaw introduces a new smb.conf option.

Note: The LDAP server does not have an option to enforce strong authentication yet. The security patches mentioned herein introduce a new option called ldap_server_require_strong_auth, possible values of which are no, allow_sasl_over_tls and yes.

As the default behavior was set to no before, you may have to explicitly change this option until all clients have been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors. Windows clients and Samba member servers already use integrity protection.

CVE-2016-2113

It was found that Samba did not validate SSL/TLS certificates in certain connections. A man-in-the-middle attacker could use this flaw to spoof a Samba server using a specially crafted SSL/TLS certificate (like the one made famous recently, known as ‘Drown’).

This flaw affects all possible roles Samba can operate in.

The security advisory patch for this flaw introduces a new smb.conf option; see the smb.conf manual page for details.

CVE-2016-2114

It was discovered that Samba did not enforce Server Message Block (SMB) signing for clients using the SMB1 protocol. A man-in-the-middle attacker could use this flaw to modify traffic between a client and a server.

This flaw affects the following server roles: standalone server, member server, classic primary DC, backup DC, and Active Directory DC.

Mitigation:

An explicit server signing = mandatory configuration option in the [global] section of the smb.conf file, together with server min protocol = SMB2, should prevent connections without signing protection. However, this may prevent older clients without support for SMB2 (or higher) from connecting.

Patched versions are in default repos:

4.4.2 (in f24), 4.3.8 (in f23) and 4.2.11 (in f22)

CVE-2016-2115

It was found that Samba did not enable integrity protection for IPC traffic by default. A man-in-the-middle attacker could use this flaw to view and modify the data sent between a Samba server and a client. (Very similar to CVE-2016-2114, but via a different packet modification vector.)

The security advisory patch for this flaw introduces several new smb.conf options; see the smb.conf manual page for details.

Mitigation:

Set an explicit client signing = mandatory configuration option in the [global] section of the smb.conf file.

This flaw affects all possible roles Samba can operate in.

Patched versions are in default repos:

4.4.2 (in f24), 4.3.8 (in f23) and 4.2.11 (in f22)
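The advisories above name the smb.conf settings that close CVE-2016-2112, CVE-2016-2114 and CVE-2016-2115. The following shell script is an added example, not code from this post or from the Samba project, that checks a config for those settings. It assumes a POSIX sh with awk, spells the LDAP option the way the smb.conf man page does (spaces rather than underscores), and uses two constructed smb.conf snippets as its input:

```shell
#!/bin/sh
# Added example, not code from the original post: audit the [global] section of
# an smb.conf for the Badlock mitigations described in the advisories above.
# The two configs below are constructed for the demo; on a real host feed in the
# output of `testparm -s` instead, which prints Samba's effective configuration.

# smb_global_opt KEY: print the effective value of KEY in [global] from the
# smb.conf text on stdin, or "(unset)". Samba ignores case and whitespace in
# option names, and the last occurrence of an option wins; both are mirrored.
smb_global_opt() {
    want=$(printf '%s' "$1" | tr -d ' \t' | tr '[:upper:]' '[:lower:]')
    awk -v want="$want" '
        /^[ \t]*[#;]/ { next }                                  # comment lines
        /^[ \t]*\[/   { sec = tolower($0); gsub(/[][ \t]/, "", sec); next }
        sec == "global" && /=/ {
            name = $0; sub(/=.*/, "", name); gsub(/[ \t]/, "", name)
            if (tolower(name) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                found = 1
            }
        }
        END { print (found ? val : "(unset)") }'
}

# check_opt KEY EXPECTED: compare one option in $CONF; sets RC=1 on mismatch.
check_opt() {
    got=$(printf '%s\n' "$CONF" | smb_global_opt "$1")
    if [ "$got" = "$2" ]; then
        echo "OK    $1 = $got"
    else
        echo "FAIL  $1 = $got (want $2)"
        RC=1
    fi
}

# audit_badlock CONFIG_TEXT: returns 0 only if every mitigation is in place.
audit_badlock() {
    CONF=$1; RC=0
    check_opt "server signing" mandatory             # CVE-2016-2114: no unsigned SMB1
    check_opt "server min protocol" SMB2             # CVE-2016-2114: SMB2 or higher only
    check_opt "client signing" mandatory             # CVE-2016-2115: sign Samba's own client side
    check_opt "ldap server require strong auth" yes  # CVE-2016-2112: reject unprotected LDAP binds
    return $RC
}

# Constructed sample configs: one as many installs look today, one hardened.
WEAK='[global]
   workgroup = EXAMPLE
   server signing = auto
   client signing = auto
[homes]
   browseable = no'

HARDENED='[global]
   workgroup = EXAMPLE
   # CVE-2016-2114: refuse unsigned SMB1 connections
   server signing = mandatory
   server min protocol = SMB2
   # CVE-2016-2115: sign IPC traffic Samba initiates as a client
   client signing = mandatory
   # CVE-2016-2112: require integrity protection on LDAP binds
   ldap server require strong auth = yes
[homes]
   browseable = no'

echo "--- weak config ---";     audit_badlock "$WEAK"
echo "--- hardened config ---"; audit_badlock "$HARDENED"
```

Feeding it `testparm -s` output rather than the raw file picks up options pulled in through include files and shows the value Samba actually applies. A FAIL on server min protocol for a host that still has to serve SMB1-only clients is exactly the trade-off the mitigation text above warns about.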

CVE-2016-2118

DCE/RPC is the specification for a remote procedure call mechanism that defines both APIs and an over-the-network protocol. The Security Account Manager (SAM) Remote Protocol (Client-to-Server) provides management functionality for an account store or directory containing users and groups. The protocol exposes the “account database” for both local and remote Microsoft Active Directory domains. The Local Security Authority (Domain Policy) Remote Protocol is used to manage various machine and domain security policies. This protocol, with minor exceptions, enables remote policy-management scenarios. Both the SAMR (Security Account Manager Remote) and LSA (Local Security Authority) protocols are based on the DCE 1.1 RPC protocol.
These protocols are typically available to all Windows installations, as well as every Samba server. They are used to maintain the Security Account Manager database. This applies to all roles (for example, standalone, domain controller, or domain member).

PATCH TIME:

Fedora 22:
    sudo yum update samba

Fedora 23 / 24 Alpha:
    sudo dnf update samba

CentOS 6 / 7:
    sudo yum update samba
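For the update step, this added shell snippet (mine, not the post's) checks whether the Samba package on a Fedora host is at or past the fixed upstream release listed above for its branch. It assumes rpm is available and falls back to a constructed version string when it is not:

```shell
#!/bin/sh
# Added example, not code from the original post: decide whether an installed
# Samba is at or past the fixed upstream release. The fixed version is looked up
# per branch because 4.3.7 is numerically newer than 4.2.11 yet still unpatched.

# fixed_version_for INSTALLED: fixed upstream version for that branch, taken
# from the versions listed in the post; prints nothing for other branches.
fixed_version_for() {
    case "$1" in
        4.4.*) echo 4.4.2 ;;
        4.3.*) echo 4.3.8 ;;
        4.2.*) echo 4.2.11 ;;
        *)     echo "" ;;
    esac
}

# version_ge A B: true when dotted version A >= B, compared field by field as
# numbers (so 4.2.11 > 4.2.9, and 4.2 == 4.2.0). A trailing dot is appended so
# cut always sees a delimiter and empty fields read as 0.
version_ge() {
    i=1
    while :; do
        x=$(printf '%s.' "$1" | cut -d. -f"$i")
        y=$(printf '%s.' "$2" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 0
        x=${x:-0}; y=${y:-0}
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
}

# samba_is_patched INSTALLED: 0 = patched, 1 = not patched, 2 = branch unknown.
samba_is_patched() {
    fixed=$(fixed_version_for "$1")
    [ -z "$fixed" ] && return 2
    version_ge "$1" "$fixed"
}

# On a live host read the version from rpm; otherwise use a constructed value
# (assumption for offline runs).
if command -v rpm >/dev/null 2>&1 && rpm -q samba >/dev/null 2>&1; then
    installed=$(rpm -q --qf '%{VERSION}\n' samba)
else
    installed=4.3.7
fi

if samba_is_patched "$installed"; then
    echo "samba $installed: at or past fixed release $(fixed_version_for "$installed")"
elif [ $? -eq 2 ]; then
    echo "samba $installed: branch not covered by the fixed versions listed"
else
    echo "samba $installed: NOT patched, update to $(fixed_version_for "$installed") or later"
fi
```

A plain numeric comparison is wrong across branches (4.3.7 sorts after 4.2.11 but has none of the fixes), which is why the fixed version is chosen per branch first. On RHEL and CentOS, Red Hat backports the fixes without bumping the upstream version number, so there compare `rpm -q --changelog samba` against the CVE ids rather than trusting the version string.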