[SCM] Samba Shared Repository - branch v4-4-test updated

Karolin Seeger kseeger at samba.org
Thu Jul 7 09:22:57 UTC 2016


The branch, v4-4-test has been updated
       via  bc776bc Merge tag 'samba-4.4.5' into v4-4-test
       via  fb3e629 VERSION: Disable git snapshots for the 4.4.5 release.
       via  a1a715f WHATSNEW: Add release notes for Samba 4.4.5.
       via  f7e1a59 CVE-2016-2019: s3:selftest: add regression tests for guest logins and mandatory signing
       via  94295b7 CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest() with mandatory signing
       via  46b5e4a CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
       via  a9a1ec7 dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
       via  eb09411 s4:rpc_server: use a variable for the max total reassembled request payload
       via  cba64f2 s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
       via  203c0a5 dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
       via  3eb3214 VERSION: Bump version up to 4.4.5...
      from  a2353be s3-winbind: Fix memory leak with each cached credential login

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-4-test


- Log -----------------------------------------------------------------
commit bc776bc4b4299c270edea03a091afd086ac16d7d
Merge: a2353be fb3e629
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Jul 7 11:22:37 2016 +0200

    Merge tag 'samba-4.4.5' into v4-4-test
    
    samba: tag release samba-4.4.5

-----------------------------------------------------------------------

Summary of changes:
 WHATSNEW.txt                                | 77 ++++++++++++++++++++++++++++-
 libcli/smb/smbXcli_base.c                   | 19 ++++++-
 source3/libsmb/cliconnect.c                 |  3 ++
 source3/script/tests/test_smbclient_ntlm.sh |  4 ++
 4 files changed, 99 insertions(+), 4 deletions(-)


Changeset truncated at 500 lines:

diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index ca3c325..0e2de46 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,77 @@
                    =============================
+                   Release Notes for Samba 4.4.5
+                           July 7, 2016
+                   =============================
+
+
+This is a security release in order to address the following defect:
+
+o  CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
+
+=======
+Details
+=======
+
+o  CVE-2016-2119:
+   It's possible for an attacker to downgrade the required signing for
+   an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+   or SMB2_SESSION_FLAG_IS_NULL flags.
+
+   This means that the attacker can impersonate a server being connected to by
+   Samba, and return malicious results.
+
+   The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
+   to domain controllers as a member server, and trusted domains as a domain
+   controller.  These DCE/RPC connections were intended to protected by the
+   combination of "client ipc signing" and
+   "client ipc max protocol" in their effective default settings
+   ("mandatory" and "SMB3_11").
+
+   Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+   over SMB2/3 connections.
+
+   By default, other tools in Samba are unprotected, but rarely they are
+   configured to use smb signing, via the "client signing" parameter (the default
+   is "if_required").  Even more rarely the "client max protocol" is set to SMB2,
+   rather than the NT1 default.
+
+   If both these conditions are met, then this issue would also apply to these
+   other tools, including command line tools like smbcacls, smbcquota, smbclient,
+   smbget and applications using libsmbclient.
+
+
+Changes since 4.4.4:
+--------------------
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
+   * BUG 11948: Total dcerpc response payload more than 0x400000.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored.  All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+                   =============================
                    Release Notes for Samba 4.4.4
                            June 7, 2016
                    =============================
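Review bot: in the CVE-2016-2119 details paragraph, "These DCE/RPC connections were intended to protected by" is missing a word and should read "intended to be protected by". Separately, the release notes and the BUG 11860 entry use CVE-2016-2119, while the three commit subjects in this push are prefixed CVE-2016-2019. The identifiers should agree, or the mismatch should be recorded in the bug, because a search of the history for the number given in WHATSNEW will not match those commits.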
@@ -108,8 +181,8 @@ database (https://bugzilla.samba.org/).
 ======================================================================
 
 
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
 
                    =============================
                    Release Notes for Samba 4.4.3
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 4332374..691b8ff 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5312,6 +5312,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
 		return false;
 	}
 
+	if (session->conn->mandatory_signing) {
+		return false;
+	}
+
 	if (session->conn->protocol >= PROTOCOL_SMB2_02) {
 		if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
 			return true;
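Review bot: the new early return on session->conn->mandatory_signing makes smbXcli_session_is_guest() answer false even when the server set SMB2_SESSION_FLAG_IS_GUEST, and nothing at the check explains why. The only explanation in this push is the comment added in the caller in cliconnect.c. Suggest a short comment directly above the check saying that a guest session has no negotiated session key, so guest status is never accepted when signing is required. Callers that branch on this function then know the result reflects client policy and not only the server's flag.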
@@ -5571,7 +5575,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 					 const struct iovec *recv_iov)
 {
 	struct smbXcli_conn *conn = session->conn;
-	uint16_t no_sign_flags;
+	uint16_t no_sign_flags = 0;
 	uint8_t session_key[16];
 	bool check_signature = true;
 	uint32_t hdr_flags;
@@ -5596,7 +5600,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
 		return NT_STATUS_INVALID_PARAMETER_MIX;
 	}
 
-	no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
+	if (!conn->mandatory_signing) {
+		/*
+		 * only allow guest sessions without
+		 * mandatory signing.
+		 *
+		 * If we try an authentication with username != ""
+		 * and the server let us in without verifying the
+		 * password we don't have a negotiated session key
+		 * for signing.
+		 */
+		no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
+	}
 
 	if (session->smb2->session_flags & no_sign_flags) {
 		session->smb2->should_sign = false;
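Review bot: SMB2_SESSION_FLAG_IS_NULL is dropped from no_sign_flags in every case, not only when conn->mandatory_signing is set, but the new comment explains the guest case alone. Before this change a session flagged IS_NULL cleared should_sign; afterwards it never does, even on connections that do not require signing. If that is intentional, say so in the comment (for example "SMB2_SESSION_FLAG_IS_NULL no longer disables signing"), so the behaviour change for anonymous sessions without mandatory signing is not mistaken for an oversight.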
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index ea92c8f..ebba8f2 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
 			 * have a negotiated session key.
 			 *
 			 * So just pretend we are completely done.
+			 *
+			 * Note that smbXcli_session_is_guest()
+			 * always returns false if we require signing.
 			 */
 			state->blob_in = data_blob_null;
 			state->local_ready = true;
diff --git a/source3/script/tests/test_smbclient_ntlm.sh b/source3/script/tests/test_smbclient_ntlm.sh
index b8fc564..33a927f 100755
--- a/source3/script/tests/test_smbclient_ntlm.sh
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -37,4 +37,8 @@ else
 
 	testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
 	testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+
+	testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
+	testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
+	testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
 fi
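Review bot: the three signfail cases use testit_expect_failure, so they only assert that smbclient fails, not that it fails because a guest session was refused under --signing=required. They would also pass if the connection broke for an unrelated reason. Suggest checking the command output for the expected status as well, so the regression test is tied to the signing check. Note too that only one of the three cases (-mSMB3) exercises the SMB2/3 path that the release notes describe; the other two run with -mNT1.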


-- 
Samba Shared Repository


