[REGRESSION] sever signing = default (false) for smbd (with CVE-2016-2115)

Stefan Metzmacher metze at samba.org
Thu Apr 14 07:27:27 UTC 2016


Am 14.04.2016 um 08:56 schrieb Andrew Bartlett:
> On Thu, 2016-04-14 at 08:35 +0200, Andreas Schneider wrote:
>> Hello,
>>
>> at least in Samba 3.6 we have 'server signing = false' as the default
>> case. 
>> With CVE-2016-2115 we have 'client ipc signing = required'. This
>> means that 
>> Samba clients which try a RPC connection to a PDC will fail because
>> the server 
>> doesn't support signing!
>>
>> Shouldn't we set 'server singing = auto' as the default for all Samba
>> versions 
>> now?
> 
> The issue historically was that some Windows clients would negotiate
> signing if it was available, and so slow performance dramatically. 
> 
> Therefore almost everywhere it was disabled, and so useless for many
> years.
> 
> I do think that the 'client ipc signing = required' in non-ADS
> situations is a challenging security/functionality tradeoff.  I think
> it should always have been required on the DC, no matter if classic or
> AD, but many classic DCs were also file servers.

It is only a problem with 3.6 and older, where we didn't implenent
the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED logic.

With that logic in place client side required signing is always
possible, similar to the SMB2 situation.

If you want to avoid changing the smb.conf for 3.6 DCs or members
you need to implement FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED on client
and server.

I'm not sure in which Windows versions this got implemented, but
I guess all supported versions support
FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.

metze

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: OpenPGP digital signature
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20160414/3b64e5c8/signature.sig>


More information about the samba-technical mailing list