[REGRESSION] sever signing = default (false) for smbd (with CVE-2016-2115)

Andrew Bartlett abartlet at samba.org
Fri Apr 15 02:52:18 UTC 2016


On Thu, 2016-04-14 at 19:33 +1200, Andrew Bartlett wrote:
> On Thu, 2016-04-14 at 09:27 +0200, Stefan Metzmacher wrote:
> > 
> > It is only a problem with 3.6 and older, where we didn't implement
> > the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED logic.
> > 
> > With that logic in place client side required signing is always
> > possible, similar to the SMB2 situation.
> > 
> > If you want to avoid changing the smb.conf for 3.6 DCs or members
> > you need to implement FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED on
> > client and server.
> > 
> > I'm not sure in which Windows versions this got implemented, but
> > I guess all supported versions support
> > FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
> Thanks.  We really should push for folks running 3.6 as a DC to
> upgrade to 4.x as a classic DC.
> 
> That new joins fail without an smb.conf option is a reasonable nudge
> in that case, once we get a few cases folks can find with Google.
> 
> The irony is with the backported 3.6 not being able to join itself,
> but that is life on the trailing edge :-)

The flip side of this (client ipc signing = yes) is causing a fair bit
of drama in Debian land.

While patching the 3.6 server is OK, I don't think that is enough; for
3.6 in Debian I'm either going to change the default back to 'client
ipc signing = auto' or (more likely) just drop the patches for
CVE-2016-2115 entirely.

Because we don't have an SMB2 client, we can't rely on SMB2 always
providing smb signing.  Likewise 3.6 clients are often used with 3.6
servers (e.g. localhost!), with smb signing disabled.

This was less of an issue in 4.2 because we could use SMB2 for
DCE/RPC.

We can still backport the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED of
course, but we still have to work with unpatched servers.

Protection against CVE-2016-2115 should be enforced with 'client
signing = required' and 'server signing = required' if desired by the
admin.

Comments?

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba
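The message above argues that protection against CVE-2016-2115 should come from an admin explicitly setting 'client signing = required' and 'server signing = required' rather than from a changed 'client ipc signing' default. The following is an added example, not code from the Samba project or from this thread: a small audit that parses an smb.conf and reports which of the three signing options discussed here are left at a weaker (or compiled-in default) policy. The table of accepted value spellings reflects my understanding of Samba's loadparm enum and is an assumption; the sample config is constructed.

```python
import configparser

# Spellings Samba accepts for the signing options, mapped to an effective
# policy. Assumption based on my reading of loadparm's enum table; verify
# against "testparm -v" on the build you actually run.
_SIGNING_VALUES = {
    "default": "default",
    "no": "disabled", "false": "disabled", "0": "disabled",
    "off": "disabled", "disabled": "disabled",
    "auto": "if_required", "if_required": "if_required",
    "yes": "required", "true": "required", "1": "required",
    "on": "required", "enabled": "required", "mandatory": "required",
    "required": "required", "forced": "required",
}

# The options the thread discusses; the recommended policy is "required".
SIGNING_OPTIONS = ("client signing", "server signing", "client ipc signing")

# Constructed sample smb.conf: one option weak, one strong, one unset.
SAMPLE_CONF = """
[global]
    workgroup = EXAMPLE
    server signing = auto
    client signing = mandatory   ; synonym for required
    ; client ipc signing is left unset, so the compiled-in default applies
"""


def parse_global(text):
    """Return the [global] section of an smb.conf as {lowercased key: value}."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   inline_comment_prefixes=(";", "#"))
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "global":
            return {k.lower(): v.strip() for k, v in cp[section].items()}
    return {}


def audit_signing(text):
    """Map each signing option that is not explicitly 'required' to its policy."""
    globals_ = parse_global(text)
    findings = {}
    for opt in SIGNING_OPTIONS:
        # An absent option keeps the build's compiled-in default, which is
        # exactly what this thread says should not be relied upon.
        raw = globals_.get(opt, "default")
        policy = _SIGNING_VALUES.get(raw.lower(), "unknown")
        if policy != "required":
            findings[opt] = policy
    return findings
```

Run `audit_signing(open("/etc/samba/smb.conf").read())` on a real file; an empty result means all three options are explicitly set to a required policy.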
