[REGRESSION] server signing = default (false) for smbd (with CVE-2016-2115)

Andreas Schneider asn at samba.org
Fri Apr 15 05:49:00 UTC 2016


On Friday 15 April 2016 14:52:18 Andrew Bartlett wrote:
> On Thu, 2016-04-14 at 19:33 +1200, Andrew Bartlett wrote:
> > On Thu, 2016-04-14 at 09:27 +0200, Stefan Metzmacher wrote:
> > > 
> > >
> > > It is only a problem with 3.6 and older, where we didn't implement
> > > the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED logic.
> > > 
> > > With that logic in place client side required signing is always
> > > possible, similar to the SMB2 situation.
> > > 
> > > If you want to avoid changing the smb.conf for 3.6 DCs or members
> > > you need to implement FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED on
> > > client and server.
> > > 
> > > I'm not sure in which Windows versions this got implemented, but
> > > I guess all supported versions support
> > > FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED.
> > 
> > Thanks.  We really should push for folks running 3.6 as a DC to
> > upgrade to 4.x as a classic DC.
> > 
> > That new joins fail without an smb.conf option is a reasonable nudge
> > in that case, once we get a few cases folks can find with google.
> > 
> > The irony is with the backported 3.6 not being able to join itself,
> > but that is life on the trailing edge :-)
> 
> The flip side of this (client ipc signing = yes) is causing a fair bit
> of drama in Debian land.
> 
> While patching the 3.6 server is OK, I don't think that is enough; for
> 3.6 in Debian I'm either going to change the default back to 'client
> ipc signing = auto' or (more likely) just drop the patches for
> CVE-2016-2115 entirely.
> 
> Because we don't have an SMB2 client, we can't rely on SMB2 always
> providing smb signing.  Likewise 3.6 clients are often used with 3.6
> servers (eg localhost!), with smb signing disabled.  
> 
> This was less of an issue in 4.2 because we could use SMB2 for
> DCE/RPC.
> 
> We can still backport the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED of
> course, but we still have to work with unpatched servers.  
> 
> Protection against CVE-2016-2115 should be enforced with 'client
> signing = required' and 'server signing = required' if desired by the
> admin.
> 
> Comments?

I think we should set 'server signing = auto' and document that, if you have 
issues with file performance, you can either disable it (which is bad for 
security) or move to a newer Samba version.

However we have several other regressions in 3.6 we need to fix ...


	-- andreas

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
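The thread argues about which smb.conf signing settings a 3.6 admin has to set by hand ('server signing', 'client signing', and 'client ipc signing' on versions carrying the CVE-2016-2115 patches). As an added example that is not part of the thread or of Samba's own code, the script below writes two constructed smb.conf files, one with the permissive 'auto' settings and one with the enforced settings Andrew proposes, and audits a config for whether signing is actually mandatory on each side. The helper names (smb_signing_value, smb_signing_enforced, write_sample_conf, audit_signing) are hypothetical; the check only recognizes the spellings 'mandatory' and 'required' as enforcing, which is an assumption (Samba's parser accepts further aliases that this script does not model), and parameter-name matching ignores case and whitespace the way smb.conf does.

```shell
#!/bin/sh
# Added example (not Samba code): audit smb.conf SMB signing settings.
# Assumes POSIX sh and awk only.

# Print the effective value of a [global] parameter, lowercased; last
# definition wins as in smb.conf. Prints nothing if the parameter is unset.
# $1 = path to smb.conf, $2 = parameter name, e.g. "server signing"
smb_signing_value() {
    awk -v key="$2" '
        BEGIN { gsub(/[ \t]/, "", key); key = tolower(key) }
        /^[ \t]*[#;]/ { next }                          # comment lines
        /^[ \t]*\[/ { sect = tolower($0); gsub(/[][ \t]/, "", sect); next }
        sect == "global" && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            v = substr($0, index($0, "=") + 1)
            gsub(/[ \t]/, "", k)                        # names ignore whitespace/case
            gsub(/^[ \t]+|[ \t]+$/, "", v)
            if (tolower(k) == key) val = tolower(v)
        }
        END { if (val != "") print val }
    ' "$1"
}

# Return 0 when the parameter enforces signing. Assumption: only the
# spellings "mandatory" and "required" (used in the thread) count; an unset
# parameter is treated as not enforced, since the default is what is in dispute.
smb_signing_enforced() {
    case "$(smb_signing_value "$1" "$2")" in
        mandatory|required) return 0 ;;
        *) return 1 ;;
    esac
}

# Write a constructed sample smb.conf (not from any real host) to $1.
# $2 = "weak" (permissive 'auto' on both sides) or "hardened".
write_sample_conf() {
    case "$2" in
        weak) cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   server signing = auto
   client signing = auto
EOF
        ;;
        hardened) cat > "$1" <<'EOF'
[global]
   workgroup = EXAMPLE
   # Both sides mandatory, as proposed in the thread for CVE-2016-2115.
   server signing = required
   client signing = required
   # Only known to versions carrying the CVE-2016-2115 patches.
   client ipc signing = required
EOF
        ;;
    esac
}

# Print one line per signing parameter for the config at $1.
audit_signing() {
    for p in "server signing" "client signing" "client ipc signing"; do
        v=$(smb_signing_value "$1" "$p")
        if smb_signing_enforced "$1" "$p"; then
            printf '%s: enforced (%s)\n' "$p" "$v"
        else
            printf '%s: NOT enforced (%s)\n' "$p" "${v:-unset}"
        fi
    done
}

# Stand-alone demo over the two constructed configs.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/weak.conf" weak
write_sample_conf "$demo_dir/hardened.conf" hardened
for f in weak hardened; do
    echo "== $f.conf =="
    audit_signing "$demo_dir/$f.conf"
done
rm -rf "$demo_dir"
```

Run it against a real /etc/samba/smb.conf with `audit_signing /etc/samba/smb.conf` after sourcing the script; an unset 'server signing' prints as "NOT enforced (unset)", which is exactly the case the subject line is about: whatever the compiled-in default is, nothing in the file makes signing mandatory.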