[REGRESSION] server signing = default (false) for smbd (with CVE-2016-2115)
abartlet at samba.org
Fri Apr 15 06:46:23 UTC 2016
On Fri, 2016-04-15 at 07:49 +0200, Andreas Schneider wrote:
> On Friday 15 April 2016 14:52:18 Andrew Bartlett wrote:
> > The flip side of this (client ipc signing = yes) is causing a fair bit of drama in Debian land.
> > While patching the 3.6 server is OK, I don't think that is enough; for 3.6 in Debian I'm either going to change the default back to 'client ipc signing = auto' or (more likely) just drop the patches for CVE-2016-2115 entirely.
> > Because we don't have an SMB2 client, we can't rely on SMB2 always providing SMB signing. Likewise 3.6 clients are often used with 3.6 servers (e.g. localhost!), with SMB signing disabled.
> > This was less of an issue in 4.2 because we could use SMB2 for DCE/RPC.
> > We can still backport the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED of course, but we still have to work with unpatched servers.
> > Protection against CVE-2016-2115 should be enforced with 'client signing = required' and 'server signing = required' if desired by the admin.
> > Comments?
> I think we should set 'server signing = auto' and document that if you have issues with file performance, you can disable it (which is bad for security) or move to a newer Samba version.
That is a behaviour change, and we shouldn't be doing that. It was
excusable in 4.4, perhaps OK in 4.2 but shouldn't in retrospect have
been backported. I'm sorry I didn't realise the implications and so
call that out.
There is a difference between a security hole and a known, documented
but un-configured security feature.
> However we have several other regressions in 3.6 we need to fix ...
Sadly yes. I've got a number of users with issues when running
security=ads without winbindd.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT
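The explicit enforcement Andrew proposes in place of a changed default, written out as an smb.conf fragment. This is an added example, not configuration from the thread or from the Samba project; the workgroup, realm and security mode are assumed placeholders, and the assumption is that the 3.6 package in use carries the CVE-2016-2115 patches that introduced the `client ipc signing` parameter (an unpatched 3.6 will not recognise it).

```ini
[global]
    ; Added example, not from the original thread. Values marked "assumed"
    ; are placeholders for illustration only.
    workgroup = EXAMPLE            ; assumed
    realm = EXAMPLE.COM            ; assumed
    security = ads                 ; assumed; mode mentioned in the thread

    ; Server side: smbd refuses any client session that does not sign.
    ; This is the "behaviour change" the thread argues should be an
    ; explicit admin choice rather than a new default on 3.6.
    server signing = required

    ; Client side (smbclient, net, winbindd): require signing on every
    ; SMB connection this host makes. With a 3.6 client there is no SMB2,
    ; so SMB1 signing is what actually gets negotiated.
    client signing = required

    ; DCE/RPC over IPC$ named pipes, the path CVE-2016-2115 is about.
    ; The patched packages ship this parameter with a changed default
    ; (described in the thread as 'client ipc signing = yes'); pin it so
    ; the result does not depend on which patch set a package carries.
    client ipc signing = required
```

Run `testparm -v` after editing and check the three `signing` lines in its output, since `testparm` also reports parameters it does not know about, which is how an unpatched 3.6 would reject `client ipc signing`. The caveat both sides of the thread raise still applies: a 3.6 client configured this way will fail against a 3.6 server that has signing disabled, including the localhost case, so the server-side line has to land on every peer before the client-side lines are enforced, and required SMB1 signing costs file-serving throughput.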