[REGRESSION] server signing = default (false) for smbd (with CVE-2016-2115)

Andrew Bartlett abartlet at samba.org
Fri Apr 15 06:46:23 UTC 2016


On Fri, 2016-04-15 at 07:49 +0200, Andreas Schneider wrote:
> On Friday 15 April 2016 14:52:18 Andrew Bartlett wrote:
> > 
> > The flip side of this (client ipc signing = yes) is causing a fair bit
> > of drama in Debian land.
> > 
> > While patching the 3.6 server is OK, I don't think that is enough, for
> > 3.6 in debian I'm either going to change the default back to 'client
> > ipc signing = auto' or (more likely) just drop the patches for
> > CVE-2016-2115 entirely.
> > 
> > Because we don't have an SMB2 client, we can't rely on SMB2 always
> > providing smb signing.  Likewise 3.6 clients are often used with 3.6
> > servers (eg localhost!), with smb signing disabled.
> > 
> > This was less of an issue in 4.2 because we could use SMB2 for
> > DCE/RPC.
> > 
> > We can still backport the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED of
> > course, but we still have to work with unpatched servers.
> > 
> > Protection against CVE-2016-2115 should be enforced with 'client
> > signing = required' and 'server signing = required' if desired by the
> > admin.
> > 
> > Comments?
> I think we should set 'server signing = auto' and document if you have
> issues with file performance, disable it which is bad for security or
> move to a newer Samba version.

That is a behaviour change, and we shouldn't be doing that.  It was
excusable in 4.4, perhaps OK in 4.2 but shouldn't in retrospect have
been backported.  I'm sorry I didn't realise the implications and so
call that out.

There is a difference between a security hole and a known, documented
but un-configured security feature. 

> However we have several other regressions in 3.6 we need to fix ...

Sadly yes.  I've got a number of users with issues when running
security=ads without winbindd.

Andrew Bartlett


-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba