[REGRESSION] server signing = default (false) for smbd (with CVE-2016-2115)

Andreas Schneider asn at samba.org
Fri Apr 15 07:17:06 UTC 2016


On Friday 15 April 2016 18:46:23 Andrew Bartlett wrote:
> On Fri, 2016-04-15 at 07:49 +0200, Andreas Schneider wrote:
> > On Friday 15 April 2016 14:52:18 Andrew Bartlett wrote:
> > > 
> > >
> > > The flip side of this (client ipc signing = yes) is causing a fair
> > > bit of drama in Debian land.
> > > 
> > > While patching the 3.6 server is OK, I don't think that is enough,
> > > for 3.6 in Debian I'm either going to change the default back to
> > > 'client ipc signing = auto' or (more likely) just drop the patches
> > > for CVE-2016-2115 entirely.
> > > 
> > > Because we don't have an SMB2 client, we can't rely on SMB2 always
> > > providing smb signing.  Likewise 3.6 clients are often used with
> > > 3.6 servers (eg localhost!), with smb signing disabled.
> > > 
> > > This was less of an issue in 4.2 because we could use SMB2 for
> > > DCE/RPC.
> > > 
> > > We can still backport the FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED
> > > of course, but we still have to work with unpatched servers.
> > > 
> > > Protection against CVE-2016-2115 should be enforced with 'client
> > > signing = required' and 'server signing = required' if desired by
> > > the admin.
> > > 
> > > Comments?
> > 
> > I think we should set 'server signing = auto' and document if you
> > have issues with file performance, disable it which is bad for
> > security or move to a newer Samba version.
> 
> That is a behaviour change, and we shouldn't be doing that.  It was
> excusable in 4.4, perhaps OK in 4.2 but shouldn't in retrospect have
> been backported.  I'm sorry I didn't realise the implications and so
> call that out.
> 
> There is a difference between a security hole and a known, documented
> but un-configured security feature. 
> 
> > However we have several other regressions in 3.6 we need to fix ...
> 
> Sadly yes.  I've got a number of users with issues when running
> security=ads without winbindd.

Yes, auth_domain does a rpccli_netlogon_sam_network_logon(), the 
netlogon_creds_client_check() after a successful LogonSamLogon fails.

-- 
Andreas Schneider                   GPG-ID: CC014E3D
Samba Team                             asn at samba.org
www.samba.org
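As an added example (not part of this thread and not Samba's own documentation), the explicit opt-in Andrew describes, where the administrator enforces signing on both sides instead of relying on a changed default, looks like this in smb.conf. The parameter names are Samba's; the [global] fragment itself is hypothetical and assumes a Samba build that carries the CVE-2016-2115 patches, because 'client ipc signing' does not exist in releases without them.

```ini
# Hypothetical smb.conf fragment (added example, not from the thread).
# 'auto' negotiates SMB signing but does not require it, so a peer that
# has signing disabled still gets an unsigned session. 'required' (the
# same as 'mandatory') refuses unsigned sessions instead.
[global]
    # SMB sessions this host accepts (smbd) must be signed.
    server signing = required
    # SMB sessions this host initiates (smbclient, winbindd) must be signed.
    client signing = required
    # DCE/RPC over SMB named pipes, the CVE-2016-2115 case, must be signed.
    # 'auto' here is the behaviour the thread proposes reverting 3.6 to.
    client ipc signing = required
```

Check the effective values with `testparm -s smb.conf`. With these settings a client will refuse to talk to a server that has signing disabled, which is exactly the breakage described above for 3.6 clients against unpatched 3.6 servers: the setting is only appropriate once every peer can sign.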