[Samba] Advice on CVE-2016-2118
Andrew Bartlett
abartlet at samba.org
Thu Apr 14 19:28:22 UTC 2016
On Thu, 2016-04-14 at 14:44 +0000, Howard, Stewart Jameson wrote:
>
>
> In the case of our services, we pass the authentication routine off
> to an Active Directory domain controller using this smb.conf option:
>
>
> security = ADS
In your situation, the impact is limited to a possible DoS (most likely
crashing of the smbd attached to the client), of winbindd if the DC was
impersonated, or possibly the persistent spoolss server for printing if
you had set:
[global]
rpc_server:spoolss = external
rpc_daemon:spoolssd = fork
You are unlikely to be running with smb singing (unless you had set
server signing = mandatory at a performance cost) so have always been
vulnerable to MitM attacks in general, leaving this one as a less
-important detail.
Patching Samba is still good to do, and we fixed a lot of important
details along the way, but the MitM attack prevention mattered
essentially entirely for those running Samba an an AD DC.
Hopefully this helps clarify things.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba
mailing list