[Samba] Advice on CVE-2016-2118

Andrew Bartlett abartlet at samba.org
Thu Apr 14 19:28:22 UTC 2016

On Thu, 2016-04-14 at 14:44 +0000, Howard, Stewart Jameson wrote:
> In the case of our services, we pass the authentication routine off
> to an Active Directory domain controller using this smb.conf option:
>     security                            = ADS

In your situation, the impact is limited to a possible DoS (most likely
crashing of the smbd attached to the client), of winbindd if the DC was
impersonated, or possibly the persistent spoolss server for printing if
you had set:

 rpc_server:spoolss = external
 rpc_daemon:spoolssd = fork

You are unlikely to be running with smb singing (unless you had set
server signing = mandatory at a performance cost) so have always been
vulnerable to MitM attacks in general, leaving this one as a less
-important detail.

Patching Samba is still good to do, and we fixed a lot of important
details along the way, but the MitM attack prevention mattered
essentially entirely for those running Samba an an AD DC.

Hopefully this helps clarify things.  

Andrew Bartlett

Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

More information about the samba mailing list