[Samba] server signing = mandatory/required broken in 4.17.5 ?
Jens Viebig
jsurf at gmx.de
Fri Jul 7 11:01:18 UTC 2023
We are using samba on RedHat 8.8. The latest samba version available for
RHEL8 is samba 4.17.5.
Since samba was updated to 4.17.5 from 4.16.4, the "server signing =
mandatory" config option seems to be broken.
Nessus scans report a vulnerability on server signing not required:
SMB Signing not required
VULNERABILITY: MEDIUM
PLUGIN ID: 57608
Description
Signing is not required on the remote SMB server. An unauthenticated,
remote attacker can exploit this to conduct man-in-the-middle attacks
against the SMB server.
Our smb.conf looks like this:
# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.
[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
server signing = mandatory
map to guest = Never
restrict anonymous = 2
[someshare]
comment = This is a share for some share
path = /var/someshare
read only = no
writable = yes
public = no
guest ok = no
guest only = no
valid users = someuser
browsable = yes
force user = someotheruser
force group = someothergroup
browseable = yes
Testing the configuration with testparm, gives this output:
testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE
Press enter to see a dump of your service definitions
# Global parameters
[global]
restrict anonymous = 2
security = USER
server signing = required
workgroup = SAMBA
idmap config * : backend = tdb
[someshare]
comment = This is a share for SDC Ingest
force group = someothergroup
force user = someotheruser
path = /var/someshare
read only = No
valid users = someuser
We also tried to change "server signing = mandatory" to "server signing =
required" in the original config without effect.
When downgrading to 4.16.4, Nessus reports a clean scan; when upgrading to
4.17.5 again, the vulnerability shows up again.
Is this a known issue in 4.17.5?
Would an upgrade to a later version help (unfortunately currently
unavailable for RHEL8)?
Is there any known change from 4.16 to 4.17 that could explain this issue?
Thanks
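An added example, not from the poster or the Samba project: the check Nessus plugin 57608 performs is simply to send an SMB2 NEGOTIATE and read the SecurityMode bits in the server's reply, so the effect of "server signing" can be verified directly after an smbd restart instead of waiting for a rescan. It assumes direct SMB over TCP on port 445; the sample response used for the offline test is constructed, not a real capture.

```python
import socket
import struct
import uuid

SMB2_NEGOTIATE = 0x0000
SIGNING_ENABLED = 0x0001   # SMB2 SecurityMode bits (MS-SMB2 2.2.4)
SIGNING_REQUIRED = 0x0002
DIALECTS = (0x0202, 0x0210, 0x0300, 0x0302)  # 3.1.1 omitted: it needs negotiate contexts

def build_negotiate_request() -> bytes:
    """SMB2 NEGOTIATE request inside a NetBIOS session header (direct TCP, port 445)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         1, 0, 0, 0, 0, 0, 0, b"\x00" * 16)
    body = struct.pack("<HHHHI16sQ", 36, len(DIALECTS), SIGNING_ENABLED, 0, 0,
                       uuid.uuid4().bytes, 0) + struct.pack("<%dH" % len(DIALECTS), *DIALECTS)
    return struct.pack(">I", len(header) + len(body)) + header + body

def parse_negotiate_response(data: bytes) -> dict:
    """Extract SecurityMode and the chosen dialect from a NEGOTIATE response."""
    if len(data) < 4 + 64 + 6:
        raise ValueError("response too short")
    proto, _size, _credit, status, command = struct.unpack_from("<4sHHIH", data, 4)
    if proto != b"\xfeSMB" or command != SMB2_NEGOTIATE:
        raise ValueError("not an SMB2 NEGOTIATE response")
    if status != 0:
        raise ValueError("server returned NTSTATUS 0x%08x" % status)
    _size, security_mode, dialect = struct.unpack_from("<HHH", data, 4 + 64)
    return {"dialect": dialect, "signing_enabled": bool(security_mode & SIGNING_ENABLED),
            "signing_required": bool(security_mode & SIGNING_REQUIRED)}

def check_smb_signing(host: str, port: int = 445, timeout: float = 5.0) -> dict:
    """Negotiate with host:port and report whether the server requires signing."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_negotiate_request())
        nb = sock.recv(4)
        length = struct.unpack(">I", nb)[0] & 0x00FFFFFF if len(nb) == 4 else 0
        payload = b""
        while len(payload) < length:            # NetBIOS length says how much follows
            chunk = sock.recv(length - len(payload))
            if not chunk:
                break
            payload += chunk
    return parse_negotiate_response(nb + payload)

def sample_negotiate_response(security_mode: int, dialect: int = 0x0302) -> bytes:
    """Constructed minimal server reply (not a real capture) for testing the parser offline."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", b"\xfeSMB", 64, 0, 0, SMB2_NEGOTIATE,
                         1, 1, 0, 0, 0, 0, 0, b"\x00" * 16)   # Flags=1: server-to-client
    body = struct.pack("<HHHH", 65, security_mode, dialect, 0) + b"\x00" * 57
    return struct.pack(">I", len(header) + len(body)) + header + body
```

Run `check_smb_signing("your-samba-host")["signing_required"]` against the server; with "server signing = required" taking effect it should return True, and a False here means the running smbd is not enforcing signing regardless of what testparm prints.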