Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock)

This script is Copyright (C) 2016 Tenable Network Security, Inc.


Synopsis :

The remote Samba server is affected by multiple vulnerabilities.

Description :

The version of Samba running on the remote host is 3.x or 4.2.x prior
to 4.2.10, 4.3.x prior to 4.3.7, or 4.4.x prior to 4.4.1. It is,
therefore, affected by multiple vulnerabilities :

- A flaw exists in the DCE-RPC client when handling
specially crafted DCE-RPC packets. A man-in-the-middle
(MitM) attacker can exploit this to downgrade the
connection security, cause a denial of service through
resource exhaustion, or potentially execute arbitrary
code. (CVE-2015-5370)

- A flaw exists in the implementation of NTLMSSP
authentication. A MitM attacker can exploit this to
clear the NTLMSSP_NEGOTIATE_SIGN and
NTLMSSP_NEGOTIATE_SEAL settings, take over the
connections, cause traffic to be sent unencrypted, or
have other unspecified impact. (CVE-2016-2110)

- A flaw exists in NETLOGON due to a failure to properly
establish a secure channel connection. A MitM attacker
can exploit this to spoof the computer names of a secure
channel's endpoints, potentially gaining session
information. (CVE-2016-2111)

- A flaw exists in the integrity protection mechanisms
that allows a MitM attacker to downgrade a secure LDAP
connection to an insecure version. (CVE-2016-2112)

- A flaw exists due to improper validation of TLS
certificates for the LDAP and HTTP protocols. A MitM
attacker can exploit this, via a crafted certificate,
to spoof a server, resulting in the disclosure or
manipulation of the transmitted traffic. (CVE-2016-2113)

- A flaw exists due to a failure to enforce the
'server signing = mandatory' option in smb.conf for
clients using the SMB1 protocol. A MitM attacker can
exploit this to conduct spoofing attacks.
(CVE-2016-2114)

- A flaw exists due to a failure to perform integrity
checking for SMB client connections. A MitM attacker can
exploit this to conduct spoofing attacks since the
protection mechanisms for DCERPC communication sessions
are inherited from the underlying SMB connection.
(CVE-2016-2115)

- A flaw, known as Badlock, exists in the Security Account
Manager (SAM) and Local Security Authority
(Domain Policy) (LSAD) protocols due to improper
authentication level negotiation over Remote Procedure
Call (RPC) channels. A MitM attacker who is able to able
to intercept the traffic between a client and a server
hosting a SAM database can exploit this flaw to force a
downgrade of the authentication level, which allows the
execution of arbitrary Samba network calls in the
context of the intercepted user, such as viewing or
modifying sensitive security data in the Active
Directory (AD) database or disabling critical services.
(CVE-2016-2118)

See also :

https://www.samba.org/samba/security/CVE-2015-5370.html
https://www.samba.org/samba/security/CVE-2016-2110.html
https://www.samba.org/samba/security/CVE-2016-2111.html
https://www.samba.org/samba/security/CVE-2016-2112.html
https://www.samba.org/samba/security/CVE-2016-2113.html
https://www.samba.org/samba/security/CVE-2016-2114.html
https://www.samba.org/samba/security/CVE-2016-2115.html
https://www.samba.org/samba/security/CVE-2016-2118.html
http://www.samba.org/samba/history/samba-4.2.10.html
http://www.samba.org/samba/history/samba-4.3.7.html
http://www.samba.org/samba/history/samba-4.4.1.html
http://badlock.org

Solution :

Upgrade to Samba version 4.2.10 / 4.3.7 / 4.4.1 or later.

Risk factor :

Critical / CVSS Base Score : 10.0
(CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:U/RL:OF/RC:C)
Public Exploit Available : false

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now