Samba 3.x < 4.2.10 / 4.2.x < 4.2.10 / 4.3.x < 4.3.7 / 4.4.x < 4.4.1 Multiple Vulnerabilities (Badlock)

high Nessus Plugin ID 90508

Synopsis

The remote Samba server is affected by multiple vulnerabilities.

Description

The version of Samba running on the remote host is 3.x or 4.2.x prior to 4.2.10, 4.3.x prior to 4.3.7, or 4.4.x prior to 4.4.1. It is, therefore, affected by multiple vulnerabilities :

- A flaw exists in the DCE-RPC client when handling specially crafted DCE-RPC packets. A man-in-the-middle (MitM) attacker can exploit this to downgrade the connection security, cause a denial of service through resource exhaustion, or potentially execute arbitrary code. (CVE-2015-5370)

- A flaw exists in the implementation of NTLMSSP authentication. A MitM attacker can exploit this to clear the NTLMSSP_NEGOTIATE_SIGN and NTLMSSP_NEGOTIATE_SEAL settings, take over the connections, cause traffic to be sent unencrypted, or have other unspecified impact. (CVE-2016-2110)

- A flaw exists in NETLOGON due to a failure to properly establish a secure channel connection. A MitM attacker can exploit this to spoof the computer names of a secure channel's endpoints, potentially gaining session information. (CVE-2016-2111)

- A flaw exists in the integrity protection mechanisms that allows a MitM attacker to downgrade a secure LDAP connection to an insecure version. (CVE-2016-2112)

- A flaw exists due to improper validation of TLS certificates for the LDAP and HTTP protocols. A MitM attacker can exploit this, via a crafted certificate, to spoof a server, resulting in the disclosure or manipulation of the transmitted traffic. (CVE-2016-2113)

- A flaw exists due to a failure to enforce the 'server signing = mandatory' option in smb.conf for clients using the SMB1 protocol. A MitM attacker can exploit this to conduct spoofing attacks.
(CVE-2016-2114)

- A flaw exists due to a failure to perform integrity checking for SMB client connections. A MitM attacker can exploit this to conduct spoofing attacks since the protection mechanisms for DCERPC communication sessions are inherited from the underlying SMB connection.
(CVE-2016-2115)

- A flaw, known as Badlock, exists in the Security Account Manager (SAM) and Local Security Authority (Domain Policy) (LSAD) protocols due to improper authentication level negotiation over Remote Procedure Call (RPC) channels. A MitM attacker who is able to able to intercept the traffic between a client and a server hosting a SAM database can exploit this flaw to force a downgrade of the authentication level, which allows the execution of arbitrary Samba network calls in the context of the intercepted user, such as viewing or modifying sensitive security data in the Active Directory (AD) database or disabling critical services.
(CVE-2016-2118)

Solution

Upgrade to Samba version 4.2.10 / 4.3.7 / 4.4.1 or later.

See Also

https://www.samba.org/samba/security/CVE-2015-5370.html

https://www.samba.org/samba/security/CVE-2016-2110.html

https://www.samba.org/samba/security/CVE-2016-2111.html

https://www.samba.org/samba/security/CVE-2016-2112.html

https://www.samba.org/samba/security/CVE-2016-2113.html

https://www.samba.org/samba/security/CVE-2016-2114.html

https://www.samba.org/samba/security/CVE-2016-2115.html

https://www.samba.org/samba/security/CVE-2016-2118.html

https://www.samba.org/samba/history/samba-4.2.10.html

https://www.samba.org/samba/history/samba-4.3.7.html

https://www.samba.org/samba/history/samba-4.4.1.html

http://badlock.org

Plugin Details

Severity: High

ID: 90508

File Name: samba_4_3_7.nasl

Version: 1.13

Type: remote

Family: Misc.

Published: 4/13/2016

Updated: 11/20/2019

Configuration: Enable paranoid mode

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 6.7

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS Score Source: CVE-2016-2118

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:samba:samba

Required KB Items: SMB/NativeLanManager, SMB/samba, Settings/ParanoidReport

Exploit Ease: No known exploits are available

Patch Publication Date: 4/12/2016

Vulnerability Publication Date: 3/23/2016

Reference Information

CVE: CVE-2015-5370, CVE-2016-2110, CVE-2016-2111, CVE-2016-2112, CVE-2016-2113, CVE-2016-2114, CVE-2016-2115, CVE-2016-2118

BID: 86002

CERT: 813296