mirror of https://github.com/samba-team/samba.git synced 2025-03-01 04:58:35 +03:00

samba: tag release samba-4.3.11

Merge tag 'samba-4.3.11' into v4-3-test

samba: tag release samba-4.3.11
Karolin Seeger 2016-07-07 11:23:17 +02:00
commit f4729ca169
4 changed files with 99 additions and 4 deletions

@ -1,3 +1,76 @@
==============================
Release Notes for Samba 4.3.11
July 07, 2016
==============================
This is a security release in order to address the following defect:
o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
=======
Details
=======
o CVE-2016-2119:
It's possible for an attacker to downgrade the required signing for
an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
or SMB2_SESSION_FLAG_IS_NULL flags.
This means that the attacker can impersonate a server being connected to by
Samba, and return malicious results.
The primary concern is with winbindd, as it uses DCERPC over SMB2 when talking
to domain controllers as a member server, and trusted domains as a domain
controller. These DCE/RPC connections were intended to protected by the
combination of "client ipc signing" and
"client ipc max protocol" in their effective default settings
("mandatory" and "SMB3_11").
Additionally, management tools like net, samba-tool and rpcclient use DCERPC
over SMB2/3 connections.
By default, other tools in Samba are unprotected, but rarely they are
configured to use smb signing, via the "client signing" parameter (the default
is "if_required"). Even more rarely the "client max protocol" is set to SMB2,
rather than the NT1 default.
If both these conditions are met, then this issue would also apply to these
other tools, including command line tools like smbcacls, smbcquota, smbclient,
smbget and applications using libsmbclient.
Changes since 4.3.10:
--------------------
o Stefan Metzmacher <metze@samba.org>
* BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
* BUG 11948: Total dcerpc response payload more than 0x400000.
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================
Release notes for older releases follow:
----------------------------------------
==============================
Release Notes for Samba 4.3.10
June 15, 2016
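Review bot: in the CVE-2016-2119 details, "These DCE/RPC connections were intended to protected by" is missing "be", and the paragraph beginning "By default, other tools in Samba are unprotected" is ambiguous. It reads as if those tools are exposed by default, while the next sentences say the issue applies to them only when "client signing" is configured and "client max protocol" is set to SMB2. Suggest saying that by default these tools do not require signing, so the downgrade only matters for them once both settings have been changed from their defaults.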
@ -96,8 +169,8 @@ database (https://bugzilla.samba.org/).
======================================================================
Release notes for older releases follow:
----------------------------------------
----------------------------------------------------------------------
=============================
Release Notes for Samba 4.3.9

@ -5313,6 +5313,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session *session)
return false;
}
if (session->conn->mandatory_signing) {
return false;
}
if (session->conn->protocol >= PROTOCOL_SMB2_02) {
if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
return true;
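Review bot: the early return on session->conn->mandatory_signing in smbXcli_session_is_guest() has no comment, and it makes the function report "not guest" for a session the server flagged with SMB2_SESSION_FLAG_IS_GUEST, which is not what the name suggests. The check also sits before the protocol >= PROTOCOL_SMB2_02 test, so it applies to every protocol version, not only SMB2/3. The only explanation is the note in cli_session_setup_gensec_remote_done(); suggest a short comment at this check stating that a guest session is never reported when signing is mandatory, and why, so that future callers do not read the return value as a statement about the server's flags.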
@ -5567,7 +5571,7 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
const struct iovec *recv_iov)
{
struct smbXcli_conn *conn = session->conn;
uint16_t no_sign_flags;
uint16_t no_sign_flags = 0;
uint8_t session_key[16];
bool check_signature = true;
uint32_t hdr_flags;
@ -5592,7 +5596,18 @@ NTSTATUS smb2cli_session_set_session_key(struct smbXcli_session *session,
return NT_STATUS_INVALID_PARAMETER_MIX;
}
no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
if (!conn->mandatory_signing) {
/*
* only allow guest sessions without
* mandatory signing.
*
* If we try an authentication with username != ""
* and the server let us in without verifying the
* password we don't have a negotiated session key
* for signing.
*/
no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
}
if (session->smb2->session_flags & no_sign_flags) {
session->smb2->should_sign = false;
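Review bot: the comment inside if (!conn->mandatory_signing) explains the guest case but not what happens to SMB2_SESSION_FLAG_IS_NULL. The earlier assignment set no_sign_flags to SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL, while this block only ever sets SMB2_SESSION_FLAG_IS_GUEST, so a session carrying the NULL flag no longer clears should_sign even when signing is not mandatory. If that is intended, say so in the comment, including what it means for anonymous (username == "") sessions. It would also help to state that with mandatory signing no_sign_flags stays at its 0 initializer, so the session_flags test below can never match, and to point at where the connection then fails for lack of a session key.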

@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct tevent_req *subreq)
* have a negotiated session key.
*
* So just pretend we are completely done.
*
* Note that smbXcli_session_is_guest()
* always returns false if we require signing.
*/
state->blob_in = data_blob_null;
state->local_ready = true;

@ -37,4 +37,8 @@ else
testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c quit $ADDARGS
testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 --signing=required -c quit $ADDARGS
testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail" $SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 --signing=required -c quit $ADDARGS
fi
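Review bot: the three testit_expect_failure cases with --signing=required all use -Ubaduser%badpassword, so they exercise only the guest-mapping path (SMB2_SESSION_FLAG_IS_GUEST), while the release notes and the libcli change also name SMB2_SESSION_FLAG_IS_NULL. Suggest adding an anonymous-session case with --signing=required to cover the NULL flag, and an -mSMB2 variant alongside -mNT1 and -mSMB3 since the fix is keyed on PROTOCOL_SMB2_02. These tests also sit in the else branch of a condition that is not visible here; confirm that the other branch has matching signing-required coverage or document why it does not need it.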