CVE-2016-2118: samba:SAMR and LSA man in the middle attacks possible (aka "BADLOCK")
This document (7017473) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 12 (SLES 12 GA)
SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)
Expanded Support 4 (RES4)
Expanded Support 5 (RES5)
Expanded Support 6 (RES6)
Expanded Support 7 (RES7)
Situation
These protocols (SAMR and LSA) are typically available on all Windows installations as well as on every Samba server. They are used to maintain the Security Account Manager database. This applies to all roles, e.g. standalone, domain member and domain controller.
More information on this can be found at Samba.org Latest News, which gives details about the related CVEs listed under Additional Information below.
Resolution
SLES 12 SP1
Released on the 12th of April 2016:
libdcerpc-binding0-32bit-4.2.4-16.1
libdcerpc-binding0-4.2.4-16.1
libdcerpc0-32bit-4.2.4-16.1
libdcerpc0-4.2.4-16.1
libgensec0-32bit-4.2.4-16.1
libgensec0-4.2.4-16.1
libndr-krb5pac0-32bit-4.2.4-16.1
libndr-krb5pac0-4.2.4-16.1
libndr-nbt0-32bit-4.2.4-16.1
libndr-nbt0-4.2.4-16.1
libndr-standard0-32bit-4.2.4-16.1
libndr-standard0-4.2.4-16.1
libndr0-32bit-4.2.4-16.1
libndr0-4.2.4-16.1
libnetapi0-32bit-4.2.4-16.1
libnetapi0-4.2.4-16.1
libregistry0-4.2.4-16.1
libsamba-credentials0-32bit-4.2.4-16.1
libsamba-credentials0-4.2.4-16.1
libsamba-hostconfig0-32bit-4.2.4-16.1
libsamba-hostconfig0-4.2.4-16.1
libsamba-passdb0-32bit-4.2.4-16.1
libsamba-passdb0-4.2.4-16.1
libsamba-util0-32bit-4.2.4-16.1
libsamba-util0-4.2.4-16.1
libsamdb0-32bit-4.2.4-16.1
libsamdb0-4.2.4-16.1
libsmbclient-raw0-32bit-4.2.4-16.1
libsmbclient-raw0-4.2.4-16.1
libsmbclient0-32bit-4.2.4-16.1
libsmbclient0-4.2.4-16.1
libsmbconf0-32bit-4.2.4-16.1
libsmbconf0-4.2.4-16.1
libsmbldap0-32bit-4.2.4-16.1
libsmbldap0-4.2.4-16.1
libtevent-util0-32bit-4.2.4-16.1
libtevent-util0-4.2.4-16.1
libwbclient0-32bit-4.2.4-16.1
libwbclient0-4.2.4-16.1
samba-32bit-4.2.4-16.1
samba-4.2.4-16.1
samba-client-32bit-4.2.4-16.1
samba-client-4.2.4-16.1
samba-debugsource-4.2.4-16.1
samba-doc-4.2.4-16.1
samba-libs-32bit-4.2.4-16.1
samba-libs-4.2.4-16.1
samba-winbind-32bit-4.2.4-16.1
samba-winbind-4.2.4-16.1
SLES 12
Released on the 12th of April 2016:
libdcerpc-binding0-32bit-4.2.4-18.17.1
libdcerpc-binding0-4.2.4-18.17.1
libdcerpc0-32bit-4.2.4-18.17.1
libdcerpc0-4.2.4-18.17.1
libgensec0-32bit-4.2.4-18.17.1
libgensec0-4.2.4-18.17.1
libndr-krb5pac0-32bit-4.2.4-18.17.1
libndr-krb5pac0-4.2.4-18.17.1
libndr-nbt0-32bit-4.2.4-18.17.1
libndr-nbt0-4.2.4-18.17.1
libndr-standard0-32bit-4.2.4-18.17.1
libndr-standard0-4.2.4-18.17.1
libndr0-32bit-4.2.4-18.17.1
libndr0-4.2.4-18.17.1
libnetapi0-32bit-4.2.4-18.17.1
libnetapi0-4.2.4-18.17.1
libregistry0-4.2.4-18.17.1
libsamba-credentials0-32bit-4.2.4-18.17.1
libsamba-credentials0-4.2.4-18.17.1
libsamba-hostconfig0-32bit-4.2.4-18.17.1
libsamba-hostconfig0-4.2.4-18.17.1
libsamba-passdb0-32bit-4.2.4-18.17.1
libsamba-passdb0-4.2.4-18.17.1
libsamba-util0-32bit-4.2.4-18.17.1
libsamba-util0-4.2.4-18.17.1
libsamdb0-32bit-4.2.4-18.17.1
libsamdb0-4.2.4-18.17.1
libsmbclient-raw0-32bit-4.2.4-18.17.1
libsmbclient-raw0-4.2.4-18.17.1
libsmbclient0-32bit-4.2.4-18.17.1
libsmbclient0-4.2.4-18.17.1
libsmbconf0-32bit-4.2.4-18.17.1
libsmbconf0-4.2.4-18.17.1
libsmbldap0-32bit-4.2.4-18.17.1
libsmbldap0-4.2.4-18.17.1
libtevent-util0-32bit-4.2.4-18.17.1
libtevent-util0-4.2.4-18.17.1
libwbclient0-32bit-4.2.4-18.17.1
libwbclient0-4.2.4-18.17.1
samba-32bit-4.2.4-18.17.1
samba-4.2.4-18.17.1
samba-client-32bit-4.2.4-18.17.1
samba-client-4.2.4-18.17.1
samba-debugsource-4.2.4-18.17.1
samba-doc-4.2.4-18.17.1
samba-libs-32bit-4.2.4-18.17.1
samba-libs-4.2.4-18.17.1
samba-winbind-32bit-4.2.4-18.17.1
samba-winbind-4.2.4-18.17.1
SLES 11 SP4 & SLES 11 SP3 LTSS
Released on the 12th of April 2016:
ldapsmb-1.34b-76.1
libldb1-3.6.3-76.1
libsmbclient0-3.6.3-76.1
libsmbclient0-32bit-3.6.3-76.1
libtalloc2-3.6.3-76.1
libtalloc2-32bit-3.6.3-76.1
libtdb1-3.6.3-76.1
libtdb1-32bit-3.6.3-76.1
libtevent0-3.6.3-76.1
libtevent0-32bit-3.6.3-76.1
libwbclient0-3.6.3-76.1
libwbclient0-32bit-3.6.3-76.1
samba-3.6.3-76.1.src.rpm
samba-3.6.3-76.1
samba-32bit-3.6.3-76.1
samba-client-3.6.3-76.1
samba-client-32bit-3.6.3-76.1
samba-doc-3.6.3-76.2
samba-krb-printing-3.6.3-76.1
samba-winbind-3.6.3-76.1
samba-winbind-32bit-3.6.3-76.1
SLES 11 SP2 LTSS
Released on the 13th of April 2016:
ldapsmb-1.34b-52.1
libldb1-3.6.3-52.1
libsmbclient0-3.6.3-52.1
libsmbclient0-32bit-3.6.3-52.1
libtalloc2-3.6.3-52.1
libtalloc2-32bit-3.6.3-52.1
libtdb1-3.6.3-52.1
libtdb1-32bit-3.6.3-52.1
libtevent0-3.6.3-52.1
libtevent0-32bit-3.6.3-52.1
libwbclient0-3.6.3-52.1
libwbclient0-32bit-3.6.3-52.1
samba-3.6.3-52.1.src.rpm
samba-3.6.3-52.1
samba-32bit-3.6.3-52.1
samba-client-3.6.3-52.1
samba-client-32bit-3.6.3-52.1
samba-doc-3.6.3-52.1
samba-krb-printing-3.6.3-52.1
samba-winbind-3.6.3-52.1
samba-winbind-32bit-3.6.3-52.1
Expanded Support 4 (RES4)
- Patches have been released on the 14th of April 2016
- Samba 3.0.33
Expanded Support 5 (RES5)
- Patches have been released on the 14th of April 2016
- Samba 3.0.33
Expanded Support 6 (RES6)
- Patches have been released on the 14th of April 2016
- Samba 3.6.23
Expanded Support 7 (RES7)
- Patches have been released on the 14th of April 2016
- Samba 4.2.3
To be safe from this vulnerability, patch your systems to the versions listed above.
Cause
Additional Information
The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.
- Man in the middle (MITM) attacks
There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.
Impact example of intercepting administrator network traffic:
* Samba file server - modify user permissions on files or directories.
Executing a man in the middle attack requires the attacker to be able to manipulate network traffic in the local network segment of the client or server.
Mitigations:
Network protections that can be used against MITM attacks include DHCP snooping, ARP Inspection and 802.1x.
Suggested further improvements after patching:
It is recommended that administrators set these additional options, if compatible with their network environment:
- server signing = required
- ntlm auth = no
Without 'server signing = required', man in the middle attacks are still possible against the Samba file server and domain controller.
Without 'ntlm auth = no', there may still be clients not using NTLMv2, and their observed passwords may be brute-forced easily using cloud-computing resources or rainbow tables.
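As an added illustration (not part of this SUSE document or of Samba's own tooling), a small Python audit that checks the [global] section of an smb.conf for the two options recommended above; the sample configurations are constructed, and the accepted spellings for the option values are assumptions based on Samba's parameter parsing.

```python
"""Audit an smb.conf [global] section for 'server signing = required' and 'ntlm auth = no'."""
import re

# Samba matches parameter names case-insensitively and ignores whitespace,
# so 'Server Signing', 'server signing' and 'serversigning' are the same key.
def _norm(name):
    return re.sub(r"\s+", "", name).lower()

# Spellings Samba maps to mandatory signing (assumed synonyms).
SIGNING_REQUIRED = {"required", "mandatory"}
BOOL_FALSE = {"no", "false", "0", "off"}  # spellings Samba treats as boolean false

def parse_global(text):
    """Return {normalised key: value} for the [global] section only."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):   # whole-line comments only
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = _norm(m.group(1))
            continue
        if section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip().lower()  # last occurrence wins
    return params

def audit(text):
    """Return a list of findings; an empty list means both options are set."""
    g = parse_global(text)
    findings = []
    if g.get("serversigning") not in SIGNING_REQUIRED:
        findings.append("server signing is not 'required': SMB MITM remains possible")
    if g.get("ntlmauth", "yes") not in BOOL_FALSE:   # Samba 4.2 default is yes
        findings.append("ntlm auth is not 'no': NTLMv1 clients are still accepted")
    return findings

# Constructed samples: a member server before and after hardening.
SAMPLE_WEAK = """
[global]
   workgroup = EXAMPLE
   ; signing is negotiated but not enforced
   server signing = auto
[data]
   path = /srv/data
"""
SAMPLE_HARDENED = SAMPLE_WEAK.replace("server signing = auto",
                                      "server signing = required\n   ntlm auth = no")
```

Call audit() on the text of an smb.conf (or on the output of testparm -s) and treat a non-empty list as a finding to fix.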
- Denial of Service (DoS)
Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.
Mitigation:
Apply firewall rules on the server to permit connectivity only from trusted addresses.
Will encryption protect against these attacks?
The SMB protocol, by default, only encrypts credentials and commands, while files are transferred in plaintext. It is recommended that in security- or privacy-sensitive scenarios encryption is used to protect all communications.
Samba added encryption in version 3.2 in 2008, but only for Samba clients. Microsoft added SMB encryption support to SMB 3.0 in Windows 8 and Windows Server 2012. However, both of these types of encryption only protect communications, such as file transfers, after SMB negotiation and commands have been completed. It is this phase that contains the fixed vulnerabilities.
Samba/SMB encryption is good practice but is not sufficient for protection against these vulnerabilities. Network-level encryption, such as IPSec, is required for full protection as a workaround.
More information on this can be found at:
Samba.org Latest News
which gives details about the following related CVEs:
CVE-2016-2118
CVE-2016-2115
CVE-2016-2113
CVE-2016-2112
CVE-2016-2111
CVE-2016-2110
CVE-2015-5370
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 7017473
- Creation Date: 07-Apr-2016
- Modified Date: 03-Mar-2020
- SUSE Linux Enterprise Desktop
- SUSE Linux Enterprise Server
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com