CVE-2016-2118: samba:SAMR and LSA man in the middle attacks possible (aka "BADLOCK")

This document (7017473) is provided subject to the disclaimer at the end of this document.

Environment

SUSE Linux Enterprise Server 12 Service Pack 1 (SLES 12 SP1)
SUSE Linux Enterprise Server 12 (SLES 12 GA)

SUSE Linux Enterprise Server 11 Service Pack 4 (SLES 11 SP4)
SUSE Linux Enterprise Server 11 Service Pack 3 LTSS (SLES 11 SP3 LTSS)
SUSE Linux Enterprise Server 11 Service Pack 2 LTSS (SLES 11 SP2 LTSS)

Expanded Support 4 (RES4)
Expanded Support 5 (RES5)
Expanded Support 6 (RES6)
Expanded Support 7 (RES7)

Situation

The Security Account Manager Protocol (MS-SAMR) and the Local Security Authority (Domain Policy) Remote Protocol (MS-LSAD) are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol.

These protocols are typically available on all Windows installations as well as every Samba server. They are used to maintain the Security Account Manager Database. This applies to all roles, e.g. standalone, domain member and domain controller.

Resolution

The following patches have been released by SUSE:
SLES 12 SP1
Released on the 12th of April 2016:
 libdcerpc-binding0-32bit-4.2.4-16.1
 libdcerpc-binding0-4.2.4-16.1
 libdcerpc0-32bit-4.2.4-16.1
 libdcerpc0-4.2.4-16.1
 libgensec0-32bit-4.2.4-16.1
 libgensec0-4.2.4-16.1
 libndr-krb5pac0-32bit-4.2.4-16.1
 libndr-krb5pac0-4.2.4-16.1
 libndr-nbt0-32bit-4.2.4-16.1
 libndr-nbt0-4.2.4-16.1
 libndr-standard0-32bit-4.2.4-16.1
 libndr-standard0-4.2.4-16.1
 libndr0-32bit-4.2.4-16.1
 libndr0-4.2.4-16.1
 libnetapi0-32bit-4.2.4-16.1
 libnetapi0-4.2.4-16.1
 libregistry0-4.2.4-16.1
 libsamba-credentials0-32bit-4.2.4-16.1
 libsamba-credentials0-4.2.4-16.1
 libsamba-hostconfig0-32bit-4.2.4-16.1
 libsamba-hostconfig0-4.2.4-16.1
 libsamba-passdb0-32bit-4.2.4-16.1
 libsamba-passdb0-4.2.4-16.1
 libsamba-util0-32bit-4.2.4-16.1
 libsamba-util0-4.2.4-16.1
 libsamdb0-32bit-4.2.4-16.1
 libsamdb0-4.2.4-16.1
 libsmbclient-raw0-32bit-4.2.4-16.1
 libsmbclient-raw0-4.2.4-16.1
 libsmbclient0-32bit-4.2.4-16.1
 libsmbclient0-4.2.4-16.1
 libsmbconf0-32bit-4.2.4-16.1
 libsmbconf0-4.2.4-16.1
 libsmbldap0-32bit-4.2.4-16.1
 libsmbldap0-4.2.4-16.1
 libtevent-util0-32bit-4.2.4-16.1
 libtevent-util0-4.2.4-16.1
 libwbclient0-32bit-4.2.4-16.1
 libwbclient0-4.2.4-16.1
 samba-32bit-4.2.4-16.1
 samba-4.2.4-16.1
 samba-client-32bit-4.2.4-16.1
 samba-client-4.2.4-16.1
 samba-debugsource-4.2.4-16.1
 samba-doc-4.2.4-16.1
 samba-libs-32bit-4.2.4-16.1
 samba-libs-4.2.4-16.1
 samba-winbind-32bit-4.2.4-16.1
 samba-winbind-4.2.4-16.1
SLES 12
Released on the 12th of April 2016:
 libdcerpc-binding0-32bit-4.2.4-18.17.1
 libdcerpc-binding0-4.2.4-18.17.1
 libdcerpc0-32bit-4.2.4-18.17.1
 libdcerpc0-4.2.4-18.17.1
 libgensec0-32bit-4.2.4-18.17.1
 libgensec0-4.2.4-18.17.1
 libndr-krb5pac0-32bit-4.2.4-18.17.1
 libndr-krb5pac0-4.2.4-18.17.1
 libndr-nbt0-32bit-4.2.4-18.17.1
 libndr-nbt0-4.2.4-18.17.1
 libndr-standard0-32bit-4.2.4-18.17.1
 libndr-standard0-4.2.4-18.17.1
 libndr0-32bit-4.2.4-18.17.1
 libndr0-4.2.4-18.17.1
 libnetapi0-32bit-4.2.4-18.17.1
 libnetapi0-4.2.4-18.17.1
 libregistry0-4.2.4-18.17.1
 libsamba-credentials0-32bit-4.2.4-18.17.1
 libsamba-credentials0-4.2.4-18.17.1
 libsamba-hostconfig0-32bit-4.2.4-18.17.1
 libsamba-hostconfig0-4.2.4-18.17.1
 libsamba-passdb0-32bit-4.2.4-18.17.1
 libsamba-passdb0-4.2.4-18.17.1
 libsamba-util0-32bit-4.2.4-18.17.1
 libsamba-util0-4.2.4-18.17.1
 libsamdb0-32bit-4.2.4-18.17.1
 libsamdb0-4.2.4-18.17.1
 libsmbclient-raw0-32bit-4.2.4-18.17.1
 libsmbclient-raw0-4.2.4-18.17.1
 libsmbclient0-32bit-4.2.4-18.17.1
 libsmbclient0-4.2.4-18.17.1
 libsmbconf0-32bit-4.2.4-18.17.1
 libsmbconf0-4.2.4-18.17.1
 libsmbldap0-32bit-4.2.4-18.17.1
 libsmbldap0-4.2.4-18.17.1
 libtevent-util0-32bit-4.2.4-18.17.1
 libtevent-util0-4.2.4-18.17.1
 libwbclient0-32bit-4.2.4-18.17.1
 libwbclient0-4.2.4-18.17.1
 samba-32bit-4.2.4-18.17.1
 samba-4.2.4-18.17.1
 samba-client-32bit-4.2.4-18.17.1
 samba-client-4.2.4-18.17.1
 samba-debugsource-4.2.4-18.17.1
 samba-doc-4.2.4-18.17.1
 samba-libs-32bit-4.2.4-18.17.1
 samba-libs-4.2.4-18.17.1
 samba-winbind-32bit-4.2.4-18.17.1
 samba-winbind-4.2.4-18.17.1
SLES 11 SP4 & SLES 11 SP3 LTSS
Released on the 12th of April 2016:
 ldapsmb-1.34b-76.1
 libldb1-3.6.3-76.1
 libsmbclient0-3.6.3-76.1
 libsmbclient0-32bit-3.6.3-76.1
 libtalloc2-3.6.3-76.1
 libtalloc2-32bit-3.6.3-76.1
 libtdb1-3.6.3-76.1
 libtdb1-32bit-3.6.3-76.1
 libtevent0-3.6.3-76.1
 libtevent0-32bit-3.6.3-76.1
 libwbclient0-3.6.3-76.1
 libwbclient0-32bit-3.6.3-76.1
 samba-3.6.3-76.1.src.rpm
 samba-3.6.3-76.1
 samba-32bit-3.6.3-76.1
 samba-client-3.6.3-76.1
 samba-client-32bit-3.6.3-76.1
 samba-doc-3.6.3-76.2
 samba-krb-printing-3.6.3-76.1
 samba-winbind-3.6.3-76.1
 samba-winbind-32bit-3.6.3-76.1
SLES 11 SP2 LTSS
Released on the 13th of April 2016:
 ldapsmb-1.34b-52.1
 libldb1-3.6.3-52.1
 libsmbclient0-3.6.3-52.1
 libsmbclient0-32bit-3.6.3-52.1
 libtalloc2-3.6.3-52.1
 libtalloc2-32bit-3.6.3-52.1
 libtdb1-3.6.3-52.1
 libtdb1-32bit-3.6.3-52.1
 libtevent0-3.6.3-52.1
 libtevent0-32bit-3.6.3-52.1
 libwbclient0-3.6.3-52.1
 libwbclient0-32bit-3.6.3-52.1
 samba-3.6.3-52.1.src.rpm
 samba-3.6.3-52.1
 samba-32bit-3.6.3-52.1
 samba-client-3.6.3-52.1
 samba-client-32bit-3.6.3-52.1
 samba-doc-3.6.3-52.1
 samba-krb-printing-3.6.3-52.1
 samba-winbind-3.6.3-52.1
 samba-winbind-32bit-3.6.3-52.1

Expanded Support 4 (RES4)

  • Patches have been released on the 14th of April 2016
  • Samba 3.0.33

Expanded Support 5 (RES5)

  • Patches have been released on the 14th of April 2016
  • Samba 3.0.33

Expanded Support 6 (RES6)

  • Patches have been released on the 14th of April 2016
  • Samba 3.6.23

Expanded Support 7 (RES7)

  • Patches have been released on the 14th of April 2016
  • Samba 4.2.3

To be safe from this vulnerability you have to patch your systems to the above-mentioned versions.

Cause


Additional Information

These releases fix multiple security vulnerabilities in the software and change the default behaviour for some protocols.

The security vulnerabilities can be mostly categorised as man-in-the-middle or denial of service attacks.
  • Man in the middle (MITM) attacks
There are several MITM attacks that can be performed against a variety of protocols used by Samba. These would permit execution of arbitrary Samba network calls using the context of the intercepted user.
Impact example of intercepting administrator network traffic:
* Samba file server - modify user permissions on files or directories.

To execute a man in the middle attack requires an attacker to manipulate network traffic in the local network segment of the client or server.

Mitigations:
Network protections that could be used against MITM attacks include DHCP snooping, ARP Inspection and 802.1x.
Suggested further improvements after patching:
It is recommended that administrators set these additional options, if compatible with their network environment:
  • server signing = required
  • ntlm auth = no
Without 'server signing = required', man in the middle attacks are still possible against the Samba file server and domain controller.
Without 'ntlm auth = no', there may still be clients not using NTLMv2, and these observed passwords may be brute-forced easily using cloud-computing resources or rainbow tables.
  • Denial of Service (DoS)
Samba services are vulnerable to a denial of service from an attacker with remote network connectivity to the Samba service.

Mitigation:
Apply firewall rules on the server to permit connectivity only from trusted addresses.
Will encryption protect against these attacks?
The SMB protocol, by default, only encrypts credentials and commands, while files are transferred in plaintext. It is recommended that in security- or privacy-sensitive scenarios encryption is used to protect all communications.
Samba added encryption in version 3.2 in 2008, but only for Samba clients. Microsoft added SMB encryption support to SMB 3.0 in Windows 8 and Windows Server 2012. However, both of these types of encryption only protect communications, such as file transfers, after SMB negotiation and commands have been completed. It is this phase that contains the fixed vulnerabilities.
Samba/SMB encryption is good practice but is not sufficient for protection against these vulnerabilities. Network-level encryption, such as IPSec, is required for full protection as a workaround.
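The following audit script is an added example, not part of this SUSE document or of Samba: it checks an installed samba version-release string against the fixed builds listed in the Resolution section (using a simplified rpm-style version comparison) and reports which of the two recommended smb.conf options ('server signing = required', 'ntlm auth = no') are missing from [global]. The sample smb.conf texts are constructed; treating 'mandatory' as an accepted synonym for 'required' is an assumption about Samba's parameter parsing.

```python
import re

# Samba package version-release strings the advisory lists as fixed (values from the page).
FIXED_SAMBA_VR = {
    "SLES 12 SP1": "4.2.4-16.1",
    "SLES 12": "4.2.4-18.17.1",
    "SLES 11 SP4 / SP3 LTSS": "3.6.3-76.1",
    "SLES 11 SP2 LTSS": "3.6.3-52.1",
}

def _segments(s):
    # rpm splits on non-alphanumerics; digit runs compare numerically, letter runs lexically
    return [int(t) if t.isdigit() else t for t in re.findall(r"\d+|[A-Za-z]+", s)]

def rpm_vercmp(a, b):
    """Simplified rpmvercmp for one version or one release string: returns -1, 0 or 1."""
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        if x == y:
            continue
        if isinstance(x, int) != isinstance(y, int):
            return 1 if isinstance(x, int) else -1   # a numeric segment beats an alpha one
        return 1 if x > y else -1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))   # longer string wins on a tie

def is_patched(installed_vr, product):
    """True if an installed 'version-release' is at or above the advisory's fixed build."""
    iv, ir = installed_vr.split("-", 1)
    fv, fr = FIXED_SAMBA_VR[product].split("-", 1)
    return (rpm_vercmp(iv, fv) or rpm_vercmp(ir, fr)) >= 0   # version first, then release

def hardening_gaps(smb_conf):
    """Return the advisory's post-patch options that [global] in smb_conf does not set."""
    wanted = {"server signing": {"required", "mandatory"},   # 'mandatory' assumed as synonym
              "ntlm auth": {"no", "false", "0"}}
    found, section = {}, None
    for raw in smb_conf.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()   # drop comments
        if not line:
            continue
        if line.startswith("["):
            section = line.strip("[] ").lower()
        elif "=" in line and section == "global":
            key, val = line.split("=", 1)
            # smb.conf parameter names ignore case and whitespace, so normalise both
            found[re.sub(r"\s+", "", key).lower()] = val.strip().lower()
    return [k for k, ok in wanted.items() if found.get(k.replace(" ", "")) not in ok]

# Constructed sample configs: an unhardened default and the advisory's recommended settings.
WEAK_CONF = "[global]\n  workgroup = EXAMPLE\n  security = user\n[share]\n  path = /srv/data\n"
HARDENED_CONF = "[global]\n  workgroup = EXAMPLE\n  server signing = required\n  ntlm auth = no\n"

if __name__ == "__main__":
    print(is_patched("4.2.4-16.1", "SLES 12 SP1"), hardening_gaps(WEAK_CONF), hardening_gaps(HARDENED_CONF))
```

On a real host, feed rpm -q --qf '%{VERSION}-%{RELEASE}' samba and the output of testparm -s into these two functions.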

More information on this can be found at:

    Samba.org Latest News

which gives details about the following related CVE's:

    CVE-2016-2118
    CVE-2016-2115
    CVE-2016-2113
    CVE-2016-2112
    CVE-2016-2111
    CVE-2016-2110
    CVE-2015-5370

Disclaimer

This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.

  • Document ID:7017473
  • Creation Date: 07-Apr-2016
  • Modified Date:03-Mar-2020
    • SUSE Linux Enterprise Desktop
    • SUSE Linux Enterprise Server
