Security Advisory Important: samba security update

Advisory: RHSA-2016:0625-2
Type: Security Advisory
Severity: Important
Issued on: 2016-04-14
Last updated on: 2016-04-14
Affected Products: Red Hat Enterprise Linux ELS (v. 4)
CVEs (cve.mitre.org): CVE-2016-2110, CVE-2016-2111, CVE-2016-2118

Details

An update for samba is now available for Red Hat Enterprise Linux 4 Extended
Lifecycle Support.

Red Hat Product Security has rated this update as having a security impact of
Important. A Common Vulnerability Scoring System (CVSS) base score, which gives
a detailed severity rating, is available for each vulnerability from the CVE
link(s) in the References section.

[Updated 14 April 2016]
This advisory previously incorrectly listed CVE-2016-2112 as addressed by this
update. However, that issue did not affect the samba packages on Red Hat
Enterprise Linux 4 Extended Lifecycle Support. CVE-2016-2115 was also
incorrectly listed as addressed by this update; that issue does affect the samba
packages on Red Hat Enterprise Linux 4 Extended Lifecycle Support and remains
unaddressed by them. Customers are advised to set the "client signing = required"
option in the smb.conf file to mitigate CVE-2016-2115. No changes have been made
to the packages.
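The mitigation above is a single smb.conf setting, but Samba parameter names are case-insensitive and ignore internal whitespace, so a naive grep can miss or mis-read it. The following audit script is an added example (not part of the advisory or of Samba): it parses an smb.conf body the way Samba does for this purpose and reports whether [global] actually sets "client signing" to a mandatory value. It assumes "required" and its documented synonym "mandatory" are the only values that count as mandatory; the sample configurations are constructed.

```python
import re

# Values Samba treats as "signing is mandatory" for "client signing":
# "required" is the value the advisory recommends, "mandatory" its documented
# synonym. Assumption: any other spelling is treated as not required.
REQUIRED_VALUES = {"required", "mandatory"}


def _norm(name):
    """Normalise a parameter name the way Samba does: lowercase, no whitespace."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised_param: value}} for an smb.conf body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:  # section header such as [global]
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip()
    return sections


def client_signing_required(text):
    """True only if [global] sets 'client signing' to a mandatory value."""
    value = parse_smb_conf(text).get("global", {}).get("clientsigning", "")
    return value.lower() in REQUIRED_VALUES


# Constructed sample configs: the first relies on Samba's default ("auto"),
# the second is the same file with the mitigation the advisory recommends.
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    ; no "client signing" line, so Samba's default of "auto" applies
[homes]
    browseable = no
"""
MITIGATED_CONF = WEAK_CONF.replace("[homes]", "    Client Signing = required\n[homes]")
```

Run `client_signing_required(open("/etc/samba/smb.conf").read())` to audit a live file; a False result means the CVE-2016-2115 mitigation is not in place.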

Samba is an open-source implementation of the Server Message Block (SMB)
protocol and the related Common Internet File System (CIFS) protocol, which
allow PC-compatible machines to share files, printers, and various information.

Security Fix(es):

* A protocol flaw, publicly referred to as Badlock, was found in the Security
Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority
(Domain Policy) Remote Protocol (MS-LSAD). Any authenticated DCE/RPC connection
that a client initiates against a server could be used by a man-in-the-middle
attacker to impersonate the authenticated user against the SAMR or LSA service
on the server. As a result, the attacker would be able to get read/write access
to the Security Account Manager database, and use this to reveal all passwords
or any other potentially sensitive information in that database. (CVE-2016-2118)

* Several flaws were found in Samba's implementation of NTLMSSP authentication.
An unauthenticated, man-in-the-middle attacker could use these flaws to clear the
encryption and integrity flags of a connection, causing data to be transmitted
in plain text. The attacker could also force the client or server into sending
data in plain text even if encryption was explicitly requested for that
connection. (CVE-2016-2110)

* It was discovered that Samba configured as a Domain Controller would establish
a secure communication channel with a machine using a spoofed computer name. A
remote attacker able to observe network traffic could use this flaw to obtain
session-related information about the spoofed machine. (CVE-2016-2111)

Red Hat would like to thank the Samba project for reporting these issues.
Upstream acknowledges Stefan Metzmacher (SerNet) as the original reporter of
CVE-2016-2118 and CVE-2016-2110.

Solution

For details on how to apply this update, which includes the changes described in
this advisory, refer to:

https://access.redhat.com/articles/11258

After installing this update, the smb service will be restarted automatically.

Updated packages

Red Hat Enterprise Linux ELS (v. 4)


Bugs fixed (see bugzilla for more information)

1311893 - CVE-2016-2110 samba: Man-in-the-middle attacks possible with NTLMSSP authentication
1311902 - CVE-2016-2111 samba: Spoofing vulnerability when domain controller is configured
1317990 - CVE-2016-2118 samba: SAMR and LSA man in the middle attacks

References

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from:
https://www.redhat.com/security/team/key/#package

The Red Hat security contact is secalert@redhat.com. More contact details at http://www.redhat.com/security/team/contact/