The branch, v4-3-stable has been updated
via c7bc017 VERSION: Disable git snapshots for the 4.3.11 release.
via e716f76 WHATSNEW: Add release notes for Samba 4.3.11.
via ad8a3d9 CVE-2016-2019: s3:selftest: add regression tests for guest
logins and mandatory signing
via 0390433 CVE-2016-2019: s3:libsmb: add comment regarding
smbXcli_session_is_guest() with mandatory signing
via 559a130 CVE-2016-2019: libcli/smb: don't allow guest sessions if we
require signing
via 4e3541e dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
via 6a0f9db s4:rpc_server: use a variable for the max total reassembled
request payload
via bc2963a s4:librpc/rpc: allow a total reassembled response payload
of 240 MBytes
via 2a8c919 dcerpc.idl: add
DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
via 851c186 VERSION: Bump version up to 4.3.11...
from 65573bb VERSION: Disable git snapshots for the 4.3.10 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-3-stable
- Log -----------------------------------------------------------------
commit c7bc0175839f5090a51acb34b1c0f8331b95ffe5
Author: Karolin Seeger <[email protected]>
Date: Tue Jul 5 12:36:33 2016 +0200
VERSION: Disable git snapshots for the 4.3.11 release.
Signed-off-by: Karolin Seeger <[email protected]>
commit e716f764c2bb0bdec9c92b3a307b906fbd595258
Author: Karolin Seeger <[email protected]>
Date: Tue Jul 5 12:34:21 2016 +0200
WHATSNEW: Add release notes for Samba 4.3.11.
CVE-2016-2119: Client side SMB2 signing downgrade
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
Signed-off-by: Karolin Seeger <[email protected]>
commit ad8a3d9787226a569233c006a51eeaaf1b7c5860
Author: Stefan Metzmacher <[email protected]>
Date: Thu Apr 28 02:24:52 2016 +0200
CVE-2016-2019: s3:selftest: add regression tests for guest logins and
mandatory signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
Signed-off-by: Stefan Metzmacher <[email protected]>
commit 0390433f5a5722681871e91a57e827344e78f8c4
Author: Stefan Metzmacher <[email protected]>
Date: Thu Apr 28 02:36:35 2016 +0200
CVE-2016-2019: s3:libsmb: add comment regarding smbXcli_session_is_guest()
with mandatory signing
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
Signed-off-by: Stefan Metzmacher <[email protected]>
commit 559a1306d813d3f11de9fdaa5850638c62ed2d79
Author: Stefan Metzmacher <[email protected]>
Date: Wed Apr 20 11:26:57 2016 +0200
CVE-2016-2019: libcli/smb: don't allow guest sessions if we require signing
Note real anonymous sessions (with "" as username) don't hit this
as we don't even call smb2cli_session_set_session_key() in that case.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11860
Signed-off-by: Stefan Metzmacher <[email protected]>
commit 4e3541e1e8fd79aac35da73422200aca5711d89c
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jun 22 20:38:01 2016 +0200
dcerpc.idl: remove unused DCERPC_NCACN_PAYLOAD_MAX_SIZE
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Ralph Boehme <[email protected]>
(cherry picked from commit d9e242e9035c15e49b041afc61e5a4a08877f289)
commit 6a0f9dbd61362789d8fb5ea3c8e67b788529c288
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jun 22 17:18:28 2016 +0200
s4:rpc_server: use a variable for the max total reassembled request payload
We still use the same limit of 4 MByte
(DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE)
by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
Autobuild-User(master): Andrew Bartlett <[email protected]>
Autobuild-Date(master): Thu Jun 23 04:51:16 CEST 2016 on sn-devel-144
(cherry picked from commit 3f36d31c848496bf509db573e4c12821905b448d)
commit bc2963af86a66ff43725b7edf32f91c8f8a203b3
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jun 22 17:18:28 2016 +0200
s4:librpc/rpc: allow a total reassembled response payload of 240 MBytes
This will replace DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte),
The limit of DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte) was too
strict for some workloads, e.g. DRSUAPI replication with large objects.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 7413e73c5331b760dc84b3843059230ec5fcfc7b)
commit 2a8c91944b6ca4c1917c16302641d024a6559a43
Author: Stefan Metzmacher <[email protected]>
Date: Wed Jun 22 16:58:03 2016 +0200
dcerpc.idl: add DCERPC_NCACN_{REQUEST,RESPONSE}_DEFAULT_MAX_SIZE
This will replace DCERPC_NCACN_PAYLOAD_MAX_SIZE (4 MByte),
this limit is too strict for some workloads, e.g. DRSUAPI replication
with large objects.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11948
Signed-off-by: Stefan Metzmacher <[email protected]>
Reviewed-by: Andrew Bartlett <[email protected]>
(cherry picked from commit 281e11b53f676647997fb9ce21227782529a62ad)
commit 851c1863ff9fd9724a68a1e98400bd4ad3cb6904
Author: Karolin Seeger <[email protected]>
Date: Tue Jun 14 09:34:22 2016 +0200
VERSION: Bump version up to 4.3.11...
and re-enable git snapshots.
Signed-off-by: Karolin Seeger <[email protected]>
(cherry picked from commit 55785c95e7f74fb81fc95b435377a7879743dc37)
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 77 ++++++++++++++++++++++++++++-
libcli/smb/smbXcli_base.c | 19 ++++++-
librpc/idl/dcerpc.idl | 18 ++++++-
source3/libsmb/cliconnect.c | 3 ++
source3/script/tests/test_smbclient_ntlm.sh | 4 ++
source4/librpc/rpc/dcerpc.c | 5 +-
source4/librpc/rpc/dcerpc.h | 3 ++
source4/rpc_server/dcerpc_server.c | 5 +-
source4/rpc_server/dcerpc_server.h | 3 ++
10 files changed, 129 insertions(+), 10 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index a907a4b..cb1981f 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=3
-SAMBA_VERSION_RELEASE=10
+SAMBA_VERSION_RELEASE=11
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 4bad9ab..0eccb25 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,4 +1,77 @@
==============================
+ Release Notes for Samba 4.3.11
+ July 07, 2016
+ ==============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2016-2119 (Client side SMB2/3 required signing can be downgraded)
+
+=======
+Details
+=======
+
+o CVE-2016-2119:
+ It's possible for an attacker to downgrade the required signing for
+ an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST
+ or SMB2_SESSION_FLAG_IS_NULL flags.
+
+ This means that the attacker can impersonate a server being connected to by
+ Samba, and return malicious results.
+
+ The primary concern is with winbindd, as it uses DCERPC over SMB2 when
talking
+ to domain controllers as a member server, and trusted domains as a domain
+ controller. These DCE/RPC connections were intended to protected by the
+ combination of "client ipc signing" and
+ "client ipc max protocol" in their effective default settings
+ ("mandatory" and "SMB3_11").
+
+ Additionally, management tools like net, samba-tool and rpcclient use DCERPC
+ over SMB2/3 connections.
+
+ By default, other tools in Samba are unprotected, but rarely they are
+ configured to use smb signing, via the "client signing" parameter (the
default
+ is "if_required"). Even more rarely the "client max protocol" is set to
SMB2,
+ rather than the NT1 default.
+
+ If both these conditions are met, then this issue would also apply to these
+ other tools, including command line tools like smbcacls, smbcquota,
smbclient,
+ smbget and applications using libsmbclient.
+
+
+Changes since 4.3.10:
+--------------------
+
+o Stefan Metzmacher <[email protected]>
+ * BUG 11860: CVE-2016-2119: Fix client side SMB2 signing downgrade.
+ * BUG 11948: Total dcerpc response payload more than 0x400000.
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
+ ==============================
Release Notes for Samba 4.3.10
June 15, 2016
==============================
@@ -96,8 +169,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
=============================
Release Notes for Samba 4.3.9
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 419a2c0..4039e86 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5313,6 +5313,10 @@ bool smbXcli_session_is_guest(struct smbXcli_session
*session)
return false;
}
+ if (session->conn->mandatory_signing) {
+ return false;
+ }
+
if (session->conn->protocol >= PROTOCOL_SMB2_02) {
if (session->smb2->session_flags & SMB2_SESSION_FLAG_IS_GUEST) {
return true;
@@ -5567,7 +5571,7 @@ NTSTATUS smb2cli_session_set_session_key(struct
smbXcli_session *session,
const struct iovec *recv_iov)
{
struct smbXcli_conn *conn = session->conn;
- uint16_t no_sign_flags;
+ uint16_t no_sign_flags = 0;
uint8_t session_key[16];
bool check_signature = true;
uint32_t hdr_flags;
@@ -5592,7 +5596,18 @@ NTSTATUS smb2cli_session_set_session_key(struct
smbXcli_session *session,
return NT_STATUS_INVALID_PARAMETER_MIX;
}
- no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL;
+ if (!conn->mandatory_signing) {
+ /*
+ * only allow guest sessions without
+ * mandatory signing.
+ *
+ * If we try an authentication with username != ""
+ * and the server let us in without verifying the
+ * password we don't have a negotiated session key
+ * for signing.
+ */
+ no_sign_flags = SMB2_SESSION_FLAG_IS_GUEST;
+ }
if (session->smb2->session_flags & no_sign_flags) {
session->smb2->should_sign = false;
diff --git a/librpc/idl/dcerpc.idl b/librpc/idl/dcerpc.idl
index 015eb3d..527804d 100644
--- a/librpc/idl/dcerpc.idl
+++ b/librpc/idl/dcerpc.idl
@@ -535,7 +535,23 @@ interface dcerpc
const uint32 DCERPC_FRAG_MAX_SIZE = 5840;
const uint8 DCERPC_AUTH_LEN_OFFSET = 10;
const uint8 DCERPC_NCACN_PAYLOAD_OFFSET = 16;
- const uint32 DCERPC_NCACN_PAYLOAD_MAX_SIZE = 0x400000; /* 4 MByte */
+
+ /*
+ * See [MS-RPCE] 3.3.3.5.4 Maximum Server Input Data Size
+ * 4 MByte is the default limit of reassembled request payload
+ */
+ const uint32 DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE = 0x400000;
+
+ /*
+ * See [MS-RPCE] 3.3.2.5.2 Handling Responses
+ *
+ * Indicates that Windows accepts up to 0x7FFFFFFF ~2 GByte
+ *
+ * talloc has a limit of 256 MByte, so we need to use something smaller.
+ *
+ * For now we try our luck with 240 MByte.
+ */
+ const uint32 DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE = 0xf000000; /* 240
MByte */
/* little-endian flag */
const uint8 DCERPC_DREP_LE = 0x10;
diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c
index ea92c8f..ebba8f2 100644
--- a/source3/libsmb/cliconnect.c
+++ b/source3/libsmb/cliconnect.c
@@ -1588,6 +1588,9 @@ static void cli_session_setup_gensec_remote_done(struct
tevent_req *subreq)
* have a negotiated session key.
*
* So just pretend we are completely done.
+ *
+ * Note that smbXcli_session_is_guest()
+ * always returns false if we require signing.
*/
state->blob_in = data_blob_null;
state->local_ready = true;
diff --git a/source3/script/tests/test_smbclient_ntlm.sh
b/source3/script/tests/test_smbclient_ntlm.sh
index b8fc564..33a927f 100755
--- a/source3/script/tests/test_smbclient_ntlm.sh
+++ b/source3/script/tests/test_smbclient_ntlm.sh
@@ -37,4 +37,8 @@ else
testit "smbclient baduser.badpassword.NT1NEW.guest" $SMBCLIENT
//$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1 -c quit $ADDARGS
testit "smbclient baduser.badpassword.SMB3.guest" $SMBCLIENT
//$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3 -c quit $ADDARGS
+
+ testit_expect_failure "smbclient baduser.badpassword.NT1OLD.signfail"
$SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1
--option=clientusespnego=no --option=clientntlmv2auth=no --signing=required -c
quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.NT1NEW.signfail"
$SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mNT1
--signing=required -c quit $ADDARGS
+ testit_expect_failure "smbclient baduser.badpassword.SMB3.signfail"
$SMBCLIENT //$SERVER/IPC\$ $CONFIGURATION -Ubaduser%badpassword -mSMB3
--signing=required -c quit $ADDARGS
fi
diff --git a/source4/librpc/rpc/dcerpc.c b/source4/librpc/rpc/dcerpc.c
index ade742c..0fc673d 100644
--- a/source4/librpc/rpc/dcerpc.c
+++ b/source4/librpc/rpc/dcerpc.c
@@ -155,6 +155,7 @@ static struct dcecli_connection
*dcerpc_connection_init(TALLOC_CTX *mem_ctx,
*/
c->srv_max_xmit_frag = 5840;
c->srv_max_recv_frag = 5840;
+ c->max_total_response_size = DCERPC_NCACN_RESPONSE_DEFAULT_MAX_SIZE;
c->pending = NULL;
c->io_trigger = tevent_create_immediate(c);
@@ -1577,10 +1578,10 @@ static void dcerpc_request_recv_data(struct
dcecli_connection *c,
length = pkt->u.response.stub_and_verifier.length;
- if (req->payload.length + length > DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
+ if (req->payload.length + length > c->max_total_response_size) {
DEBUG(2,("Unexpected total payload 0x%X > 0x%X dcerpc
response\n",
(unsigned)req->payload.length + length,
- DCERPC_NCACN_PAYLOAD_MAX_SIZE));
+ (unsigned)c->max_total_response_size));
dcerpc_connection_dead(c, NT_STATUS_RPC_PROTOCOL_ERROR);
return;
}
diff --git a/source4/librpc/rpc/dcerpc.h b/source4/librpc/rpc/dcerpc.h
index 39d28a6..24c7948 100644
--- a/source4/librpc/rpc/dcerpc.h
+++ b/source4/librpc/rpc/dcerpc.h
@@ -107,6 +107,9 @@ struct dcecli_connection {
/* the next context_id to be assigned */
uint32_t next_context_id;
+
+ /* The maximum total payload of reassembled response pdus */
+ size_t max_total_response_size;
};
/*
diff --git a/source4/rpc_server/dcerpc_server.c
b/source4/rpc_server/dcerpc_server.c
index a303d3c..82bf77e 100644
--- a/source4/rpc_server/dcerpc_server.c
+++ b/source4/rpc_server/dcerpc_server.c
@@ -408,6 +408,7 @@ _PUBLIC_ NTSTATUS dcesrv_endpoint_connect(struct
dcesrv_context *dce_ctx,
p->allow_bind = true;
p->max_recv_frag = 5840;
p->max_xmit_frag = 5840;
+ p->max_total_request_size = DCERPC_NCACN_REQUEST_DEFAULT_MAX_SIZE;
*_p = p;
return NT_STATUS_OK;
@@ -1532,7 +1533,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct
dcesrv_connection *dce_conn,
/*
* Up to 4 MByte are allowed by all fragments
*/
- available = DCERPC_NCACN_PAYLOAD_MAX_SIZE;
+ available = dce_conn->max_total_request_size;
if (er->stub_and_verifier.length > available) {
dcesrv_call_disconnect_after(existing,
"dcesrv_auth_request - existing payload too
large");
@@ -1585,7 +1586,7 @@ static NTSTATUS dcesrv_process_ncacn_packet(struct
dcesrv_connection *dce_conn,
/*
* Up to 4 MByte are allowed by all fragments
*/
- if (call->pkt.u.request.alloc_hint >
DCERPC_NCACN_PAYLOAD_MAX_SIZE) {
+ if (call->pkt.u.request.alloc_hint >
dce_conn->max_total_request_size) {
dcesrv_call_disconnect_after(call,
"dcesrv_auth_request - initial alloc hint too
large");
return dcesrv_fault(call, DCERPC_FAULT_ACCESS_DENIED);
diff --git a/source4/rpc_server/dcerpc_server.h
b/source4/rpc_server/dcerpc_server.h
index 7e8b18a..b6fac6c 100644
--- a/source4/rpc_server/dcerpc_server.h
+++ b/source4/rpc_server/dcerpc_server.h
@@ -273,6 +273,9 @@ struct dcesrv_connection {
/* the association group the connection belongs to */
struct dcesrv_assoc_group *assoc_group;
+
+ /* The maximum total payload of reassembled request pdus */
+ size_t max_total_request_size;
};
--
Samba Shared Repository
