frame
Howdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Sign In RegisterHowdy, Stranger!
It looks like you're new here. If you want to get involved, click one of these buttons!
Quick Links
Categories
- 496 All Categories
- 312 General
- 144 General Discussions
- 67 Feature Request/Bug Report
- 56 Sales Questions and Answers
- 16 Time4VPS Life
- 14 Help requests
- 16 Server management
- 220 Tutorials
- 51 Various Tutorials
- 40 Web hosting control panels
- 40 Performance and Security
- 25 Web Applications
- 44 Linux Applications
- 20 Windows VPS
Badlock Security flaw in Samba
Roman
Member
Red Hat Product Security has been made aware of a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure. This issue has been assigned CVE-2016-2118 and is rated as Important. Other related vulnerabilities, ranging from Moderate to Critical and described in Critical Security Flaws in Samba Released on April 12 2016 , have also been made public.
Note: This is a protocol issue and affects all applications implementatioing this protocol, including Samba - CVE-2016-2118, and Microsoft Windows - CVE-2016-0128.
More information...
This update introduces the following new smb.conf file configuration option:
allow dcerpc auth level connect (G)
This option controls whether DCE/RPC services can be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per-message integrity (SIGN) nor privacy protection (SEAL).
Some interfaces like SAMR, LSARPC, and netlogon have a hardcoded default of no; epmapper, mgmt, and rpcecho have a hardcoded default of yes.
The behavior can be overwritten per interface name (for example, lsarpc, netlogon, samr, srvsvc, winreg, or wkssvc) by specifying 'allow dcerpc auth level connect:interface = yes'.
This option yields precedence to any implementation-specific restrictions. For example:
* The drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
* The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
Default: allow dcerpc auth level connect = no
Example: allow dcerpc auth level connect = yes
Note: This is a protocol issue and affects all applications implementatioing this protocol, including Samba - CVE-2016-2118, and Microsoft Windows - CVE-2016-0128.
More information...
Mitigation
Risk can be reduced by not using privileged accounts to access SMB/CIFS services until a package containing a fix has been applied. Restrict administrative access to physical hardware (console, server), so that authentication does not involve any network communication.Resolution
New smb.conf configuration optionThis update introduces the following new smb.conf file configuration option:
allow dcerpc auth level connect (G)
This option controls whether DCE/RPC services can be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per-message integrity (SIGN) nor privacy protection (SEAL).
Some interfaces like SAMR, LSARPC, and netlogon have a hardcoded default of no; epmapper, mgmt, and rpcecho have a hardcoded default of yes.
The behavior can be overwritten per interface name (for example, lsarpc, netlogon, samr, srvsvc, winreg, or wkssvc) by specifying 'allow dcerpc auth level connect:interface = yes'.
This option yields precedence to any implementation-specific restrictions. For example:
* The drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
* The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
Default: allow dcerpc auth level connect = no
Example: allow dcerpc auth level connect = yes
foot
Feel free to join our constantly expanding community, participate in discussions, strengthen your knowledge on Linux and Windows server management!
© 2013 - 2024 Time4VPS. All rights reserved.