#VU8516 Man-in-the-Middle attack in Samba - CVE-2017-12150


Vulnerability identifier: #VU8516

Vulnerability risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2017-12150

CWE-ID: CWE-310

Exploitation vector: Local network

Exploit availability: No

Vulnerable software:
Samba
Server applications / Directory software, identity management

Vendor: Samba

Description
The vulnerability allows a remote attacker to perform a MitM attack.

The vulnerability exists because several Samba tools do not require signing for SMB connections. The affected tools are:
- 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e';
- the python binding exported as 'samba.samba3.libsmb_samba_internal' doesn't make use of the "client signing" smb.conf option;
- libgpo as well as 'net ads gpo' doesn't require SMB signing when fetching group policies;
- commandline tools like 'smbclient', 'smbcacls' and 'smbcquotas' allow a fallback to an anonymous connection when using the '--use-ccache' option, and this happens even if SMB signing is required.

Successful exploitation of the vulnerability may allow an attacker to perform a MitM attack and gain access to potentially sensitive information or elevate privileges on the server.
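The common thread in the list above is the "client signing" smb.conf option: the affected tools either ignore it or fall back to an unsigned (anonymous) session. As an added example that is not part of this bulletin or of the Samba project's own code, the following Python script parses an smb.conf and reports whether client-side signing is actually set to a required value in the [global] section. The smb.conf grammar it handles is the subset needed for this check, and the grouping of accepted value spellings ('mandatory', 'auto', 'disabled' and their aliases) is this example's reading of the smb.conf(5) manual page; the two sample configurations are constructed for the demonstration.

```python
"""Audit the "client signing" option in an smb.conf [global] section.

Added example, not Samba project code. The value spellings below are
assumed from smb.conf(5); the sample configurations are constructed.
"""
import re

# Value spellings for "client signing" grouped by effect (assumed from smb.conf(5)).
SIGNING_REQUIRED = {"mandatory", "required", "force", "forced"}
SIGNING_DISABLED = {"disabled", "no", "false", "off", "0"}
SIGNING_NEGOTIATED = {"default", "auto", "desired", "yes", "true", "on", "enabled", "1"}


def _normalise_key(name):
    """Samba matches parameter names case-insensitively and ignores whitespace,
    so 'Client Signing' and 'clientsigning' name the same parameter."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Parse smb.conf text into {section: {normalised_key: value}}.

    Handles [section] headers, 'key = value' lines, full-line comments
    starting with '#' or ';', and backslash line continuation. A later
    definition of the same key overrides an earlier one, as in Samba.
    """
    sections = {}
    current = None
    pending = ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # continued on the next line
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_normalise_key(key)] = value.strip()
    return sections


def client_signing_status(conf_text):
    """Classify the 'client signing' setting of an smb.conf.

    Returns (status, raw_value) with status one of 'required', 'negotiated',
    'disabled', 'unset' or 'unknown'. Only 'required' refuses a session in
    which signing has been negotiated away by a peer on the path.
    """
    global_section = parse_smb_conf(conf_text).get("global", {})
    value = global_section.get("clientsigning")
    if value is None:
        return "unset", None             # Samba's compiled-in default applies
    v = value.lower()
    if v in SIGNING_REQUIRED:
        return "required", value
    if v in SIGNING_DISABLED:
        return "disabled", value
    if v in SIGNING_NEGOTIATED:
        return "negotiated", value
    return "unknown", value


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """\
# signing is only negotiated here, so an on-path peer can strip it
[global]
    workgroup = EXAMPLE
    Client Signing = auto
"""

HARDENED_CONF = """\
[global]
    workgroup = EXAMPLE
    client signing = mandatory
"""

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        status, value = client_signing_status(conf)
        print(f"{name:9s} client signing = {value!r:12s} -> {status}")
```

The check is necessary but not sufficient for the versions listed in this bulletin: the python binding, libgpo and 'net ads gpo' ignore the option altogether, and the '--use-ccache' anonymous fallback happens even when signing is required, so a 'required' result from this audit only means the configuration is right once the vendor patch or a fixed release is installed.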

Mitigation
Install patch from vendor's website:
https://www.samba.org/samba/ftp/patches/security/samba-4.4.15-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.5.13-security-2017-09-20.patch
https://www.samba.org/samba/ftp/patches/security/samba-4.6.7-security-2017-09-20.patch

Additionally, Samba 4.6.8, 4.5.14 and 4.4.16 have been issued as security releases to correct the defect.

Vulnerable software versions

Samba: 3.0.25c - 3.0.29, 3.1.0, 3.2.0 - 3.2.15, 3.3.0 - 3.3.16, 3.4.0 - 3.4.17, 3.5.0 - 3.5.22, 3.6.0 - 3.6.25, 4.0.0 - 4.0.26, 4.1.0 - 4.1.23, 4.2.0 - 4.2.14, 4.3.0 - 4.3.13, 4.4.0 rc4 - 4.4.15, 4.5.0 - 4.5.13, 4.6.0 - 4.6.7


External links
https://www.samba.org/samba/security/CVE-2017-12150.html


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the local network (LAN).

Is there known malware which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.
