frame

Howdy, Stranger!

It looks like you're new here. If you want to get involved, click one of these buttons!

Sign In Register

Badlock Security flaw in Samba

Red Hat Product Security has been made aware of a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure. This issue has been assigned CVE-2016-2118 and is rated as Important. Other related vulnerabilities, ranging from Moderate to Critical and described in Critical Security Flaws in Samba Released on April 12 2016 , have also been made public.

Note: This is a protocol issue and affects all applications implementatioing this protocol, including Samba - CVE-2016-2118, and Microsoft Windows - CVE-2016-0128.

More information...

Mitigation

Risk can be reduced by not using privileged accounts to access SMB/CIFS services until a package containing a fix has been applied. Restrict administrative access to physical hardware (console, server), so that authentication does not involve any network communication.

Resolution

New smb.conf configuration option
This update introduces the following new smb.conf file configuration option:

allow dcerpc auth level connect (G)

This option controls whether DCE/RPC services can be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per-message integrity (SIGN) nor privacy protection (SEAL).
Some interfaces like SAMR, LSARPC, and netlogon have a hardcoded default of no; epmapper, mgmt, and rpcecho have a hardcoded default of yes.
The behavior can be overwritten per interface name (for example, lsarpc, netlogon, samr, srvsvc, winreg, or wkssvc) by specifying 'allow dcerpc auth level connect:interface = yes'.
This option yields precedence to any implementation-specific restrictions. For example:
* The drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
* The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.

Default: allow dcerpc auth level connect = no
Example: allow dcerpc auth level connect = yes
Sign In or Register to comment.

Learn how to install a web and database server, email, FTP client or other applications. Discover and share information on server security or optimization recommendations.
Feel free to join our constantly expanding community, participate in discussions, strengthen your knowledge on Linux and Windows server management!
© 2013 - 2021 Time4VPS. All rights reserved.

Get In Touch