Red Hat Product Security has been made aware of a protocol flaw in the DCE/RPC-based SAMR and LSA protocols used in the Microsoft Windows Active Directory infrastructure. This issue has been assigned CVE-2016-2118 and is rated as Important. Other related vulnerabilities, ranging from Moderate to Critical and described in Critical Security Flaws in Samba Released on April 12 2016 , have also been made public.
Note: This is a protocol issue and affects all applications implementatioing this protocol, including Samba - CVE-2016-2118, and Microsoft Windows - CVE-2016-0128.More information...
Risk can be reduced by not using privileged accounts to access SMB/CIFS services until a package containing a fix has been applied. Restrict administrative access to physical hardware (console, server), so that authentication does not involve any network communication.
New smb.conf configuration option
This update introduces the following new smb.conf file configuration option:allow dcerpc auth level connect (G)
This option controls whether DCE/RPC services can be used with
DCERPC_AUTH_LEVEL_CONNECT, which provides authentication, but no per-message integrity (SIGN) nor privacy protection (SEAL).
Some interfaces like SAMR, LSARPC, and netlogon have a hardcoded default of no; epmapper, mgmt, and rpcecho have a hardcoded default of yes.
The behavior can be overwritten per interface name (for example, lsarpc, netlogon, samr, srvsvc, winreg, or wkssvc) by specifying 'allow dcerpc auth level connect:interface = yes'.
This option yields precedence to any implementation-specific restrictions. For example:
* The drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
* The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.Default
: allow dcerpc auth level connect = noExample
: allow dcerpc auth level connect = yes