Note: This is a public test instance of Red Hat Bugzilla. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback at bugzilla.redhat.com.
Bug 2019660 (CVE-2016-2124) - CVE-2016-2124 samba: SMB1 client connections can be downgraded to plaintext authentication
Summary: CVE-2016-2124 samba: SMB1 client connections can be downgraded to plaintext a...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2124
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2019661 2019662 2019663 2020163 2021161 2021163 2021711
Blocks: 2022010
TreeView+ depends on / blocked
 
Reported: 2021-11-03 03:54 UTC by Huzaifa S. Sidhpurwala
Modified: 2022-05-17 09:59 UTC (History)
17 users (show)

Fixed In Version: samba 4.15.2, samba 4.14.10, samba 4.13.14
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the way samba implemented SMB1 authentication. An attacker could use this flaw to retrieve the plaintext password sent over the wire even if Kerberos authentication was required.
Clone Of:
Environment:
Last Closed: 2021-11-29 13:08:48 UTC
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2022:0018 0 None None None 2022-01-05 10:32:47 UTC
Red Hat Product Errata RHBA-2022:0019 0 None None None 2022-01-05 10:15:35 UTC
Red Hat Product Errata RHBA-2022:0147 0 None None None 2022-01-17 14:11:21 UTC
Red Hat Product Errata RHSA-2021:4843 0 None None None 2021-11-29 12:36:17 UTC
Red Hat Product Errata RHSA-2021:4844 0 None None None 2021-11-29 12:36:09 UTC
Red Hat Product Errata RHSA-2021:5082 0 None None None 2021-12-13 08:45:24 UTC
Red Hat Product Errata RHSA-2021:5192 0 None None None 2021-12-16 17:12:06 UTC
Red Hat Product Errata RHSA-2022:0008 0 None None None 2022-01-04 08:21:53 UTC
Red Hat Product Errata RHSA-2022:0074 0 None None None 2022-01-11 16:27:37 UTC
Samba Project 12444 0 None None None 2021-11-03 14:54:26 UTC

Description Huzaifa S. Sidhpurwala 2021-11-03 03:54:46 UTC
As per upstream advisory:

An attacker can downgrade a negotiated SMB1 client connection and its capabitilities.  Kerberos authentication is only possible with the SMB2/3 protocol or SMB1 using the NT1 dialect and the extended security (spnego) capability. Without mandatory SMB signing the protocol can be downgraded to an older insecure dialect like CORE, COREPLUS/CORE+, LANMAN1 or LANMAN2.  Even if SMB signing is required it's still possible to downgrade to the NT1 dialect if extended security (spnego) is not negotiated.

The attacker is able to get the plaintext password sent over the wire even if Kerberos authentication was required.

Comment 3 Huzaifa S. Sidhpurwala 2021-11-10 02:46:14 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2021711]

Comment 4 errata-xmlrpc 2021-11-29 12:36:07 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 7

Via RHSA-2021:4844 https://access.redhat.com/errata/RHSA-2021:4844

Comment 5 errata-xmlrpc 2021-11-29 12:36:16 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.5 for RHEL 8

Via RHSA-2021:4843 https://access.redhat.com/errata/RHSA-2021:4843

Comment 6 Product Security DevOps Team 2021-11-29 13:08:45 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2016-2124

Comment 7 Tomas Hoger 2021-12-01 18:36:42 UTC
Upstream advisory:
https://www.samba.org/samba/security/CVE-2016-2124.html

Comment 8 errata-xmlrpc 2021-12-13 08:45:22 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:5082 https://access.redhat.com/errata/RHSA-2021:5082

Comment 9 errata-xmlrpc 2021-12-16 17:12:04 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2021:5192 https://access.redhat.com/errata/RHSA-2021:5192

Comment 10 errata-xmlrpc 2022-01-04 08:21:51 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Extended Update Support

Via RHSA-2022:0008 https://access.redhat.com/errata/RHSA-2022:0008

Comment 11 errata-xmlrpc 2022-01-11 16:27:34 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.2 Extended Update Support

Via RHSA-2022:0074 https://access.redhat.com/errata/RHSA-2022:0074


Note You need to log in before you can comment on or make changes to this bug.