Errata overview
Errata ID 413
Date 2016-04-12
Source package samba
Fixed in version 2:4.3.7-1.827.201604110946
This update to Samba 4.3.7 addresses several security issues identified in
the Samba implementation as well as in the Microsoft Windows MS-SAMR and
MS-LSAD protocols. The latter issue has been referred to publicly as BADLOCK.
The raised security requirements of the Samba server components may require
configuration adjustments for older clients. For example, Univention Corporate
Client (UCC) 1.0 running a Linux kernel version prior to 3.8 requires an
adjustment of the mount.cifs options: the value of the mount option "sec"
needs to be changed to "ntlmsspi", e.g. by setting

ucr set ucc/mount/cifshome/options="serverino,sec=ntlmsspi"

UCC 2.x clients (i.e. Linux kernel 3.8 or newer) don't require this adjustment.
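As an added example (not part of the Univention errata), the following POSIX shell script decides whether the running client kernel falls under the "prior to 3.8" rule above and prints the matching ucr command with "sec=ntlmsspi" merged into the existing option list, rather than blindly overwriting it. It assumes the UCR key ucc/mount/cifshome/options named above and that "ucr get" is available on the client; where it is not, the current value is treated as empty.

```shell
#!/bin/sh
# Added example, not part of the Univention errata text.
# Decide whether the mount.cifs "sec" option must be switched to ntlmsspi
# for this UCC client and print the ucr command that does it.

# Returns 0 (true) if the given kernel version string is older than 3.8.
# Handles Debian-style versions such as "3.2.0-4-amd64" or "3.8-rc1".
kernel_needs_ntlmsspi() {
    major=$(printf '%s' "$1" | cut -d. -f1)
    minor=$(printf '%s' "$1" | cut -s -d. -f2)
    major=${major%%[!0-9]*}      # strip any non-numeric suffix
    minor=${minor%%[!0-9]*}      # "8-rc1" -> "8"
    [ "${major:-0}" -lt 3 ] && return 0
    [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -lt 8 ] && return 0
    return 1
}

# Prints the comma-separated option list with any existing "sec=..." entry
# replaced by "sec=ntlmsspi", or with "sec=ntlmsspi" appended if none exists.
# Other options (e.g. "serverino") are kept unchanged.
with_ntlmsspi() {
    out=""
    seen=0
    old_ifs=$IFS
    IFS=','
    for o in $1; do
        [ -n "$o" ] || continue
        case "$o" in
            sec=*) o="sec=ntlmsspi"; seen=1 ;;
        esac
        out="${out:+$out,}$o"
    done
    IFS=$old_ifs
    [ "$seen" -eq 1 ] || out="${out:+$out,}sec=ntlmsspi"
    printf '%s\n' "$out"
}

# Stand-alone use: inspect this machine's kernel and report what to do.
running=$(uname -r)
if kernel_needs_ntlmsspi "$running"; then
    # Assumed: "ucr get" returns the current value; absent tool -> empty.
    current=$(ucr get ucc/mount/cifshome/options 2>/dev/null || true)
    printf 'kernel %s is older than 3.8; run:\n' "$running"
    printf '  ucr set ucc/mount/cifshome/options="%s"\n' "$(with_ntlmsspi "$current")"
else
    printf 'kernel %s needs no mount.cifs adjustment\n' "$running"
fi
```

Merging rather than overwriting matters because the UCR value may already carry site-specific options besides "serverino"; the script only touches the "sec" entry.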

Details of the vulnerabilities fixed in this update:

* Errors in the Samba DCE-RPC code could potentially lead to denial of service
  (crashes and high CPU consumption) and man-in-the-middle attacks.
  It was unlikely but not impossible to trigger remote code execution,
  which could result in impersonation on the client side.
  For details see
* Man-in-the-middle downgrade attacks have been possible with NTLMSSP.
  For details see
* There has been a NETLOGON computer name spoofing vulnerability.
  For details see
* The LDAP client and server didn't enforce integrity protection.
  For details see
* Missing TLS certificate validation allows man-in-the-middle attacks.
  For details see
* The setting "server signing = mandatory" was not enforced.
  For details see
* SMB client connections for IPC traffic have not been integrity protected.
  For details see
* SAMR and LSA man-in-the-middle attacks have been possible (BADLOCK).
  For details see
* The regression patch from Samba 4.3.8 is included in this update.
Additional notes
CVE ID CVE-2015-5370
UCS Bug number #40990