From 02c216582331ee4bafc6f558c3c7de65d08c655f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Sep 2015 21:17:02 +0200
Subject: [PATCH 1/3] CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in do_connect()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/clidfs.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/source3/libsmb/clidfs.c b/source3/libsmb/clidfs.c
index b823370..5dfddee 100644
--- a/source3/libsmb/clidfs.c
+++ b/source3/libsmb/clidfs.c
@@ -114,6 +114,11 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
const char *domain;
NTSTATUS status;
int flags = 0;
+ int signing_state = get_cmdline_auth_info_signing_state(auth_info);
+
+ if (force_encrypt) {
+ signing_state = SMB_SIGNING_REQUIRED;
+ }
/* make a copy so we don't modify the global string 'service' */
servicename = talloc_strdup(ctx,share);
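Review bot: The override under `if (force_encrypt)` silently replaces whatever signing state `auth_info` carried, and nothing at that spot explains why. A short comment such as `/* encryption without mandatory signing can be undone by a man in the middle, so force signing here */` would keep the rationale in the code rather than only in the commit subject. A `DEBUG` line when the command-line value is raised to `SMB_SIGNING_REQUIRED` would also help someone who passed a conflicting signing option understand a later connection failure. do_connect's body starts and ends outside this hunk.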
@@ -152,7 +157,7 @@ static NTSTATUS do_connect(TALLOC_CTX *ctx,
status = cli_connect_nb(
server, NULL, port, name_type, NULL,
- get_cmdline_auth_info_signing_state(auth_info),
+ signing_state,
flags, &c);
if (!NT_STATUS_IS_OK(status)) {
--
2.5.0
From 9e607c8fd3dfb6091477a34b1bbdfa18526c9f98 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Sep 2015 21:17:02 +0200
Subject: [PATCH 2/3] CVE-2015-5296: s3:libsmb: force signing when requiring
encryption in SMBC_server_internal()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
source3/libsmb/libsmb_server.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/source3/libsmb/libsmb_server.c b/source3/libsmb/libsmb_server.c
index 5410099..0a58d8c 100644
--- a/source3/libsmb/libsmb_server.c
+++ b/source3/libsmb/libsmb_server.c
@@ -273,6 +273,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
char *newserver, *newshare;
int flags = 0;
struct smbXcli_tcon *tcon = NULL;
+ int signing_state = SMB_SIGNING_DEFAULT;
ZERO_STRUCT(c);
*in_cache = false;
@@ -439,6 +440,10 @@ SMBC_server_internal(TALLOC_CTX *ctx,
flags |= CLI_FULL_CONNECTION_USE_NT_HASH;
}
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = SMB_SIGNING_REQUIRED;
+ }
+
if (port == 0) {
if (share == NULL || *share == '\0' || is_ipc) {
/*
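Review bot: The test `smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE` makes signing mandatory for every non-none level, including one where encryption is only requested rather than required. A connection to a server that cannot sign may therefore now fail where it previously succeeded; that looks like the intended, safer choice, but it deserves a comment saying so. The same condition and assignment are repeated in the SMBC_attr_server hunk (`@@ -766,6 +772,9`), so a small static helper that maps the context's encryption level to a signing state would keep the two connection paths from drifting apart. SMBC_server_internal's body continues outside this hunk.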
@@ -446,7 +451,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
*/
status = cli_connect_nb(server_n, NULL, NBT_SMB_PORT, 0x20,
smbc_getNetbiosName(context),
- SMB_SIGNING_DEFAULT, flags, &c);
+ signing_state, flags, &c);
}
}
@@ -456,7 +461,7 @@ SMBC_server_internal(TALLOC_CTX *ctx,
*/
status = cli_connect_nb(server_n, NULL, port, 0x20,
smbc_getNetbiosName(context),
- SMB_SIGNING_DEFAULT, flags, &c);
+ signing_state, flags, &c);
}
if (!NT_STATUS_IS_OK(status)) {
@@ -745,6 +750,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
ipc_srv = SMBC_find_server(ctx, context, server, "*IPC$",
pp_workgroup, pp_username, pp_password);
if (!ipc_srv) {
+ int signing_state = SMB_SIGNING_DEFAULT;
/* We didn't find a cached connection. Get the password */
if (!*pp_password || (*pp_password)[0] == '\0') {
@@ -766,6 +772,9 @@ SMBC_attr_server(TALLOC_CTX *ctx,
if (smbc_getOptionUseCCache(context)) {
flags |= CLI_FULL_CONNECTION_USE_CCACHE;
}
+ if (context->internal->smb_encryption_level != SMBC_ENCRYPTLEVEL_NONE) {
+ signing_state = SMB_SIGNING_REQUIRED;
+ }
nt_status = cli_full_connection(&ipc_cli,
lp_netbios_name(), server,
@@ -774,7 +783,7 @@ SMBC_attr_server(TALLOC_CTX *ctx,
*pp_workgroup,
*pp_password,
flags,
- SMB_SIGNING_DEFAULT);
+ signing_state);
if (! NT_STATUS_IS_OK(nt_status)) {
DEBUG(1,("cli_full_connection failed! (%s)\n",
nt_errstr(nt_status)));
--
2.5.0
From 289cbf6636e02c1e5125de990e0b22bbb30a0504 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Sep 2015 21:23:25 +0200
Subject: [PATCH 3/3] CVE-2015-5296: libcli/smb: make sure we require signing
when we demand encryption on a session
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11536
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
---
libcli/smb/smbXcli_base.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/libcli/smb/smbXcli_base.c b/libcli/smb/smbXcli_base.c
index 69599bd..b00afbc 100644
--- a/libcli/smb/smbXcli_base.c
+++ b/libcli/smb/smbXcli_base.c
@@ -5085,6 +5085,9 @@ uint8_t smb2cli_session_security_mode(struct smbXcli_session *session)
if (conn->mandatory_signing) {
security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
}
+ if (session->smb2->should_sign) {
+ security_mode |= SMB2_NEGOTIATE_SIGNING_REQUIRED;
+ }
return security_mode;
}
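Review bot: The two consecutive `if` blocks set the same bit and read more clearly as one condition, `if (conn->mandatory_signing || session->smb2->should_sign) {`. That makes it explicit that either the connection-level or the session-level requirement is enough to advertise `SMB2_NEGOTIATE_SIGNING_REQUIRED`. The start of smb2cli_session_security_mode is outside the hunk, so whether `session->smb2` is guaranteed to be set at this point cannot be confirmed from here.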
@@ -5383,6 +5386,14 @@ NTSTATUS smb2cli_session_set_channel_key(struct smbXcli_session *session,
NTSTATUS smb2cli_session_encryption_on(struct smbXcli_session *session)
{
+ if (!session->smb2->should_sign) {
+ /*
+ * We need required signing on the session
+ * in order to prevent man in the middle attacks.
+ */
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
if (session->smb2->should_encrypt) {
return NT_STATUS_OK;
}
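Review bot: The new early return hands callers `NT_STATUS_INVALID_PARAMETER_MIX` with no log output, so a client that asked for encryption on a session without required signing gets an opaque failure. A `DEBUG` message next to the return, naming the missing signing requirement, would make this diagnosable. The comment could also say what is being prevented (presumably a downgrade of the encryption request) instead of the generic "man in the middle attacks". Callers that did not expect this function to fail for an established session are outside this patch and worth checking; the function body continues past the hunk.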
--
2.5.0