Samba CVE-2016-2114: "server signing = mandatory" not enforced
| Severity | CVSS | Published | Added | Modified |
|---|---|---|---|---|
| 4 | (AV:N/AC:M/Au:N/C:N/I:P/A:N) | April 12, 2016 | April 12, 2016 | October 30, 2017 |
Description
The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "server signing = mandatory" setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream.
Free Nexpose Download
Discover, prioritize, and remediate security risks today!
References
Solution
samba-upgrade-4_2_11Related Vulnerabilities
- Gentoo Linux: CVE-2016-2114: Samba: Multiple vulnerabilities
- RHSA-2016:0618: samba security, bug fix, and enhancement update
- Huawei EulerOS: CVE-2016-2114: samba security update
- Amazon Linux AMI: Security patch for samba (ALAS-2016-686) (multiple CVEs)
- Debian: CVE-2016-2114: samba -- security update
- Oracle Solaris 11: CVE-2016-2114: Vulnerability in Samba
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 5
- CentOS: (CVE-2016-2114) CESA-2016:0612: ipa, libldb, libtalloc, libtdb, libtevent, openchange, samba, samba4
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 4
- SUSE: CVE-2016-2114: SUSE Linux Security Advisory
- RHSA-2016:0612: samba and samba4 security, bug fix, and enhancement update
- RHSA-2016:0620: samba4 security, bug fix, and enhancement update
- Ubuntu: USN-2950-1 (CVE-2016-2114): Samba vulnerabilities
- Alpine Linux: CVE-2016-2114: samba Multiple security issues
- FreeBSD: samba -- multiple vulnerabilities (Multiple CVEs)
- Vulnerabilities deemed not relevant on Red Hat Enterprise Linux 6
- Oracle Linux: (CVE-2016-2114) ELSA-2016-0612: samba and samba4 security, bug fix, and enhancement update