
Samba CVE-2016-2114: "server signing = mandatory" not enforced

Severity: 4
CVSS: (AV:N/AC:M/Au:N/C:N/I:P/A:N)
Published: Apr 12, 2016
Added: Apr 12, 2016
Modified: Apr 14, 2025

Description

Due to a regression introduced in Samba 4.0.0, an explicit "server signing = mandatory" in the [global] section of the smb.conf was not enforced for clients using the SMB1 protocol.

As a result, SMB signing is not enforced for such clients, which allows man-in-the-middle attacks.

This problem applies to all possible server roles: standalone server, member server, classic primary domain controller, classic backup domain controller and active directory domain controller.

In addition, when Samba is configured with "server role = active directory domain controller" the effective default for the "server signing" option should be "mandatory".

During the early development of Samba 4 we had a new experimental file server located under source4/smb_server. But before the final 4.0.0 release we switched back to the file server under source3/smbd.

However, the logic for the correct default of "server signing" was not ported correctly.

Note that the default for server roles other than active directory domain controller is "off", for performance reasons.

Solution(s)

samba-upgrade-4_2_11
samba-upgrade-4_3_8
samba-upgrade-4_4_2
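The following audit script is an added example written for this page; it is not Samba code and not part of the advisory. It reads the [global] section of an smb.conf, derives the signing policy the administrator expects (an explicit "server signing" value, or the documented default of "mandatory" for the active directory domain controller role and "off" otherwise), and compares the running Samba version against the fixed releases listed above (4.2.11, 4.3.8, 4.4.2) to report whether mandatory SMB1 signing is actually in effect. The sample configuration, the version strings, and the treatment of the 4.0/4.1 branches (no fix listed, so treated as affected) and of 4.5 and later (released after the fix, so treated as unaffected) are assumptions made for the example.

```python
"""Audit an smb.conf against CVE-2016-2114 (constructed example, not Samba's own code)."""
import re

# Fixed releases listed in the advisory, keyed by release branch.
FIXED_RELEASES = {(4, 2): (4, 2, 11), (4, 3): (4, 3, 8), (4, 4): (4, 4, 2)}

# Constructed sample smb.conf used only by the stand-alone run below.
SAMPLE_CONF = """
# constructed sample, not a real deployment
[global]
   workgroup = EXAMPLE
   server role = standalone server
   server signing = mandatory   ; operator expects signing to be required
[share]
   path = /srv/share
"""


def parse_global(text):
    """Return the [global] parameters of an smb.conf as a dict of normalised keys."""
    section, params = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or full-line comment
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        # smb.conf keys are case- and whitespace-insensitive; strip trailing ';' comments
        params[" ".join(key.lower().split())] = value.split(";")[0].strip().lower()
    return params


def expected_signing(params):
    """Signing policy the configuration asks for, per the advisory's default rules."""
    explicit = params.get("server signing", "")
    if explicit and explicit != "default":  # assumption: "default" behaves like unset
        return explicit
    if params.get("server role") == "active directory domain controller":
        return "mandatory"
    return "off"


def parse_version(version):
    return tuple(int(part) for part in version.split("."))


def is_affected_version(version):
    """True if this Samba version carries the regression described in the advisory."""
    v = parse_version(version)
    if v < (4, 0, 0):
        return False  # regression was introduced in 4.0.0
    branch = v[:2]
    if branch in FIXED_RELEASES:
        return v < FIXED_RELEASES[branch]
    # Assumption: 4.0/4.1 received no fix; 4.5+ shipped after the fix.
    return branch < (4, 2)


def audit(conf_text, version):
    """Combine config intent and version status into an audit verdict."""
    params = parse_global(conf_text)
    wanted = expected_signing(params)
    affected = is_affected_version(version)
    return {
        "expected_signing": wanted,
        "affected_version": affected,
        # Mandatory signing is only guaranteed for SMB1 clients on a fixed release.
        "mandatory_signing_in_effect": wanted == "mandatory" and not affected,
    }


if __name__ == "__main__":
    for ver in ("4.2.10", "4.2.11"):
        print(ver, audit(SAMPLE_CONF, ver))
```

Run it against a copy of the real smb.conf and the output of `smbd -V` to get the same three fields; an "affected_version" of True together with an "expected_signing" of "mandatory" is the condition this advisory describes, and the remedy is the upgrade listed under Solution(s).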