search cancel

SMB security vulnerability (CVE-2016-2115) reported on Siteminder server

book

Article ID: 256631

calendar_today

Updated On:

Products

SITEMINDER

Issue/Introduction

Security scans may return a report that they have found SMB vulnerabilities (SMB Signing not required) on servers running Siteminder components related to 'CVE-2016-2115'

CVE-2016-2115: "Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream."

Enforce message signing in the host's configuration. On Windows, this is found in the policy setting 'Microsoft network server: Digitally sign communications (always)'. On Samba, the setting is called 'server signing'. See the 'see also' links for further details.

http://www.nessus.org/u?df39b8b3
http://technet.microsoft.com/en-us/library/cc731957.aspx
http://www.nessus.org/u?74b80723
https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html
http://www.nessus.org/u?a3cac4ea

 

 

 

 

 

 

Environment

Release : 12.8.x

Cause

By default SMB does not require signing in these versions. 

Resolution

Enable SMB signing on the impacted servers.  This is handled at the OS level and is not a function of Siteminder.  Technically, if you set the client signing to mandatory and the server signing to disabled, both communications will be signed and secured. It is not needed to set both to mandatory.  Likewise, I believe you can set the Server to mandatory, regardless of the client setting.

WINDOWS

If you are running on Windows, this is set as a Group Policy using the Group Policy Editor

EXAMPLE: 

Local Computer Policy -> Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options

Policies:
Microsoft network client: Digitally sign communications (always)  [Enabled | Disabled]
Microsoft network client: Digitally sign communications (if server agrees) [Enabled | Disabled]

Microsoft network server: Digitally sign communications (always)  [Enabled | Disabled]
Microsoft network server: Digitally sign communications (if server agrees) [Enabled | Disabled]

========================
Traditionally, this is also controlled at the registry level:

Policy: "Microsoft network client: Digitally sign communications (always)"
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters

RequireSecuritySignature = 1 or 0

-------------------------

Microsoft network client: Digitally sign communications (if server agrees)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManWorkstation\Parameters

EnableSecuritySignature = 1 or 0

-------------------------

Microsoft network server: Digitally sign communications (always)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

RequireSecuritySignature = 1 or 0

-------------------------

Microsoft network server: Digitally sign communications (if client agrees)
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

EnableSecuritySignature = 1 or 0
========================

LINUX

In Linux, this is controlled in a security parameter in the [global] section in [/etc/samba/smb.conf]

The security parameter in the [global] section in the /etc/samba/smb.conf file manages how Samba authenticates users that are connecting to the service. Depending on the mode you install Samba in, the parameter must be set to different values:

=> On an AD domain member, set security = ads
In this mode, Samba uses Kerberos to authenticate AD users.

For details about setting up Samba as a domain member, see Setting up Samba as an AD domain member server.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_Deploying-different-types-of-servers#assembly_setting-up-samba-as-an-ad-domain-member-server_assembly_using-samba-as-a-server

=> On a standalone server, set security = user
In this mode, Samba uses a local database to authenticate connecting users.

For details about setting up Samba as a standalone server, see Setting up Samba as a standalone server.
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_Deploying-different-types-of-servers#assembly_setting-up-samba-as-a-standalone-server_assembly_using-samba-as-a-server

=> On an NT4 PDC or BDC, set security = user
In this mode, Samba authenticates users to a local or LDAP database.

=> On an NT4 domain member, set security = domain
In this mode, Samba authenticates connecting users to an NT4 PDC or BDC. You cannot use this mode on AD domain members.

 

Additional Information

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2115

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/deploying_different_types_of_servers/assembly_using-samba-as-a-server_deploying-different-types-of-servers

https://techcommunity.microsoft.com/t5/storage-at-microsoft/configure-smb-signing-with-confidence/ba-p/2418102

http://www.nessus.org/u?df39b8b3

http://technet.microsoft.com/en-us/library/cc731957.aspx

http://www.nessus.org/u?74b80723

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html

ttp://www.nessus.org/u?a3cac4ea