Описание
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
A flaw was found in the way samba client used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
Отчет
The samba4 package in Red Hat Enterprise Linux 6, is a tech preview and by default uses the SMB1 protocol, therefore though affected by this flaw, will not be addressed in a security update.
Меры по смягчению последствий
Keep the default of "client max protocol = NT1".
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 5 | samba | Not affected | ||
| Red Hat Enterprise Linux 5 | samba3x | Not affected | ||
| Red Hat Enterprise Linux 6 | samba | Not affected | ||
| Red Hat Enterprise Linux 6 | samba4 | Will not fix | ||
| Red Hat Enterprise Linux 7 | samba | Fixed | RHSA-2017:2790 | 21.09.2017 |
| Red Hat Gluster Storage 3.3 for RHEL 6 | samba | Fixed | RHSA-2017:2858 | 04.10.2017 |
| Red Hat Gluster Storage 3.3 for RHEL 7 | samba | Fixed | RHSA-2017:2858 | 04.10.2017 |
Показывать по
Дополнительная информация
Статус:
7.4 High
CVSS3
Связанные уязвимости
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
A flaw was found in the way samba client before samba 4.4.16, samba 4. ...
A flaw was found in the way samba client before samba 4.4.16, samba 4.5.14 and samba 4.6.8 used encryption with the max protocol set as SMB3. The connection could lose the requirement for signing and encrypting to any DFS redirects, allowing an attacker to read or alter the contents of the connection via a man-in-the-middle attack.
Уязвимость пакета программ для сетевого взаимодействия Samba, связанная с отсутствием требования подписи и шифрования SMB-трафика при использовании перенаправлений DFS, позволяющая нарушителю реализовать атаку «человек посередине»
7.4 High
CVSS3