Description: The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not enforce the "server signing = mandatory" setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream. Because the configured setting is not enforced, a server whose smb.conf already requests mandatory signing still accepts unsigned SMB1 sessions; upgrading to a fixed release (4.2.11, 4.3.8 or 4.4.2) is the remedy.
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N (base score 5.9; exploitability subscore 2.2, impact subscore 3.6)
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: None
Integrity: High
Availability: None
Affected packages: 4. Also affects: Ubuntu Linux 14.04, 15.10, 16.04
Vulnerability details (6)
GHSA GHSA-qg5v-7xq3-qwf4: The SMB1 protocol implementation in Samba 4 (2022-05-17)
OSV: samba regression (2016-05-25)
OSV: samba regressions (2016-05-04)
OSV: libsoup2.4 update (2016-05-04)
OSV: CVE-2016-2114: The SMB1 protocol implementation in Samba 4 (2016-04-25)

Vendor advisories (7)
Ubuntu: Samba regression (2016-05-25)
Ubuntu: Samba regressions (2016-05-18)
Ubuntu: libsoup update (2016-05-04)
Ubuntu: Samba regressions (2016-05-04)
Ubuntu: Samba vulnerabilities (2016-04-18)

Community (2)
Bugzilla: CVE-2015-5370 CVE-2016-2110 CVE-2016-2111 CVE-2016-2112 CVE-2016-2113 CVE-2016-2114 CVE-2016-2115 CVE-2016-2118 samba: various flaws [fedora-all] (2016-04-12)
Bugzilla: CVE-2016-2114 samba: Samba based active directory domain controller does not enforce smb signing (2016-02-25)