Jens Viebig
2023-Jul-07 11:01 UTC
[Samba] server signing = mandatory/required broken in 4.17.5 ?
We are using samba on RedHat 8.8. The latest samba version available for RHEL8 is samba 4.17.5. Since samba was updated to 4.17.5 from 4.16.4, the "server signing = mandatory" config option seems to be broken. Nessus scans report a vulnerability on server signing not required:

SMB Signing not required
VULNERABILITY MEDIUM
PLUGIN ID 57608
Description
Signing is not required on the remote SMB server. An unauthenticated, remote attacker can exploit this to conduct man-in-the-middle attacks against the SMB server.

Our smb.conf looks like this:

# See smb.conf.example for a more detailed config file or
# read the smb.conf manpage.
# Run 'testparm' to verify the config is correct after
# you modified it.

[global]
workgroup = SAMBA
security = user
passdb backend = tdbsam
server signing = mandatory
map to guest = Never
restrict anonymous = 2

[someshare]
comment = This is a share for some share
path = /var/someshare
read only = no
writable = yes
public = no
guest ok = no
guest only = no
valid users = someuser
browsable = yes
force user = someotheruser
force group = someothergroup
browseable = yes

Testing the configuration with testparm gives this output:

testparm
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Weak crypto is allowed by GnuTLS (e.g. NTLM as a compatibility fallback)
Server role: ROLE_STANDALONE

Press enter to see a dump of your service definitions

# Global parameters
[global]
restrict anonymous = 2
security = USER
server signing = required
workgroup = SAMBA
idmap config * : backend = tdb

[someshare]
comment = This is a share for SDC Ingest
force group = someothergroup
force user = someotheruser
path = /var/someshare
read only = No
valid users = someuser

We also tried to change "server signing = mandatory" to "server signing = required" in the original config, without effect.

When downgrading to 4.16.4 Nessus reports a clean scan; when upgrading to 4.17.5 again, the vulnerability shows up again.

Is this a known issue in 4.17.5?
Would an upgrade to a later version help (unfortunately currently unavailable for RHEL8)?
Is there any known change from 4.16 to 4.17 that could explain this issue?

Thanks
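The post shows the gap a practitioner has to close here: testparm confirms that smb.conf sets "server signing = required", yet the scanner (Nessus plugin 57608) still reports signing as not required, because the scanner judges the SecurityMode bits the server actually advertises in its SMB2 NEGOTIATE response, not the configuration file. The script below is an added example, not code from the post or from the Samba project: it parses an SMB2 NEGOTIATE response and classifies the signing posture the way such a scan does, and separately checks the smb.conf text for the enforcing value. The packet bytes are constructed by hand for the example (a real check would feed in the bytes returned by the server on TCP/445), and the treatment of every value other than mandatory/required as "not enforced" is an assumption about a standalone server, taken from the testparm output in the post that prints "mandatory" back as "required".

```python
"""Added example (not from the mailing-list post): check the signing bits a
server actually advertises in its SMB2 NEGOTIATE response, which is what a
scanner such as Nessus plugin 57608 looks at, independently of what smb.conf
and testparm say. Packets below are constructed by hand, not captured."""
import struct

SMB2_MAGIC = b"\xfeSMB"
SMB2_NEGOTIATE = 0x0000
SMB2_FLAGS_SERVER_TO_REDIR = 0x00000001   # set on every server-to-client message
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001   # SecurityMode bit: signing supported
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002  # SecurityMode bit: signing enforced

# SMB2 header (64 bytes) and fixed part of the NEGOTIATE response (64 bytes)
HEADER_FMT = "<4sHHIHHIIQIIQ16s"
NEGOTIATE_RESP_FMT = "<HHHH16sIIIIQQHHI"


def build_negotiate_response(security_mode, dialect=0x0311):
    """Construct a minimal SMB2 NEGOTIATE response with the given SecurityMode.
    Constructed test input only; a real check reads the server's own bytes."""
    header = struct.pack(
        HEADER_FMT,
        SMB2_MAGIC, 64, 0, 0, SMB2_NEGOTIATE, 1, SMB2_FLAGS_SERVER_TO_REDIR,
        0, 0, 0, 0, 0, b"\x00" * 16,
    )
    body = struct.pack(
        NEGOTIATE_RESP_FMT,
        65, security_mode, dialect, 0, b"\x00" * 16,  # StructureSize, mode, dialect, ctx count, GUID
        0, 0x800000, 0x800000, 0x800000,              # Capabilities, Max{Transact,Read,Write}Size
        0, 0,                                         # SystemTime, ServerStartTime
        128, 0, 0,                                    # SecurityBuffer offset/length, ctx offset
    )
    return header + body


def parse_negotiate_response(packet):
    """Return the dialect and SecurityMode of an SMB2 NEGOTIATE response,
    rejecting anything that is not a successful server-to-client NEGOTIATE."""
    if len(packet) < struct.calcsize(HEADER_FMT) + struct.calcsize(NEGOTIATE_RESP_FMT):
        raise ValueError("too short for SMB2 header plus NEGOTIATE response")
    magic, size, _, status, command, _, flags = struct.unpack_from("<4sHHIHHI", packet, 0)
    if magic != SMB2_MAGIC or size != 64:
        raise ValueError("not an SMB2 header")
    if command != SMB2_NEGOTIATE or not flags & SMB2_FLAGS_SERVER_TO_REDIR:
        raise ValueError("not a server NEGOTIATE response")
    if status != 0:
        raise ValueError("NEGOTIATE failed with NTSTATUS 0x%08x" % status)
    body_size, security_mode, dialect = struct.unpack_from("<HHH", packet, 64)
    if body_size != 65:
        raise ValueError("unexpected NEGOTIATE response StructureSize %d" % body_size)
    return {"dialect": dialect, "security_mode": security_mode}


def assess_signing(packet):
    """Classify the advertised signing posture the way a compliance scan would."""
    mode = parse_negotiate_response(packet)["security_mode"]
    if mode & SMB2_NEGOTIATE_SIGNING_REQUIRED:
        return "signing required"
    if mode & SMB2_NEGOTIATE_SIGNING_ENABLED:
        return "signing enabled but not required"
    return "signing disabled"


def smb_conf_requires_signing(conf_text):
    """True if the [global] section sets 'server signing' to mandatory/required.
    testparm in the post prints 'mandatory' back as 'required', so both count
    as the enforcing value; any other value (default, auto, disabled, unset)
    is treated here as not enforced for a standalone server (an assumption)."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, _, val = line.partition("=")
            if key.strip().lower() == "server signing":
                value = val.strip().lower()
    return value in ("mandatory", "required")


if __name__ == "__main__":
    for mode in (SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED,
                 SMB2_NEGOTIATE_SIGNING_ENABLED, 0):
        print(assess_signing(build_negotiate_response(mode)))
```

The useful comparison is between the two functions: if smb_conf_requires_signing() is true for the deployed smb.conf but assess_signing() on a captured NEGOTIATE response from the same host does not return "signing required", the server is not honouring the setting on the wire, which is exactly the situation the scan in the post is flagging.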