KB-6731: Impact of Badlock (CVE-2016-0128/CVE-2016-2118) on Centrify-Enabled Samba

Knowledge Article Type: Problem / Resolution
Product: Centrify-Enabled Samba
Tags: Badlock, CVE-2016-0128, CVE-2016-2118, Samba, mostly man-in-the-middle, denial of service, adbindproxy, CentrifyDC-adbindproxy, CentrifyDC-samba, badlock.org
Bug #: CSSSUP-7416

Knowledge Base Article Details
Applies to:

Centrify-Enabled Samba versions 4.5.9 (based on Samba 3.6.25) and older.

Question:

What is the impact of Badlock (CVE-2016-0128/CVE-2016-2118) on Centrify-Enabled Samba and what are Centrify's plans to address this vulnerability?

Answer:

"Badlock" (CVE-2016-0128 / CVE-2016-2118) refers to vulnerabilities that affect Samba and Microsoft Windows. These vulnerabilities are categorized as "man-in-the-middle" or "denial of service" attacks. Because this vulnerability affects all versions of stock Samba 4.1 and earlier, and the last release of Centrify-enabled Samba is 4.5.9, which is based on stock Samba 3.6.25, Centrify-enabled Samba is affected by this vulnerability.

Samba.org released security updates to fix the Badlock vulnerabilities in three versions of Samba:  4.2.11, 4.3.8, and 4.4.2.  Samba.org does not plan to patch any earlier versions of Samba.
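The two paragraphs above give a concrete rule for deciding whether a given Samba build is affected: 4.1 and earlier are affected and will not be patched upstream, and the 4.2, 4.3 and 4.4 branches are fixed from 4.2.11, 4.3.8 and 4.4.2 respectively. The following script is an added example, not code from Centrify or from the Samba project, that applies that rule to a version string. It assumes `smbd -V` prints a line of the form `Version X.Y.Z`, and it assumes that any branch newer than 4.4 was released after the fix. Note that the article describes Centrify-Enabled Samba 4.5.9 as being based on stock 3.6.25; the page does not say which of the two numbers that build reports, so on a Centrify host check the installed package name (CentrifyDC-samba) as well as the version the binary prints.

```python
import re
import subprocess

# First fixed release in each branch that samba.org patched, as cited in
# the article: 4.2.11, 4.3.8 and 4.4.2. Earlier branches are not patched.
BADLOCK_FIXED_RELEASES = {(4, 2): 11, (4, 3): 8, (4, 4): 2}
OLDEST_PATCHED_BRANCH = (4, 2)


def parse_samba_version(text):
    """Extract (major, minor, patch) from text such as 'Version 4.2.11'.

    The 'Version X.Y.Z' form is what `smbd -V` is assumed to print; any
    text containing a dotted version triple is accepted."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no X.Y.Z version found in {text!r}")
    return tuple(int(part) for part in m.groups())


def badlock_assessment(version):
    """Return (vulnerable, advice) for a (major, minor, patch) triple.

    Rules from the article: 4.1 and earlier are affected and will not be
    patched by samba.org; 4.2/4.3/4.4 are fixed from 4.2.11/4.3.8/4.4.2.
    Branches newer than 4.4 are assumed to carry the fix (assumption)."""
    major, minor, patch = version
    branch = (major, minor)
    if branch in BADLOCK_FIXED_RELEASES:
        first_fixed = BADLOCK_FIXED_RELEASES[branch]
        if patch >= first_fixed:
            return False, f"{major}.{minor}.{patch} includes the Badlock fix"
        return True, (f"upgrade to {major}.{minor}.{first_fixed} or later "
                      f"within the {major}.{minor} branch")
    if branch < OLDEST_PATCHED_BRANCH:
        return True, (f"{major}.{minor} is not patched by samba.org; "
                      "move to stock Samba 4.2.11 or later")
    return False, f"{major}.{minor} post-dates the fixed releases (assumed fixed)"


def installed_samba_version():
    """Query the local smbd binary; returns None if smbd is not available."""
    try:
        out = subprocess.run(["smbd", "-V"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return None
    return parse_samba_version(out)


# Constructed sample outputs in the assumed `smbd -V` format, one per rule.
SAMPLE_OUTPUTS = [
    "Version 3.6.25",   # stock base of Centrify-Enabled Samba 4.5.9: affected
    "Version 4.1.23",   # 4.1 branch: affected, not patched upstream
    "Version 4.2.10",   # 4.2 branch, one release below the fix: affected
    "Version 4.2.11",   # first fixed 4.2 release
    "Version 4.4.2",    # first fixed 4.4 release
]

if __name__ == "__main__":
    for line in SAMPLE_OUTPUTS:
        vulnerable, advice = badlock_assessment(parse_samba_version(line))
        state = "VULNERABLE" if vulnerable else "ok"
        print(f"{line:<16} {state:<11} {advice}")
    local = installed_samba_version()
    if local:
        print("local smbd:", ".".join(map(str, local)), badlock_assessment(local))
```

Run it on a host to get a verdict for the constructed samples and, if `smbd` is on the PATH, for the local binary. The branch table is the part to extend if a later vendor advisory names additional fixed releases.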

Centrify does not plan to patch any of its versions of Samba. Instead, Centrify is extending CentrifyDC-adbindproxy to enable Linux and UNIX computers running Centrify Server Suite to use the stock Samba distribution, without any patches to the Samba code by Centrify.

Centrify believes this is a better, more sustainable approach to enabling its Server Suite customers to use stock Samba 4.2.11 and later distributions.

Centrify Server Suite versions 2013.3 and later will be supported by these updates to CentrifyDC-adbindproxy, which will be distributed on the Centrify web site as a separate package.

Centrify will no longer include a Samba binary with Server Suite, nor distribute any Samba code through Server Suite or any other mechanism.

The reason is that the export of software cryptography from the United States is subject to the U.S. Export Administration Regulations, administered by the Bureau of Industry and Security in the U.S. Department of Commerce. Because of export control requirements related to the cryptographic library used by Samba, Centrify can no longer provide a Samba binary to its customers.

CentrifyDC-adbindproxy for the following UNIX and Linux distributions is available as of May 31, 2016. Operating system version support is as specified for Centrify Server Suite 2013.3 and later.
  • Red Hat Enterprise Linux (x86, x86_64, and PPC)
  • SUSE Linux Enterprise
  • Ubuntu
  • CentOS
  • AIX

The target release dates for support of Solaris and HP-UX have not been determined, but will follow Linux support as rapidly as possible.

Please Note: This KB will be updated as progress on the update to CentrifyDC-adbindproxy is made.

Additional non-Centrify references provided for your information:

Samba

https://www.samba.org
https://www.samba.org/samba/latest_news.html#4.4.2
https://www.samba.org/samba/security/CVE-2016-2118.html
https://wiki.samba.org/index.php/Samba_4.2_Features_added/changed

Microsoft

https://technet.microsoft.com/library/security/MS16-047

RedHat

https://access.redhat.com/security/vulnerabilities/badlock

Badlock

http://badlock.org/
Created By: Jeff Wellman