Applies to: Centrify-Enabled Samba versions 4.5.9 (based on Samba 3.6.25) and older.
Question: What is the impact of Badlock (CVE-2016-0128/CVE-2016-2118) on Centrify-Enabled Samba, and what are Centrify's plans to address this vulnerability?
Answer: "Badlock" (CVE-2016-0128 / CVE-2016-2118) refers to vulnerabilities that affect both Samba and Microsoft Windows. These vulnerabilities are categorized as "man-in-the-middle" or "denial of service" attacks. Because this vulnerability affects all versions of stock Samba 4.1 and earlier, and the last release of Centrify-enabled Samba is 4.5.9, which is based on stock Samba 3.6.25, Centrify-enabled Samba is affected by this vulnerability.
Samba.org released security updates to fix the Badlock vulnerabilities in three versions of Samba: 4.2.11, 4.3.8, and 4.4.2. Samba.org does not plan to patch any earlier versions of Samba.
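The practical question on a Linux or UNIX host is whether the installed stock Samba is one of the fixed releases named above. The following Python script is an added example, not Centrify's or Samba's own code: it parses the "Version X.Y.Z" line that `smbd --version` prints, compares it against the fixed release of its branch (4.2.11, 4.3.8, 4.4.2), and flags the 3.6/4.0/4.1 branches as having no upstream fix. The sample version strings are constructed, and the assumption that branches newer than 4.4 include the fix is labelled in the code.

```python
"""Classify a Samba build against the Badlock fix releases named in this KB."""
import re
import subprocess
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# First release of each stock branch that carries the Badlock fix (from the KB text).
BADLOCK_FIXED: Dict[Tuple[int, int], Version] = {
    (4, 2): (4, 2, 11),
    (4, 3): (4, 3, 8),
    (4, 4): (4, 4, 2),
}

# `smbd --version` prints a line such as "Version 4.2.11"; vendor suffixes may follow.
_VERSION_RE = re.compile(r"\bVersion\s+(\d+)\.(\d+)\.(\d+)")


def parse_smbd_version(output: str) -> Optional[Version]:
    """Extract (major, minor, patch) from `smbd --version` output, or None if absent."""
    m = _VERSION_RE.search(output)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def badlock_status(version: Version) -> str:
    """Return: fixed, vulnerable-upgrade, vulnerable-no-upstream-fix or assumed-fixed."""
    branch = version[:2]
    if branch in BADLOCK_FIXED:
        # Tuple comparison orders (major, minor, patch) numerically.
        return "fixed" if version >= BADLOCK_FIXED[branch] else "vulnerable-upgrade"
    if branch < (4, 2):
        # 3.6.x, 4.0 and 4.1: samba.org does not plan to patch these branches.
        return "vulnerable-no-upstream-fix"
    # Assumption (not stated in the KB): branches newer than 4.4 were released
    # after the fix and therefore include it.
    return "assumed-fixed"


def classify_output(output: str) -> Tuple[Optional[Version], str]:
    """Classify captured `smbd --version` text; unknown when no version line is found."""
    version = parse_smbd_version(output)
    if version is None:
        return None, "unknown"
    return version, badlock_status(version)


def classify_local_smbd() -> Tuple[Optional[Version], str]:
    """Run the real `smbd --version` on this host (requires Samba to be installed)."""
    try:
        proc = subprocess.run(["smbd", "--version"], capture_output=True,
                              text=True, check=False)
    except FileNotFoundError:
        return None, "smbd-not-found"
    return classify_output(proc.stdout)


if __name__ == "__main__":
    # Constructed sample outputs, not captured from real hosts.
    samples = [
        "Version 3.6.25",   # stock base of Centrify-enabled Samba 4.5.9
        "Version 4.1.23",
        "Version 4.2.10",
        "Version 4.2.11",
        "Version 4.4.2",
        "no version line here",
    ]
    for s in samples:
        print(f"{s!r:25} -> {classify_output(s)}")
    print("local smbd:", classify_local_smbd())
```

Running the script on a host prints the classification for the constructed samples and then for the locally installed `smbd`; a "vulnerable-no-upstream-fix" result on a Centrify-enabled build is exactly the case this KB describes, where the remedy is moving to a stock 4.2.11-or-later distribution via the updated CentrifyDC-adbindproxy.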
Centrify does not plan to patch any of its versions of Samba. Instead, Centrify is extending CentrifyDC-adbindproxy to enable Linux and UNIX computers running Centrify Server Suite to use the stock Samba distribution, without any patches to the Samba code by Centrify.
Centrify believes this is a better, more sustainable approach to enabling its Server Suite customers to use stock Samba v4.2.11 and later distributions.
These updates to CentrifyDC-adbindproxy will support Centrify Server Suite versions 2013.3 and later and will be distributed on the Centrify web site as a separate package.
Centrify will no longer include a Samba binary with Server Suite, nor distribute any Samba code through Server Suite or any other mechanism.
The reason for this is that the export of software cryptography from the United States is subject to the U.S. Export Administration Regulations, administered by the Bureau of Industry and Security in the U.S. Department of Commerce. Because of export control requirements related to the cryptographic library used by Samba, Centrify can no longer provide a Samba binary to its customers.
CentrifyDC-adbindproxy for the following Unix distributions is available as of May 31, 2016. Operating system version support is as specified for Centrify Server Suite 2013.3 and later.
- Red Hat Enterprise Linux (x86, x86_64, and PPC)
- SUSE Linux Enterprise
- Ubuntu
- CentOS
- AIX
The target release dates for support of Solaris and HP-UX have not been determined, but will follow Linux support as rapidly as possible.
Please note: this KB will be updated as progress on the update to CentrifyDC-adbindproxy is made.
Additional non-Centrify references, provided for your information:
Samba
https://www.samba.org
https://www.samba.org/samba/latest_news.html#4.4.2
https://www.samba.org/samba/security/CVE-2016-2118.html
https://wiki.samba.org/index.php/Samba_4.2_Features_added/changed
Microsoft
https://technet.microsoft.com/library/security/MS16-047
Red Hat
https://access.redhat.com/security/vulnerabilities/badlock
Badlock
http://badlock.org/