
Samba update patches plaintext password plundering problem
2021-11-12 19:59

That's where someone monitors the SMB1 traffic on your network, and replies to new users on your network to say, "Oh, really sorry, we're very old fashioned here. Please don't send encrypted passwords to log in, use plaintext passwords instead."

Before you blame Samba for having had this bug, stop to think: you shouldn't still be using SMB1 at all, and Samba, like Windows, doesn't enable it by default.

Settings that permit the downgrade to SMB1 and plaintext passwords:

    client NTLMv2 auth = no
    client lanman auth = yes
    client plaintext auth = yes
    client min protocol = NT1   # or lower

Safe settings:

    client NTLMv2 auth = yes
    client lanman auth = no
    client plaintext auth = no
    client min protocol = SMB2_02

Notably, plaintext authentication is suppressed by default, meaning that Samba clients won't generate sniffable network packets containing plaintext passwords in the first place.

For Samba, consider adding an explicit client plaintext auth = no entry to your configuration file to make your intentions clear.
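As an added example (not code from the article or from the Samba project), a small Python check that parses the [global] section of an smb.conf and flags the client-side settings discussed above that would let a Samba client fall back to SMB1 and plaintext passwords. The secure defaults it assumes are taken from Samba's smb.conf documentation, and the sample configuration is constructed for the demonstration.

```python
import re

# Samba's secure defaults for the client-side parameters the article discusses
# (assumed from Samba's smb.conf documentation; confirm on your build with `testparm -v`).
SAFE_DEFAULTS = {"clientntlmv2auth": "yes", "clientlanmanauth": "no",
                 "clientplaintextauth": "no", "clientminprotocol": "SMB2_02"}
# Dialects in ascending order; any minimum below SMB2_02 lets a client negotiate SMB1.
DIALECTS = ["CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1",
            "SMB2_02", "SMB2_10", "SMB3_00", "SMB3_02", "SMB3_11"]

def _norm(name):
    # Samba matches parameter names case-insensitively and ignores embedded spaces.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalised parameter: value} for the [global] section of an smb.conf."""
    section, params = None, {}
    for raw in text.splitlines():
        # '#' and ';' introduce comments; stripping them mid-line is a simplification.
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[_norm(key)] = value.strip()
    return params

def audit(text):
    """Return findings for settings that permit the SMB1/plaintext downgrade."""
    params = parse_global(text)
    findings = []
    for key in ("clientntlmv2auth", "clientlanmanauth", "clientplaintextauth"):
        value = params.get(key, SAFE_DEFAULTS[key]).lower()
        if value != SAFE_DEFAULTS[key]:
            findings.append(f"{key} = {value} (expected {SAFE_DEFAULTS[key]})")
    proto = params.get("clientminprotocol", SAFE_DEFAULTS["clientminprotocol"]).upper()
    if proto not in DIALECTS or DIALECTS.index(proto) < DIALECTS.index("SMB2_02"):
        findings.append(f"clientminprotocol = {proto} allows SMB1 negotiation")
    return findings

# Constructed smb.conf mirroring the weak settings quoted in the article.
WEAK_CONF = """[global]
   Client NTLMv2 auth = no
   client lanman auth = yes
   client plaintext auth = yes
   client min protocol = NT1   # or lower
"""
```

Running `audit(WEAK_CONF)` reports all four weak settings, while a configuration that leaves the parameters unset (or sets `client plaintext auth = no` explicitly, as suggested above) produces no findings.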


News URL

https://nakedsecurity.sophos.com/2021/11/12/samba-update-patches-plaintext-passwork-plundering-problem/
