It was found that samba before 4.4.16, 4.5.x before 4.5.14, and 4.6.x before 4.6.8 did not enforce SMB signing when certain configuration options were enabled. A remote attacker could launch a man-in-the-middle attack and retrieve information in plain-text.
The product does not adequately verify the identity of actors at both ends of a communication channel, or does not adequately ensure the integrity of the channel, in a way that allows the channel to be accessed or influenced by an actor that is not an endpoint.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Samba | Samba | 3.0.25 (including) | 4.4.16 (excluding) |
| Samba | Samba | 4.5.0 (including) | 4.5.14 (excluding) |
| Samba | Samba | 4.6.0 (including) | 4.6.8 (excluding) |
| Red Hat Enterprise Linux 6 | RedHat | samba-0:3.6.23-45.el6_9 | * |
| Red Hat Enterprise Linux 6 | RedHat | samba4-0:4.2.10-11.el6_9 | * |
| Red Hat Enterprise Linux 7 | RedHat | samba-0:4.6.2-11.el7_4 | * |
| Red Hat Gluster Storage 3.3 for RHEL 6 | RedHat | samba-0:4.6.3-6.el6rhs | * |
| Red Hat Gluster Storage 3.3 for RHEL 7 | RedHat | samba-0:4.6.3-6.el7rhgs | * |
| Samba | Ubuntu | artful | * |
| Samba | Ubuntu | devel | * |
| Samba | Ubuntu | trusty | * |
| Samba | Ubuntu | upstream | * |
| Samba | Ubuntu | xenial | * |
| Samba | Ubuntu | zesty | * |