CVE-2016-2124: 
Samba vulnerability analysis and mitigation

CVE-2016-2124 affects Samba versions 3.0.0 to 4.15.1, involving a vulnerability in SMB1 authentication implementation. The vulnerability was discovered and researched by Stefan Metzmacher of SerNet and the Samba Team (Samba Advisory).

The vulnerability allows an attacker to downgrade a negotiated SMB1 client connection and its capabilities. While Kerberos authentication is only possible with SMB2/3 protocol or SMB1 using NT1 dialect with extended security (spnego), the protocol can be downgraded to older insecure dialects like CORE, COREPLUS/CORE+, LANMAN1, or LANMAN2 without mandatory SMB signing. Even with SMB signing required, downgrade to NT1 dialect remains possible if extended security is not negotiated. The vulnerability has a CVSS v3.1 base score of 5.9 (Medium) (NVD).

An attacker can retrieve plaintext passwords sent over the wire even when Kerberos authentication is required. This exposure occurs when specific configuration options are set together: client NTLMv2 auth = no, client lanman auth = yes, client plaintext auth = yes, and client min protocol = NT1 or lower (Samba Advisory).

To mitigate the vulnerability, ensure the following global smb.conf parameters are set to their default values: client lanman auth = no, client NTLMv2 auth = yes, client plaintext auth = no, and client min protocol = SMB2_02. Alternatively, use the '-k' command line option without the -U option to utilize an existing krb5 ccache. Patches addressing this vulnerability are available in Samba versions 4.15.2, 4.14.10, and 4.13.14 (Samba Advisory).