SERVER-SAMBA Samba unsigned connections attempt
This event is generated when signing is not correctly enforced on an SMB connection, which may lead to connection hijacking.
Attempted User Privilege Gain
Specific Samba commands do not enforce signing of the Samba connection even though they are explicitly required to use it. This lack of enforcement could lead to hijacking of the connections, since they are not encrypted and the information could be intentionally modified in a man-in-the-middle attack.
- Samba server versions 3.0.25 to 4.6.7
Ease of attack
The vendor states that signing can be enforced by explicitly using '--signing=required' on the command line or "client signing = required" in smb.conf. It is also suggested to upgrade Samba to version 4.6.8, 4.5.14 or 4.4.16.
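One way to audit a host against the corrective action above, as an added example that is not part of the original rule documentation or of Samba's own tooling. The function names and sample configurations are constructed for illustration, and treating "mandatory" as equivalent to "required" is an assumption based on smb.conf(5).

```python
import re

# Fixed releases per maintained branch, as listed in the corrective action above.
FIXED = {(4, 6): 8, (4, 5): 14, (4, 4): 16}

def version_status(version):
    """Classify a Samba version against the affected range 3.0.25 to 4.6.7."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    major, minor, patch = (int(x) for x in m.groups())
    if (major, minor, patch) < (3, 0, 25) or (major, minor) > (4, 6):
        return "outside affected range"
    fixed = FIXED.get((major, minor))
    if fixed is not None and patch >= fixed:
        return "fixed"
    return "affected"  # in range, and no fixed release listed or not yet applied

def client_signing(conf_text):
    """Return the [global] 'client signing' value from smb.conf text, or None."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "global" and "=" in line:
            name, val = line.split("=", 1)
            # smb.conf ignores case and whitespace in parameter names.
            if re.sub(r"\s+", "", name).lower() == "clientsigning":
                value = val.strip().lower()  # assumption: a later setting overrides
    return value

def signing_enforced(conf_text):
    # Assumption: "mandatory" is the smb.conf(5) synonym for "required".
    return client_signing(conf_text) in {"required", "mandatory"}

# Constructed sample configurations (not taken from any real host).
WEAK = "[global]\n   workgroup = EXAMPLE\n   ; client signing = required\n"
HARDENED = "[global]\n   workgroup = EXAMPLE\n   Client  Signing = Required\n"

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, "signing enforced:", signing_enforced(conf))
    for v in ("4.6.7", "4.6.8", "4.5.14", "4.3.11"):
        print(v, version_status(v))
```

The weak sample shows a common audit miss: the setting is present in the file but commented out, so signing is not enforced.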
- Cisco's Talos Intelligence Group