
Sid 1-45074

Message

SERVER-SAMBA Samba unsigned connections attempt

Summary

This event is generated when an SMB connection that should be signed is established without signing being enforced, which may lead to connection hijacking.

Impact

Attempted User Privilege Gain

Detailed information

Specific Samba commands do not enforce signing of the Samba connection even when they explicitly require it. This lack of enforcement could lead to hijacking of the connections, since they are not encrypted and the information could be intentionally modified in a man-in-the-middle attack.

Affected systems

  • Samba servers versions 3.0.25 to 4.6.7

Ease of attack

Hard

False positives

N/A

False negatives

N/A

Corrective action

The vendor states that signing can be enforced by explicitly using '--signing=required' on the command line or "client signing = required" in smb.conf. Upgrading Samba to version 4.6.8, 4.5.14 or 4.4.16 is also suggested.
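An added example (not from the vendor advisory or from this rule's documentation): a small Python audit that reports whether an smb.conf text enforces the "client signing = required" setting named above. The function names and both sample configurations are constructed for illustration; "include" files are not followed, and it is assumed that the last occurrence in [global] wins.

```python
import re

# "required" is the value given in the corrective action; "mandatory" is the
# spelling used in the smb.conf man page (assumed equivalent here).
ENFORCING = {"required", "mandatory"}

def _norm(name):
    # smb.conf ignores case and whitespace in section and parameter names.
    return re.sub(r"\s+", "", name).lower()

def client_signing(conf_text):
    """Return the effective [global] 'client signing' value, or None if unset."""
    section, value = None, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        if section == "global" and "=" in line:
            key, _, val = line.partition("=")  # only the first '=' matters
            if _norm(key) == "clientsigning":
                value = val.strip().lower()    # assumption: last one wins
    return value

def signing_enforced(conf_text):
    """True only when client-side SMB signing is explicitly enforced."""
    return client_signing(conf_text) in ENFORCING

# Constructed sample: the enforcing line is commented out, and the copy under
# [share] is ignored because it is not in [global].
WEAK = """[global]
   workgroup = EXAMPLE
   ; client signing = required
   client signing = auto
[share]
   path = /srv/share
   client signing = required
"""

# Constructed sample: odd case and spacing, still enforcing.
HARDENED = """[ Global ]
   workgroup = EXAMPLE
   Client  Signing = Required
"""

if __name__ == "__main__":
    for name, text in (("WEAK", WEAK), ("HARDENED", HARDENED)):
        print(name, client_signing(text), signing_enforced(text))
```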

Contributors

  • Cisco's Talos Intelligence Group

Additional References

  • samba.org/samba/security/CVE-2017-12150.html