SMB Signing Not Required (CVE-2016-2115)
**Disclaimer**: Please note that the following actions involve making changes to your system. We provide this information for guidance purposes only. We are not responsible for any damage or loss that may occur as a result of implementing these steps. It is recommended to proceed with caution and have a valid backup of your server before making any modifications.
Vulnerability Details
The remote SMB server is configured without the requirement for message signing. Because signing is not mandatory, an unauthenticated, remote attacker can exploit this weakness to mount man-in-the-middle attacks against communication with the SMB server, potentially intercepting or manipulating data transmitted between the server and its clients.
Severity Rating
Medium
How to Verify if a Device is Vulnerable
Use Nessus plugin ID 57608 to scan the device for this vulnerability.
How to Fix
Ensure that message signing is enabled in the host’s settings. For Windows systems, this option is typically located in the policy setting labeled ‘Microsoft network server: Digitally sign communications (always)’.
Guide
If you’re a system administrator, log into the Windows Server with administrative privileges. At the Run prompt, enter ‘gpedit.msc’ to access the Local Group Policy Editor.
Navigate to: Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options.
Here, locate ‘Microsoft network server: Digitally sign communications (always)’. This setting is typically disabled by default. Double-click it and set its status to Enabled.
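The same change can be applied and verified from an elevated PowerShell prompt instead of gpedit.msc. The script below is an added example and is not part of the original guide; it assumes Windows Server 2012 or later, where the SmbShare module's Get-SmbServerConfiguration and Set-SmbServerConfiguration cmdlets exist. The policy setting named above is backed by the LanmanServer registry value that the script also reads, so both views should agree after the change.

```powershell
# Added example (not part of the original guide): require SMB server signing
# and verify the result. Assumes an elevated prompt on Windows Server 2012+.
# The policy 'Microsoft network server: Digitally sign communications (always)'
# is stored as the DWORD value below; 1 = required, 0 or absent = not required.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ValueName = 'RequireSecuritySignature'

function Get-SmbServerSigningState {
    $cfg = Get-SmbServerConfiguration
    $reg = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        EnableSecuritySignature  = $cfg.EnableSecuritySignature
        RequireSecuritySignature = $cfg.RequireSecuritySignature
        # $null here means the value is not set, which the server treats as "not required"
        RegistryValue            = if ($reg) { $reg.$ValueName } else { $null }
    }
}

Write-Host 'Before:'
Get-SmbServerSigningState | Format-List

# Remediation: require signing on the server (-Force suppresses the confirmation prompt).
Set-SmbServerConfiguration -RequireSecuritySignature $true -Force

# Rollback, equivalent to setting the policy to Disabled, if ever needed:
# Set-SmbServerConfiguration -RequireSecuritySignature $false -Force

Write-Host 'After:'
$state = Get-SmbServerSigningState
$state | Format-List

if (-not $state.RequireSecuritySignature) {
    # A domain GPO can override the local setting; gpresult shows which policy won.
    Write-Warning 'SMB signing is still not required; check for an overriding domain GPO (gpresult /h report.html).'
}
```

If the host is domain-joined, a Group Policy Object that sets this option to Disabled will reapply on the next policy refresh and undo the local change, so the warning branch above is worth reading rather than ignoring; in that case the fix belongs in the GPO rather than in Local Group Policy.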
Rollback
Open the same policy setting, select Disabled, and click Apply.
How to Verify the Fix
- Rescan the device with Nessus plugin ID 57608 and check for the vulnerability.
Preventative Measures
Configure your SMB servers and clients to enable and require SMB signing. This ensures data integrity and authenticity, reducing the risk of man-in-the-middle attacks.
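To see which machines still need attention without waiting for the next Nessus scan, the audit script below collects the server-side (LanmanServer) and client-side (LanmanWorkstation) signing requirement from a list of hosts. It is an added example, not part of the original guide, and assumes PowerShell remoting (WinRM) is enabled on the targets and that the caller holds administrative rights there; the host names are constructed placeholders.

```powershell
# Added example (not part of the original guide): audit SMB signing requirements
# on both the server and client side across several hosts over PowerShell remoting.
# Assumes WinRM is enabled on the targets and the caller is an administrator there.
# Host names below are constructed placeholders.
$Hosts = @('FILESRV01.example.local', 'APP02.example.local', 'WS-ACCT07.example.local')

$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$ClientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'

$Results = Invoke-Command -ComputerName $Hosts -ErrorAction Continue -ScriptBlock {
    param($ServerKey, $ClientKey)

    function Read-Requirement($Path) {
        $v = (Get-ItemProperty -Path $Path -Name RequireSecuritySignature -ErrorAction SilentlyContinue).RequireSecuritySignature
        # A missing value behaves like 0: signing is negotiated but not required.
        return ($v -eq 1)
    }

    [pscustomobject]@{
        Host           = $env:COMPUTERNAME
        ServerRequires = Read-Requirement $ServerKey   # 'Microsoft network server: ... (always)'
        ClientRequires = Read-Requirement $ClientKey   # 'Microsoft network client: ... (always)'
    }
} -ArgumentList $ServerKey, $ClientKey

$Results | Sort-Object Host | Format-Table Host, ServerRequires, ClientRequires -AutoSize

# Any host where either side does not require signing is still exposed to the finding.
$NonCompliant = $Results | Where-Object { -not ($_.ServerRequires -and $_.ClientRequires) }
if ($NonCompliant) {
    Write-Warning ('Hosts not requiring SMB signing: ' + ($NonCompliant.Host -join ', '))
}
```

Hosts that are unreachable over WinRM surface as errors rather than rows, so an empty row for a host in the list should be treated as "unknown", not as compliant.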