Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 17 Sep 2020 10:43:53 +1200
From: Douglas Bagnall <douglas.bagnall@...alyst.net.nz>
To: oss-security@...ts.openwall.com
Subject: Samba and CVE-2020-1472 ("Zerologon")

In August, Microsoft patched CVE-2020-1472, which gives administrator
access to an unauthenticated user on a Domain Controller.  Microsoft gave
it a CVSS score of 10.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1472#ID0EUGAC

The Samba security team was not contacted before the announcement, which
is very sparse on detail, and was unable to learn much through an
established (and generally quite useful) channel for discussing Microsoft
protocols:

https://lists.samba.org/archive/cifs-protocol/2020-August/003520.html
https://lists.samba.org/archive/cifs-protocol/2020-August/003521.html	

On September 14, Secura, who found the vulnerability, released a blog
post, a whitepaper, and an exploit:

https://www.secura.com/blog/zero-logon

The bug is in the Netlogon *protocol*, not an implementation flaw, so any
implementation that correctly follows the protocol will be vulnerable.
Samba is vulnerable.

HOWEVER, since Samba 4.8 (2018-03), by default Samba will insist on a
secure netlogon channel

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSCHANNEL

The default of "server schannel = yes" gives the same protection as
Microsoft's "FullSecureChannelProtection=1" registry key (which is the
CVE-2020-1472 fix). I believe this mitigation was introduced in light of
an increased awareness of protocol level bugs following BadLock, and
particular credit should go to Stefan Metzmacher for [sort of] fixing this
bug two years before its discovery.

That is not the end of the story, though. Many distros have very old
versions of Samba, and many people set "server schannel = auto", because
who doesn't like auto, or because a third party thing requires it.

Patches allowing more fine-grained schannel policy for these third-party
cases are being worked on right now.


Distros: use supported versions of Samba!

People stuck with old versions of a Samba Domain Controller: set "server
schannel = yes" in your smb.conf, now. For you, this is a low effort
potentially catastrophic 0-day.

Follow https://bugzilla.samba.org/show_bug.cgi?id=14497

regards,
Douglas Bagnall

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.