Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list]
Date: Thu, 17 Sep 2020 10:43:53 +1200
From: Douglas Bagnall <>
Subject: Samba and CVE-2020-1472 ("Zerologon")

In August, Microsoft patched CVE-2020-1472, which gives administrator
access to an unauthenticated user on a Domain Controller.  Microsoft gave
it a CVSS score of 10.

The Samba security team was not contacted before the announcement, which
is very sparse on detail, and was unable to learn much through an
established (and generally quite useful) channel for discussing Microsoft

On September 14, Secura, who found the vulnerability, released a blog
post, a whitepaper, and an exploit:

The bug is in the Netlogon *protocol*, not an implementation flaw, so any
implementation that correctly follows the protocol will be vulnerable.
Samba is vulnerable.

HOWEVER, since Samba 4.8 (2018-03), by default Samba will insist on a
secure netlogon channel

The default of "server schannel = yes" gives the same protection as
Microsoft's "FullSecureChannelProtection=1" registry key (which is the
CVE-2020-1472 fix). I believe this mitigation was introduced in light of
an increased awareness of protocol level bugs following BadLock, and
particular credit should go to Stefan Metzmacher for [sort of] fixing this
bug two years before its discovery.

That is not the end of the story, though. Many distros have very old
versions of Samba, and many people set "server schannel = auto", because
who doesn't like auto, or because a third party thing requires it.

Patches allowing more fine-grained schannel policy for these third-party
cases are being worked on right now.

Distros: use supported versions of Samba!

People stuck with old versions of a Samba Domain Controller: set "server
schannel = yes" in your smb.conf, now. For you, this is a low effort
potentially catastrophic 0-day.


Douglas Bagnall

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.