Date: Thu, 17 Sep 2020 10:43:53 +1200 From: Douglas Bagnall <douglas.bagnall@...alyst.net.nz> To: oss-security@...ts.openwall.com Subject: Samba and CVE-2020-1472 ("Zerologon") In August, Microsoft patched CVE-2020-1472, which gives administrator access to an unauthenticated user on a Domain Controller. Microsoft gave it a CVSS score of 10. https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1472#ID0EUGAC The Samba security team was not contacted before the announcement, which is very sparse on detail, and was unable to learn much through an established (and generally quite useful) channel for discussing Microsoft protocols: https://lists.samba.org/archive/cifs-protocol/2020-August/003520.html https://lists.samba.org/archive/cifs-protocol/2020-August/003521.html On September 14, Secura, who found the vulnerability, released a blog post, a whitepaper, and an exploit: https://www.secura.com/blog/zero-logon The bug is in the Netlogon *protocol*, not an implementation flaw, so any implementation that correctly follows the protocol will be vulnerable. Samba is vulnerable. HOWEVER, since Samba 4.8 (2018-03), by default Samba will insist on a secure netlogon channel https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSCHANNEL The default of "server schannel = yes" gives the same protection as Microsoft's "FullSecureChannelProtection=1" registry key (which is the CVE-2020-1472 fix). I believe this mitigation was introduced in light of an increased awareness of protocol level bugs following BadLock, and particular credit should go to Stefan Metzmacher for [sort of] fixing this bug two years before its discovery. That is not the end of the story, though. Many distros have very old versions of Samba, and many people set "server schannel = auto", because who doesn't like auto, or because a third party thing requires it. Patches allowing more fine-grained schannel policy for these third-party cases are being worked on right now. Distros: use supported versions of Samba! People stuck with old versions of a Samba Domain Controller: set "server schannel = yes" in your smb.conf, now. For you, this is a low effort potentially catastrophic 0-day. Follow https://bugzilla.samba.org/show_bug.cgi?id=14497 regards, Douglas Bagnall
Powered by blists - more mailing lists
Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.
Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.