Samba and CVE-2020-1472 ("Zerologon")

oss-sec mailing list archives

From: Douglas Bagnall <douglas.bagnall () catalyst net nz>

Date: Thu, 17 Sep 2020 10:43:53 +1200

In August, Microsoft patched CVE-2020-1472, which gives administrator
access to an unauthenticated user on a Domain Controller.  Microsoft gave
it a CVSS score of 10.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/CVE-2020-1472#ID0EUGAC

The Samba security team was not contacted before the announcement, which
is very sparse on detail, and was unable to learn much through an
established (and generally quite useful) channel for discussing Microsoft
protocols:

https://lists.samba.org/archive/cifs-protocol/2020-August/003520.html
https://lists.samba.org/archive/cifs-protocol/2020-August/003521.html

On September 14, Secura, who found the vulnerability, released a blog
post, a whitepaper, and an exploit:

https://www.secura.com/blog/zero-logon

The bug is in the Netlogon *protocol*, not an implementation flaw, so any
implementation that correctly follows the protocol will be vulnerable.
Samba is vulnerable.

HOWEVER, since Samba 4.8 (2018-03), by default Samba will insist on a
secure netlogon channel:

https://www.samba.org/samba/docs/current/man-html/smb.conf.5.html#SERVERSCHANNEL

The default of "server schannel = yes" gives the same protection as
Microsoft's "FullSecureChannelProtection=1" registry key (which is the
CVE-2020-1472 fix). I believe this mitigation was introduced in light of
an increased awareness of protocol level bugs following BadLock, and
particular credit should go to Stefan Metzmacher for [sort of] fixing this
bug two years before its discovery.

That is not the end of the story, though. Many distros have very old
versions of Samba, and many people set "server schannel = auto", because
who doesn't like auto, or because a third party thing requires it.

Patches allowing more fine-grained schannel policy for these third-party
cases are being worked on right now.

Distros: use supported versions of Samba!

People stuck with old versions of a Samba Domain Controller: set "server
schannel = yes" in your smb.conf, now. For you, this is a low effort
potentially catastrophic 0-day.

Follow https://bugzilla.samba.org/show_bug.cgi?id=14497

regards,
Douglas Bagnall
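The post's mitigation is a single smb.conf parameter: "server schannel = yes" enforces a signed and sealed netlogon channel, while "auto" (or "no") leaves a Domain Controller exposed. The script below is an added example, not code from the post or from the Samba project: it parses the [global] section of an smb.conf, normalises the boolean spellings Samba accepts (yes/true/1, no/false/0) plus "auto", and reports the effective policy. It goes slightly beyond the text by also handling the case where the parameter is absent, using "yes" as the default on Samba 4.8 and later (as the post states) and assuming "auto" for older versions. The three configurations are constructed samples, not taken from any real host.

```python
"""Audit the 'server schannel' setting of a Samba DC's smb.conf.

Added example for the oss-sec post on CVE-2020-1472; not Samba's own tooling.
"""
import re

# Spellings Samba accepts for boolean parameters; "auto" is a third state.
_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def parse_smb_conf(text):
    """Minimal smb.conf parser returning {section: {parameter: value}}.

    Parameter names are lower-cased with internal whitespace collapsed, so
    'Server  Schannel' and 'server schannel' map to the same key, matching
    how Samba treats parameter names.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip()
    return sections


def schannel_policy(text, samba_version=(4, 8)):
    """Return 'enforced', 'auto' or 'disabled' for the effective policy.

    When the parameter is absent the default applies: 'yes' from Samba 4.8
    (per the post); 'auto' before that is an assumption, so check the
    smb.conf(5) page shipped with your version.
    """
    conf = parse_smb_conf(text)
    value = conf.get("global", {}).get("server schannel")
    if value is None:
        value = "yes" if samba_version >= (4, 8) else "auto"
    v = value.lower()
    if v in _TRUE:
        return "enforced"
    if v in _FALSE:
        return "disabled"
    if v == "auto":
        return "auto"
    raise ValueError(f"unrecognised 'server schannel' value: {value!r}")


def is_vulnerable(text, samba_version=(4, 8)):
    """A DC stays exposed to CVE-2020-1472 unless schannel is enforced."""
    return schannel_policy(text, samba_version) != "enforced"


# Constructed sample configurations (hypothetical realm, not a real host).
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    # 'auto' lets a client negotiate an unprotected netlogon channel
    server schannel = auto
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
    server schannel = yes
"""

# Parameter omitted: the version's default decides.
IMPLICIT_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    server role = active directory domain controller
"""

if __name__ == "__main__":
    samples = [("weak", WEAK_CONF), ("hardened", HARDENED_CONF),
               ("implicit", IMPLICIT_CONF)]
    for name, conf in samples:
        for ver in [(4, 7), (4, 8)]:
            state = "VULNERABLE" if is_vulnerable(conf, ver) else "protected"
            print(f"{name:9s} on Samba {ver[0]}.{ver[1]}: "
                  f"{schannel_policy(conf, ver)} -> {state}")
```

On a live host the authoritative check is Samba's own testparm, which reports the effective value including defaults: `testparm -s --parameter-name="server schannel"`. The parser above is useful when auditing configuration files collected from many hosts without running Samba.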
