[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Fri Sep 18 12:10:18 UTC 2020


The branch, master has been updated
       via  bfb8593 Samba 4.12.7, 4.11.13 and 4.10.18 Security Releases.
       via  7005929 NEWS[4.12.7]: Samba 4.12.7 Available for Download
       via  b43f523 bla
      from  bdd53f1 NEWS[4.13.0rc5]: Samba 4.13.0rc5 Available for Download

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit bfb8593fd26fd5a611aeb5bcc9292f78190ecc37
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Sep 18 14:05:18 2020 +0200

    Samba 4.12.7, 4.11.13 and 4.10.18 Security Releases.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit 700592980f58dc20461d4b5d7e2f743905861361
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Sep 18 13:31:18 2020 +0200

    NEWS[4.12.7]: Samba 4.12.7 Available for Download
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

commit b43f523e7bdb74f9f37172705c8ab17627e4aef3
Author: Karolin Seeger <kseeger at samba.org>
Date:   Fri Sep 18 13:54:00 2020 +0200

    bla
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 history/header_history.html                      |   3 +
 history/samba-4.12.7.html                        | 102 ++++++++++++
 history/security.html                            |  19 +++
 posted_news/20200918-115405.4.12.7.body.html     |  36 ++++
 posted_news/20200918-115405.4.12.7.headline.html |   4 +
 security/CVE-2020-1472.html                      | 200 +++++++++++++++++++++++
 6 files changed, 364 insertions(+)
 create mode 100644 history/samba-4.12.7.html
 create mode 100644 posted_news/20200918-115405.4.12.7.body.html
 create mode 100644 posted_news/20200918-115405.4.12.7.headline.html
 create mode 100644 security/CVE-2020-1472.html


Changeset truncated at 500 lines:

diff --git a/history/header_history.html b/history/header_history.html
index 9aac8ce..ace0b76 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,6 +9,7 @@
 		<li><a href="/samba/history/">Release Notes</a>
 		<li class="navSub">
 			<ul>
+			<li><a href="samba-4.12.7.html">samba-4.12.7</a></li>
 			<li><a href="samba-4.12.6.html">samba-4.12.6</a></li>
 			<li><a href="samba-4.12.5.html">samba-4.12.5</a></li>
 			<li><a href="samba-4.12.4.html">samba-4.12.4</a></li>
@@ -16,6 +17,7 @@
 			<li><a href="samba-4.12.2.html">samba-4.12.2</a></li>
 			<li><a href="samba-4.12.1.html">samba-4.12.1</a></li>
 			<li><a href="samba-4.12.0.html">samba-4.12.0</a></li>
+			<li><a href="samba-4.11.13.html">samba-4.11.13</a></li>
 			<li><a href="samba-4.11.12.html">samba-4.11.12</a></li>
 			<li><a href="samba-4.11.11.html">samba-4.11.11</a></li>
 			<li><a href="samba-4.11.10.html">samba-4.11.10</a></li>
@@ -29,6 +31,7 @@
 			<li><a href="samba-4.11.2.html">samba-4.11.2</a></li>
 			<li><a href="samba-4.11.1.html">samba-4.11.1</a></li>
 			<li><a href="samba-4.11.0.html">samba-4.11.0</a></li>
+			<li><a href="samba-4.10.18.html">samba-4.10.18</a></li>
 			<li><a href="samba-4.10.17.html">samba-4.10.17</a></li>
 			<li><a href="samba-4.10.16.html">samba-4.10.16</a></li>
 			<li><a href="samba-4.10.15.html">samba-4.10.15</a></li>
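
Review bot: the new navigation entries for samba-4.11.13.html (previous hunk) and samba-4.10.18.html (this hunk) point at pages this push does not create. The summary of changes lists history/samba-4.12.7.html as the only new file under history/. Add the 4.11.13 and 4.10.18 release-notes pages in the same push, or hold these two links until the pages exist, so the security-release navigation has no dead links.
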
diff --git a/history/samba-4.12.7.html b/history/samba-4.12.7.html
new file mode 100644
index 0000000..e9d7bd0
--- /dev/null
+++ b/history/samba-4.12.7.html
@@ -0,0 +1,102 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.12.7 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.12.7 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.12.7.tar.gz">Samba 4.12.7 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.12.7.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.12.6-4.12.7.diffs.gz">Patch (gzipped) against Samba 4.12.6</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.12.6-4.12.7.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+                   ==============================
+                   Release Notes for Samba 4.12.7
+                         September 18, 2020
+                   ==============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").
+
+The following applies to Samba used as domain controller only (most
+seriously the Active Directory DC, but also the classic/NT4-style DC).
+
+Installations running Samba as a file server only are not directly
+affected by this flaw, though they may need configuration changes to
+continue to talk to domain controllers (see "file servers and domain
+members" below).
+
+The netlogon protocol contains a flaw that allows an authentication
+bypass. This was reported and patched by Microsoft as CVE-2020-1472.
+Since the bug is a protocol level flaw, and Samba implements the
+protocol, Samba is also vulnerable.
+
+However, since version 4.8 (released in March 2018), the default
+behaviour of Samba has been to insist on a secure netlogon channel,
+which is a sufficient fix against the known exploits. This default is
+equivalent to having 'server schannel = yes' in the smb.conf.
+
+Therefore versions 4.8 and above are not vulnerable unless they have
+the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
+
+Samba versions 4.7 and below are vulnerable unless they have 'server
+schannel = yes' in the smb.conf.
+
+Note each domain controller needs the correct settings in its smb.conf.
+
+Vendors supporting Samba 4.7 and below are advised to patch their
+installations and packages to add this line to the [global] section if
+their smb.conf file.
+
+The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
+'FullSecureChannelProtection=1' registry key, the introduction of
+which we understand forms the core of Microsoft's fix.
+
+Some domains employ third-party software that will not work with a
+'server schannel = yes'. For these cases patches are available that
+allow specific machines to use insecure netlogon. For example, the
+following smb.conf:
+
+   server schannel = yes
+   server require schannel:triceratops$ = no
+   server require schannel:greywacke$ = no
+
+will allow only "triceratops$" and "greywacke$" to avoid schannel.
+
+More details can be found here:
+https://www.samba.org/samba/security/CVE-2020-1472.html
+
+
+Changes since 4.12.6
+--------------------
+
+o  Jeremy Allison <jra at samba.org>
+   * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
+     netr_ServerPasswordSet2 against unencrypted passwords.
+
+o  Günther Deschner <gd at samba.org>
+   * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
+     "server require schannel:WORKSTATION$ = no" about unsecure configurations.
+
+o  Gary Lockyer <gary at catalyst.net.nz>
+   * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
+     client challenge.
+
+o  Stefan Metzmacher <metze at samba.org>
+   * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
+     challenges in netlogon_creds_server_init()
+     "server require schannel:WORKSTATION$ = no".
+
+
+</pre>
+</p>
+</body>
+</html>
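
Review bot: the text says see "file servers and domain members" below, but these release notes have no such section; it exists only in security/CVE-2020-1472.html, so point the reference at the advisory URL already given under "More details can be found here". In the same block, "[global] section if their smb.conf file" should read "of their smb.conf file". The Stefan Metzmacher changelog entry ends with a stray line, "server require schannel:WORKSTATION$ = no"., that looks carried over from the Günther Deschner entry. The pre element is also nested inside a p element, which the XHTML 1.0 Transitional doctype declared at the top does not allow; drop the wrapping p.
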
diff --git a/history/security.html b/history/security.html
index 3a1e672..92ac61e 100755
--- a/history/security.html
+++ b/history/security.html
@@ -26,6 +26,25 @@ link to full release notes for each release.</p>
 	<td><em>Details</em></td>
       </tr>
 
+    <tr>
+	<td>18 Sep 2020</td>
+	<td><a href="/samba/ftp/patches/security/samba-4.12.6-security-2020-09-18.patch">
+	patch for Samba 4.12.6</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.11.12-security-2020-09-18.patch">
+	patch for Samba 4.11.12</a><br />
+	<a href="/samba/ftp/patches/security/samba-4.10.17-security-2020-09-18.patch">
+	patch for Samba 4.10.17</a><br />
+	</td>
+	<td>CVE-2020-1472.
+	    Please see announcements for details.
+	</td>
+	<td>Please refer to the advisory.</td>
+	<td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-1472">CVE-2020-1472</a>.
+	</td>
+	<td><a href="/samba/security/CVE-2020-1472.html">Announcement</a>,
+	</td>
+    </tr>
+
     <tr>
 	<td>02 Jul 2020</td>
 	<td><a href="/samba/ftp/patches/security/samba-4.12.3-security-2020-07-02.patch">
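
Review bot: the last cell of the new row ends with a dangling comma after its only link ("Announcement</a>,"), which reads as if a second link was dropped. Remove the comma, or add the missing entry if one was intended. The patch list in the second cell likewise ends with a trailing "<br />" directly before "</td>", which can be removed.
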
diff --git a/posted_news/20200918-115405.4.12.7.body.html b/posted_news/20200918-115405.4.12.7.body.html
new file mode 100644
index 0000000..d5a58d0
--- /dev/null
+++ b/posted_news/20200918-115405.4.12.7.body.html
@@ -0,0 +1,36 @@
+<!-- BEGIN: posted_news/20200918-115405.4.12.7.body.html -->
+<h5><a name="4.12.7">18 September 2020</a></h5>
+<p class=headline>Samba 4.12.7, 4.11.13 and 4.10.18 Security Releases Available</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2020-1472.html">CVE-2020-1472</a>
+(Unauthenticated domain takeover via netlogon ("ZeroLogon")).
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).
+The source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.12.7.tar.gz">downloaded
+now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.12.6-4.12.7.diffs.gz">patch
+against Samba 4.12.6</a> is also available.</br>
+See <a href="https://www.samba.org/samba/history/samba-4.12.7.html">the 4.12.7
+release notes </a> for more info.</br>
+The source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.11.13.tar.gz">downloaded
+now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.11.12-4.11.13.diffs.gz">patch
+against Samba 4.11.13</a> is also available.</br>
+See <a href="https://www.samba.org/samba/history/samba-4.11.13.html">the 4.11.13
+release notes</a> for more info.</br>
+The source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.10.18.tar.gz">downloaded
+now</a>.</br>
+A <a
+href="https://download.samba.org/pub/samba/patches/samba-4.10.17-4.10.18.diffs.gz">patch
+against Samba 4.10.17</a> is also available.</br>
+See <a href="https://www.samba.org/samba/history/samba-4.10.18.html">the release
+4.10.18 release notes</a> for more info.</br>
+</p>
+<!-- END: posted_news/20200918-115405.4.12.7.body.html -->
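
Review bot: the link to samba-4.11.12-4.11.13.diffs.gz is labelled "patch against Samba 4.11.13", but the diff applies to 4.11.12, as the file name and the parallel 4.12.6 and 4.10.17 entries show; an administrator following the text would pick the wrong base version. The line breaks are written as "</br>", which is not a valid element; use "<br />". The last entry reads "the release 4.10.18 release notes", with "release" duplicated. Since "The source code can be downloaded now" appears three times without naming a version, put the version number in each sentence so the three download links can be told apart.
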
diff --git a/posted_news/20200918-115405.4.12.7.headline.html b/posted_news/20200918-115405.4.12.7.headline.html
new file mode 100644
index 0000000..0a3bef7
--- /dev/null
+++ b/posted_news/20200918-115405.4.12.7.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20200918-115405.4.12.7.headline.html -->
+<li> 18 September 2020 <a href="#4.12.7">Samba 4.12.7, 4.11.13 and 4.10.18
+Security Releases Available</a></li>
+<!-- END: posted_news/20200918-115405.4.12.7.headline.html -->
diff --git a/security/CVE-2020-1472.html b/security/CVE-2020-1472.html
new file mode 100644
index 0000000..bbe3ca4
--- /dev/null
+++ b/security/CVE-2020-1472.html
@@ -0,0 +1,200 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2020-1472.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Unauthenticated domain takeover via netlogon ("ZeroLogon")
+==              
+==
+== CVE ID#:     CVE-2020-1472
+==
+== Versions:    Samba 4.0 and later
+==
+== Summary:     An unauthenticated attacker on the network can gain
+==              administrator access by exploiting a netlogon
+==              protocol flaw.
+===========================================================
+
+===========
+Description
+===========
+
+The following applies to Samba used as domain controller only (most
+seriously the Active Directory DC, but also the classic/NT4-style DC).
+
+Installations running Samba as a file server only are not directly
+affected by this flaw, though they may need configuration changes to
+continue to talk to domain controllers (see "file servers and domain
+members" below).
+
+The netlogon protocol contains a flaw that allows an authentication
+bypass. This was reported and patched by Microsoft as CVE-2020-1472.
+Since the bug is a protocol level flaw, and Samba implements the
+protocol, Samba is also vulnerable.
+
+However, since version 4.8 (released in March 2018), the default
+behaviour of Samba has been to insist on a secure netlogon channel,
+which is a sufficient fix against the known exploits. This default is
+equivalent to having 'server schannel = yes' in the smb.conf.
+
+Therefore versions 4.8 and above are not vulnerable unless they have
+the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
+
+Samba versions 4.7 and below are vulnerable unless they have 'server
+schannel = yes' in the smb.conf.
+
+Note each domain controller needs the correct settings in its smb.conf.
+
+Vendors supporting Samba 4.7 and below are advised to patch their
+installations and packages to add this line to the [global] section if
+their smb.conf file.
+
+The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
+'FullSecureChannelProtection=1' registry key, the introduction of
+which we understand forms the core of Microsoft's fix.
+
+Consequences
+============
+
+The exploitation of this issue is by changing the a server password.
+In an AD domain changing a DC password allows full password database
+disclosure including the krbtgt password, unsalted MD4 password hash
+(the 'NT Hash') for each user, and the LM password hash if stored.
+(Via DRS replication).
+
+The krbtgt password allows the attacker to issue a 'golden ticket' to
+themselves and return to take over the domain at any point in the
+future.
+
+Other consequences includes disclosure of session keys, as well as
+general denial of service to the trust account selected.
+
+Samba NT4-like / classic domains
+================================
+
+In NT4-like domains Samba does not provide a replication service (this
+is done at lower layers, like OpenLDAP), but changing machine account
+passwords can allow the attacker limited rights, similar to any other
+member server or trusted domain. This includes disclosure of session
+keys and inter-domain trust passwords (only), as well as general
+denial of service to the domain member selected.
+
+Therefore while still real, the risk is lower in these domains than
+for the AD DC.
+
+File servers and domain members
+===============================
+
+File servers and domain members do not run the NETLOGON service in
+supported Samba versions and only need to ensure that they have not
+set 'client schannel = no' for continued operation against secured DCs
+such as Samba 4.8 and later and Windows DCs in 2021. Users running
+Samba as a file server should still patch to ensure the server-side
+mitigations (banning certain un-random values) do not very rarely
+impact service.
+
+Allow listed exceptions
+=======================
+
+Some domains employ third-party software that will not work with a
+'server schannel = yes'. For these cases patches are available that
+allow specific machines to use insecure netlogon. For example, the
+following smb.conf:
+
+   server schannel = yes
+   server require schannel:triceratops$ = no
+   server require schannel:greywacke$ = no
+
+will allow only "triceratops$" and "greywacke$" to avoid schannel.
+
+Exploitability of Samba despite 'server schannel = yes'
+=======================================================
+
+The published proof of concept exploit for this issue only attempts to
+authenticate to the NetLogon service but does not attempt a takeover of
+the domain.
+
+On domains with 'server schannel = yes', these tests claim to show a
+vulnerability against Samba despite being unable to access any
+privileged functionality.
+
+This Samba release adds additional server checks for the protocol
+attack in the client-specified challenge that provides some protection
+when 'server schannel = no/auto' and avoids this false-positive
+result.
+
+These server checks are identical to the server logic added by
+Microsoft for their patch for the Windows server code for
+CVE-2020-1472. The Samba Team would like to thank Microsoft for their
+disclosure of the method used to prevent the proof of concept exploit
+code from working against such a hardened server.
+
+
+==================
+Patch Availability
+==================
+
+Patches addressing this defect are available at:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.10.18, 4.11.13, and 4.12.7 have been issued as
+security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon as
+possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)
+
+==========
+Workaround
+==========
+
+Users of versions of Samba before 4.8 should set
+
+    server schannel = yes
+
+in their smb.conf and restart Samba (on all domain controllers!)
+
+Users of versions 4.8 and above should ensure their smb.conf either
+a) has the "server schannel = yes" line, or
+b) has no "server schannel" line.
+
+If in doubt, add "server schannel = yes" to your smb.conf.
+
+=======
+Credits
+=======
+
+This problem was originally discovered by Tom Tervoort of Secura,
+though it was not successfully reported to the Samba team before its
+public disclosure.
+
+Stefan Metzmacher made the changes to Samba 4.8 that preemptively
+dodge this bug in default installs.
+
+Andrew Bartlett, Gary Lockyer, Günther Deschner, Jeremy Allison, and
+Stefan Metzmacher have triaged the bug and written patches and tests.
+
+This advisory written by Andrew Bartlett and Douglas Bagnall.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
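
Review bot: the heading "<H2>CVE-2020-1472.html" is never closed and shows the file name rather than a title, so everything after it is parsed as heading content; close it and use the advisory subject or the CVE ID alone. The p element opened before the pre block is also never closed, and a pre element may not sit inside a p under the declared XHTML 1.0 Transitional doctype. In the advisory text, "if their smb.conf file" should be "of their smb.conf file", "by changing the a server password" has a stray "the", and "Other consequences includes" should be "include". The "Allow listed exceptions" section says patches are available for per-machine exceptions; the Workaround section should state whether "server require schannel:NAME$ = no" is honoured only on the patched releases, so that unpatched installations do not rely on it.
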


-- 
Samba Website Repository


