Ideas (other than just mandatory schannel) for ZeroLogin CVE-2020-1472

Andrew Bartlett abartlet at samba.org
Wed Sep 16 05:51:20 UTC 2020


This isn't on the bug
https://bugzilla.samba.org/show_bug.cgi?id=14497
because it isn't at that point yet, and isn't a MR as I've not even
compiled it, but ideas (done with Gary) for mitigation for those who
must run with schannel are:

Ensure that the password set via ServerSetPassword2 is of non-zero
length.

Check the password does not have zero bytes in it.

Check that the challenge in ServerAuthenticate3 does not have repeating
patterns in the first 3 bytes and repeating 0s in the computed
response.

This should make false positives pretty rare, while working with the
failure mode of the cipher.

See https://www.secura.com/pathtoimg.php?id=2055 for a really readable
description of the issue.

I'm going home shortly but will keep looking at this and will be
available tonight.

I think Samba 4.13 should ship without the option to turn off schannel
- just remove it, assuming we can make the tests still go.

Andrew Bartlett
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
https://catalyst.net.nz/services/samba
-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2020-1472-ideas.patch
Type: text/x-patch
Size: 4078 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20200916/508067b0/CVE-2020-1472-ideas.bin>
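The three server-side checks proposed in the message, written out as an added C example. This is neither Samba's code nor the attached patch; the function names are hypothetical, and "repeating 0s in the computed response" is read here as the 8-byte client credential being all zeros.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical function names: not Samba's code and not the attached patch. */
/* ServerSetPassword2: the new password must be non-empty and contain no
 * zero bytes, since an all-zero buffer is what the cipher failure yields. */
bool new_password_is_acceptable(const uint8_t *pw, size_t len)
{
	if (len == 0) {
		return false;
	}
	for (size_t i = 0; i < len; i++) {
		if (pw[i] == 0) {
			return false;
		}
	}
	return true;
}

/* ServerAuthenticate3: reject a client challenge whose first three bytes
 * repeat. A genuinely random challenge trips this with probability 1/65536. */
bool client_challenge_is_random(const uint8_t challenge[8])
{
	return !(challenge[0] == challenge[1] && challenge[1] == challenge[2]);
}

/* The computed credential must not be all zeros, the output the AES-CFB8
 * weakness produces for a zero challenge (assumed reading of "repeating 0s
 * in the computed response"). */
bool client_credential_is_all_zero(const uint8_t credential[8])
{
	static const uint8_t zero[8] = {0};
	return memcmp(credential, zero, sizeof(zero)) == 0;
}

/* Combined decision for the ServerAuthenticate3 handshake. */
bool authenticate3_allowed(const uint8_t challenge[8], const uint8_t credential[8])
{
	return client_challenge_is_random(challenge) &&
	       !client_credential_is_all_zero(credential);
}

/* Constructed samples, not captured traffic. */
const uint8_t sample_zero[8] = {0};
const uint8_t sample_ok[8] = {0x3a, 0x91, 0x7c, 0x05, 0xe2, 0x48, 0xb6, 0x1d};
const uint8_t sample_repeating[8] = {0x41, 0x41, 0x41, 0x02, 0x03, 0x04, 0x05, 0x06};
```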