Ideas (other than just mandetory schannel) for ZeroLogin CVE-2020-1472
abartlet at samba.org
Wed Sep 16 05:51:20 UTC 2020
This isn't on the bug
because it isn't at that point yet, and isn't a MR as I've not even
compiled it, but ideas (done with Gary) for mitigation for those who
must run with schannel are:
Ensure that the password set via ServerSetPassword2 is of non-zero
Check the password does not have zero bytes in it.
Check that the challenge in ServerAuthenticate3 does not have repeating
patterns in the first 3 bytes and repeating 0s in the computed
This should make false positives pretty rare, while working with the
failure mode of the cipher.
See https://www.secura.com/pathtoimg.php?id=2055 for a really readable
description of the issue.
I'm going home shortly but will keep looking at this and will be
I think Samba 4.13 should ship without the option to turn off schannel
- just remove it, assuming we can make the tests still go.
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4078 bytes
Desc: not available
More information about the samba-technical