Ideas (other than just mandetory schannel) for ZeroLogin CVE-2020-1472

Andrew Bartlett abartlet at
Wed Sep 16 05:51:20 UTC 2020

This isn't on the bug
because it isn't at that point yet, and isn't a MR as I've not even
compiled it, but ideas (done with Gary) for mitigation for those who
must run with schannel are:

Ensure that the password set via ServerSetPassword2 is of non-zero

Check the password does not have zero bytes in it.

Check that the challenge in ServerAuthenticate3 does not have repeating
patterns in the first 3 bytes and repeating 0s in the computed

This should make false positives pretty rare, while working with the
failure mode of the cipher.

See for a really readable
description of the issue.

I'm going home shortly but will keep looking at this and will be
available tonight.

I think Samba 4.13 should ship without the option to turn off schannel
- just remove it, assuming we can make the tests still go.

Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT - Expert Open Source

-------------- next part --------------
A non-text attachment was scrubbed...
Name: CVE-2020-1472-ideas.patch
Type: text/x-patch
Size: 4078 bytes
Desc: not available
URL: <>

More information about the samba-technical mailing list