Ideas (other than just mandetory schannel) for ZeroLogin CVE-2020-1472

Andrew Bartlett abartlet at
Wed Sep 16 06:05:52 UTC 2020

On Wed, 2020-09-16 at 17:51 +1200, Andrew Bartlett via samba-technical
> This isn't on the bug
> because it isn't at that point yet, and isn't a MR as I've not even
> compiled it, but ideas (done with Gary) for mitigation for those who
> must run with schannel are:
> Ensure that the password set via ServerSetPassword2 is of non-zero
> length.
> Check the password does not have zero bytes in it.
> Check that the challenge in ServerAuthenticate3 does not have
> repeating
> patterns in the first 3 bytes and repeating 0s in the computed
> response.
> This should make false positives pretty rare, while working with the
> failure mode of the cipher.
> See for a really
> readable
> description of the issue.
> I'm going home shortly but will keep looking at this and will be
> available tonight.
> I think Samba 4.13 should ship without the option to turn off
> schannel
> - just remove it, assuming we can make the tests still go.

We could also make ServerSetPassword2 absolutely require schannel for
'server schannel = auto', impacted servers would still be able to
ServerAuthenticate3, just not rotate their passwords.

Andrew Bartlett

> Andrew Bartlett
Andrew Bartlett
Authentication Developer, Samba Team
Samba Development and Support, Catalyst IT - Expert Open Source

More information about the samba-technical mailing list