Ideas (other than just mandatory schannel) for Zerologon CVE-2020-1472
Andrew Bartlett
abartlet at samba.org
Wed Sep 16 06:05:52 UTC 2020
On Wed, 2020-09-16 at 17:51 +1200, Andrew Bartlett via samba-technical
wrote:
> This isn't on the bug
> https://bugzilla.samba.org/show_bug.cgi?id=14497
> because it isn't at that point yet, and isn't an MR as I've not even
> compiled it, but ideas (done with Gary) for mitigation for those who
> must run with schannel are:
>
> Ensure that the password set via ServerSetPassword2 is of non-zero
> length.
>
> Check the password does not have zero bytes in it.
>
> Check that the challenge in ServerAuthenticate3 does not have repeating
> patterns in the first 3 bytes and repeating 0s in the computed response.
>
> This should make false positives pretty rare, while working with the
> failure mode of the cipher.
>
> See https://www.secura.com/pathtoimg.php?id=2055 for a really readable
> description of the issue.
>
> I'm going home shortly but will keep looking at this and will be
> available tonight.
>
> I think Samba 4.13 should ship without the option to turn off schannel
> - just remove it, assuming we can make the tests still go.
We could also make ServerSetPassword2 absolutely require schannel for
'server schannel = auto', impacted servers would still be able to
ServerAuthenticate3, just not rotate their passwords.
Andrew Bartlett
> Andrew Bartlett
--
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
https://catalyst.net.nz/services/samba
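Added example, not code from this thread or from Samba itself: the three checks sketched in the quoted message and the 'server schannel = auto' policy from the reply, written as Python functions over constructed inputs. The function names, the call-name strings and the setting values "yes"/"auto" are assumptions made for the illustration.

```python
from __future__ import annotations

# Constructed example: the mitigation checks sketched in this thread, written
# out in Python. This is not Samba's netlogon code; function and call names
# are hypothetical.

CREDENTIAL_LEN = 8  # a netlogon challenge/credential is 8 bytes


def password_rejected(password: bytes) -> str | None:
    """ServerSetPassword2 checks: non-zero length and no zero bytes.
    Returns a reason when the password should be rejected, else None."""
    if len(password) == 0:
        return "empty password"
    if b"\x00" in password:
        return "password contains zero bytes"
    return None


def authenticate3_suspicious(client_challenge: bytes, client_credential: bytes) -> bool:
    """ServerAuthenticate3 heuristic: the first 3 challenge bytes repeat and the
    computed credential is all zeros, the cipher failure mode the thread refers to."""
    if len(client_challenge) != CREDENTIAL_LEN or len(client_credential) != CREDENTIAL_LEN:
        raise ValueError("challenge and credential must be 8 bytes")
    repeating_prefix = len(set(client_challenge[:3])) == 1
    zero_response = not any(client_credential)  # every byte is 0x00
    return repeating_prefix and zero_response


def netlogon_call_allowed(call: str, server_schannel: str, negotiated_schannel: bool) -> bool:
    """Policy sketch for 'server schannel = yes|auto': under 'auto', ServerSetPassword2
    still demands schannel while ServerAuthenticate3 may proceed without it."""
    if server_schannel == "yes":
        return negotiated_schannel
    if server_schannel == "auto":
        if call == "ServerSetPassword2":
            return negotiated_schannel
        return True
    # 'no' is deliberately not modelled; the thread proposes dropping that option.
    raise ValueError(f"unsupported server schannel setting: {server_schannel!r}")


if __name__ == "__main__":
    # Constructed sample exchange: all-zero challenge answered with an all-zero credential.
    print(authenticate3_suspicious(bytes(8), bytes(8)))                          # True
    print(authenticate3_suspicious(bytes.fromhex("0102030405060708"), bytes(8)))  # False
    print(password_rejected(b"correct-horse"))                                    # None
    print(netlogon_call_allowed("ServerSetPassword2", "auto", False))             # False
```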