Ideas (other than just mandatory schannel) for Zerologon CVE-2020-1472

Andrew Bartlett abartlet at samba.org
Wed Sep 16 10:02:30 UTC 2020


On Wed, 2020-09-16 at 18:05 +1200, Andrew Bartlett via samba-technical wrote:
> On Wed, 2020-09-16 at 17:51 +1200, Andrew Bartlett via samba-technical wrote:
> > This isn't on the bug
> > https://bugzilla.samba.org/show_bug.cgi?id=14497
> > because it isn't at that point yet, and isn't an MR as I've not even
> > compiled it, but ideas (done with Gary) for mitigation for those who
> > must run with schannel are:
> > 
> > Ensure that the password set via ServerSetPassword2 is of non-zero
> > length.
> > 
> > Check the password does not have zero bytes in it.
> > 
> > Check that the challenge in ServerAuthenticate3 does not have repeating
> > patterns in the first 3 bytes and repeating 0s in the computed
> > response.
> > 
> > This should make false positives pretty rare, while working with the
> > failure mode of the cipher.
> > 
> > See https://www.secura.com/pathtoimg.php?id=2055 for a really readable
> > description of the issue.
> > 
> > I'm going home shortly but will keep looking at this and will be
> > available tonight.
> > 
> > I think Samba 4.13 should ship without the option to turn off schannel
> > - just remove it, assuming we can make the tests still go.
> 
> We could also make ServerSetPassword2 absolutely require schannel for
> 'server schannel = auto'; impacted servers would still be able to
> ServerAuthenticate3, just not rotate their passwords.

I need to finish up here in NZ for the night, but I wonder if someone
could write up an advisory at least so we can post something to
samba-announce ASAP?

Andrew Bartlett

-- 
Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          https://catalyst.net.nz/services/samba
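The four server-side checks proposed in the quoted message, written up as an added C illustration; this is not Samba's code, and the function names, the exact "first 3 bytes all equal" rule and the all-zero credential test are assumptions that follow the mail's wording rather than any shipped fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Netlogon challenges and credentials (netr_Credential) are 8 bytes. */
#define NETR_CRED_LEN 8

/* Proposal 3a: the first 3 bytes of the client challenge must not all be the
 * same byte. A genuinely random challenge trips this with probability 1/65536,
 * the "rare false positive" the mail is willing to accept. */
static bool challenge_has_repeating_prefix(const uint8_t chal[NETR_CRED_LEN])
{
    return chal[0] == chal[1] && chal[1] == chal[2];
}

/* Proposal 3b: the computed 8-byte credential must not be all zero bytes.
 * With a zero IV and zero input, AES-CFB8 produces all-zero output for about
 * 1 in 256 keys; that is the cipher failure mode the attack relies on. */
static bool credential_is_all_zero(const uint8_t cred[NETR_CRED_LEN])
{
    static const uint8_t zeros[NETR_CRED_LEN] = {0};
    return memcmp(cred, zeros, NETR_CRED_LEN) == 0;
}

/* Proposals 1 and 2: a password arriving via ServerSetPassword2 must be
 * non-empty and contain no zero bytes. */
bool password_is_acceptable(const uint8_t *pw, size_t len)
{
    return len != 0 && memchr(pw, 0, len) == NULL;
}

/* Combined ServerAuthenticate3 policy: reject if either heuristic fires. */
bool authenticate3_should_reject(const uint8_t chal[NETR_CRED_LEN],
                                 const uint8_t cred[NETR_CRED_LEN])
{
    return challenge_has_repeating_prefix(chal) || credential_is_all_zero(cred);
}

int main(void)
{
    /* Constructed samples: the all-zero pair versus a random-looking pair. */
    const uint8_t zeros[NETR_CRED_LEN] = {0};
    const uint8_t rnd[NETR_CRED_LEN] = {0x3a, 0x91, 0xc7, 0x08, 0x5e, 0xf2, 0x44, 0xb0};
    printf("all-zero pair rejected: %d\n", authenticate3_should_reject(zeros, zeros));
    printf("random pair rejected:   %d\n", authenticate3_should_reject(rnd, rnd));
    return 0;
}
```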