Ideas (other than just mandatory schannel) for ZeroLogin CVE-2020-1472

Stefan Metzmacher metze at
Wed Sep 16 11:29:16 UTC 2020

On 16.09.20 at 07:51, Andrew Bartlett via samba-technical wrote:
> This isn't on the bug
> because it isn't at that point yet, and isn't a MR as I've not even
> compiled it, but ideas (done with Gary) for mitigation for those who
> must run with schannel are:
> Ensure that the password set via ServerSetPassword2 is of non-zero
> length.
> Check the password does not have zero bytes in it.
> Check that the challenge in ServerAuthenticate3 does not have repeating
> patterns in the first 3 bytes and repeating 0s in the computed
> response.

MS-NRPC has added recently:

7. If none of the first 5 bytes of the client challenge is unique, the server MUST fail session-key negotiation without further processing of the following steps.<70>

I'll add a similar check.


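The MS-NRPC rule quoted in the message above can be read two ways, so this added example (not part of the original message and not Samba's code) implements both and shows where they differ. The function names, the interpretation labels and the sample challenges are assumptions made for illustration; the 8-byte length is the size of a NETLOGON credential.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define CHALLENGE_LEN 8 /* NETLOGON client challenge is 8 bytes */
#define CHECKED_BYTES 5 /* the rule only inspects the first 5 */

/* Literal reading (assumption): a byte is "unique" when its value occurs
 * exactly once among the first five bytes. Returns true when at least one
 * such byte exists, i.e. session-key negotiation may continue. */
bool challenge_has_unique_byte(const uint8_t c[CHALLENGE_LEN])
{
    for (size_t i = 0; i < CHECKED_BYTES; i++) {
        bool seen_elsewhere = false;
        for (size_t j = 0; j < CHECKED_BYTES; j++) {
            if (j != i && c[j] == c[i]) {
                seen_elsewhere = true;
                break;
            }
        }
        if (!seen_elsewhere)
            return true;
    }
    return false;
}

/* Narrower reading (assumption): fail only when all five are identical. */
bool challenge_first5_identical(const uint8_t c[CHALLENGE_LEN])
{
    for (size_t i = 1; i < CHECKED_BYTES; i++)
        if (c[i] != c[0])
            return false;
    return true;
}

/* Constructed sample challenges, not captured traffic. */
const uint8_t all_zero[CHALLENGE_LEN]  = {0, 0, 0, 0, 0, 0, 0, 0};
const uint8_t pairs[CHALLENGE_LEN]     = {0xAA, 0xBB, 0xAA, 0xBB, 0xAA, 1, 2, 3};
const uint8_t randomish[CHALLENGE_LEN] = {0x3c, 0x91, 0x07, 0xe4, 0x5a, 0x10, 0x22, 0xf8};

int main(void)
{
    const uint8_t *samples[] = {all_zero, pairs, randomish};
    const char *names[] = {"all_zero", "pairs", "randomish"};
    for (size_t i = 0; i < 3; i++)
        printf("%-9s literal=%s narrow=%s\n", names[i],
               challenge_has_unique_byte(samples[i]) ? "accept" : "fail",
               challenge_first5_identical(samples[i]) ? "fail" : "accept");
    return 0;
}
```

The `pairs` sample is the case that separates the two readings: no byte value occurs exactly once in its first five bytes, yet the five bytes are not all the same.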