Samba impact of "ZeroLogin" CVE-2020-1472

Karolin Seeger kseeger at samba.org
Wed Sep 16 12:57:06 UTC 2020


The following applies to Samba used as domain controller only.

(Both as classic/NT4-style and active directory DC.)



Samba users have reported that the exploit for "ZeroLogin" passes
against Samba.



Samba has some protection for this issue because since Samba 4.8 we have
set a default of 'server schannel = yes'.



Users who have changed this default are hereby warned that Samba
implements the AES netlogon protocol faithfully and so falls to the same
fault in the cryptosystem design.



Vendors supporting Samba 4.7 and below should patch their installations
and packages to change this default, as values of:

 - server schannel = no
 - server schannel = auto

are NOT secure and we expect can result in full domain compromise,
particularly for AD domains.



Some public exploit tests, such as
https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py
only confirm that a ServerAuthenticate3 call operates, but not that the
ServerPasswordSet2 call required to exploit the domain also operates.



We are well aware of administrator concern and are looking to provide
patches that provide mitigation here, to make the ServerAuthenticate3
call also fail.



We, like Microsoft, suggest that 'server schannel = yes' must be set for
secure operation. This is our equivalent to Microsoft's
FullSecureChannelProtection=1 registry key, with the difference
that it's already enabled by default in all Samba major versions
released in the last three years.


Finally, we would note that Samba's audit logging will record
ServerAuthenticate3 and ServerPasswordSet calls including the source IP;
details will be provided later on the options to enable.



There seems to be some legacy software which still requires
"server schannel = auto". See the following bugs:

 - https://bugzilla.samba.org/show_bug.cgi?id=11892
 - https://bugzilla.samba.org/show_bug.cgi?id=13464
 - https://bugzilla.samba.org/show_bug.cgi?id=13949



We'll add additional hardening that will allow
administrators to use "server schannel = yes" globally
and define exceptions only for specified computer accounts.



Our progress can be monitored via this bug:

 - https://bugzilla.samba.org/show_bug.cgi?id=14497


-- 
Karolin Seeger			https://samba.org/~kseeger/
Release Manager Samba Team	https://samba.org
Team Lead Samba SerNet		https://sernet.de
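The following is an added example, not part of the post above and not Samba project code. It audits the 'server schannel' setting the post discusses: it parses an smb.conf-style text, works out the effective value (the 4.8+ default of yes when the parameter is absent, the older default of auto for versions below 4.8), and flags no/auto as the insecure settings the post warns about. The two configs embedded in it are constructed for the example; the function names and the (4, 8) version tuple are this example's own choices, and the accepted spellings (yes/true/1, no/false/0, auto) are assumed to match Samba's own parsing of this parameter.

```python
"""Audit the 'server schannel' setting of an smb.conf (added example).

Assumptions (not from the post): smb.conf is ini-style with a [global]
section, parameter names are case-insensitive with insignificant
whitespace, and the default is 'yes' on Samba 4.8+ and 'auto' before 4.8.
"""
import re

# Spellings assumed to be accepted by Samba for this yes/no/auto parameter.
_SPELLINGS = {
    "yes": "yes", "true": "yes", "1": "yes",
    "no": "no", "false": "no", "0": "no",
    "auto": "auto",
}


def parse_smb_conf(text):
    """Return {section: {parameter: raw value}} for an smb.conf-style text.

    Comments start with '#' or ';'; parameter names are lower-cased with
    internal whitespace collapsed so 'Server   SChannel' == 'server schannel'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray line outside any section, or not a parameter
        name, _, value = line.partition("=")
        name = " ".join(name.split()).lower()
        sections[current][name] = value.strip()
    return sections


def effective_server_schannel(text, samba_version=(4, 8)):
    """Effective 'server schannel' value: explicit [global] setting, else the
    version default (yes for 4.8+, auto below). Unknown spellings are returned
    as 'unknown:<value>' rather than silently treated as secure."""
    conf = parse_smb_conf(text)
    value = conf.get("global", {}).get("server schannel")
    if value is None:
        return "yes" if samba_version >= (4, 8) else "auto"
    return _SPELLINGS.get(value.lower(), "unknown:" + value)


def audit(text, samba_version=(4, 8)):
    """Return ('ok' | 'insecure', effective value). Only 'yes' is secure."""
    value = effective_server_schannel(text, samba_version)
    return ("ok" if value == "yes" else "insecure", value)


# Constructed sample configs for the example (not real deployments).
WEAK_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    # insecure: leaves the flawed netlogon crypto exposed
    server schannel = auto
"""

FIXED_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    Server SChannel = Yes
"""

NO_SETTING_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF),
                        ("unset on 4.8", NO_SETTING_CONF)):
        print(label, audit(conf))
    print("unset on 4.7", audit(NO_SETTING_CONF, samba_version=(4, 7)))
```

On a live system the same check can be made against the running configuration with Samba's own tool, `testparm -s --parameter-name='server schannel'`, which prints the effective value rather than only what is written in the file.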



More information about the samba-technical mailing list