[Samba] Does CVE-2020-1472 impact samba AD domains?

Andrew Bartlett abartlet at samba.org
Wed Sep 16 05:27:46 UTC 2020


Do note that to exploit this per the public description of the issue
you must be able to access ServerPasswordSet2, which is restricted to
sessions encrypted and SIGNED (this matters, the crypto is the
problem).

This is enforced by the default of 'require schannel = yes' since Samba
4.8.

Users who have changed this default are hereby warned that Samba
implements the AES netlogon protocol faithfully and so falls to the
same fault in the cryptosystem design.

Andrew Bartlett

On Wed, 2020-09-16 at 06:13 +0200, banda bassotti via samba wrote:
> Yes
> 
> $ ./zerologon_tester.py ap42 192.168.1.2
> Performing authentication attempts...
> =====================================================================
> =====================================================================
> =====================================================================
> =====================================================================
> =====================================================================
> =====================================================================
> =====================================================================
> =====================================================================
> ================================================================
> Success! DC can be fully compromised by a Zerologon attack.
> 
> $ dpkg -l samba\*|grep ^i
> ii  samba                    2:4.11.12+dfsg-0.1bionic1 amd64        SMB/CIFS file, print, and login server for Unix
> ii  samba-common             2:4.11.12+dfsg-0.1bionic1 all          common files used by both the Samba server and client
> ii  samba-common-bin         2:4.11.12+dfsg-0.1bionic1 amd64        Samba common files used by both the server and the client
> ii  samba-dsdb-modules:amd64 2:4.11.12+dfsg-0.1bionic1 amd64        Samba Directory Services Database
> ii  samba-libs:amd64         2:4.11.12+dfsg-0.1bionic1 amd64        Samba core libraries
> ii  samba-vfs-modules:amd64  2:4.11.12+dfsg-0.1bionic1 amd64        Samba Virtual FileSystem plugins
> 
> On Wed 16 Sep 2020 at 01:33, Tom Diehl via samba <samba at lists.samba.org> wrote:
> 
> > Hi,
> > 
> > I saw
> > https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/
> > and
> > https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
> > today and I am wondering what impact if any this has on samba AD
> > domains in particular and samba in general?
> > 
> > Is samba using the "vulnerable Netlogon secure channel connection"?
> > Will samba continue to work in mixed windows AD DCs and samba AD DCs
> > after the second release that is planned for Q1 2021 by MS?
> > 
> > Regards,
> > 
> > --
> > Tom                     me at tdiehl.org
> > 
-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
https://catalyst.net.nz/services/samba
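
A defender-side check for the setting discussed in the message above, as an added example that is not part of the original thread or Samba's own code: it audits smb.conf text for the [global] parameter, assuming its name in the smb.conf manual page is `server schannel`. The function names and sample configurations are constructed, and `include` directives are not followed.

```python
import re

# Boolean spellings accepted in smb.conf; "server schannel" also takes "auto".
_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}

def _norm(name):
    """smb.conf names are compared ignoring case and embedded whitespace."""
    return re.sub(r"\s+", "", name).lower()

def logical_lines(text):
    """Join backslash-continued lines, then drop comments and blank lines."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line and line[0] not in "#;":
            yield line

def audit_schannel(text):
    """Return (status, detail) for 'server schannel' in the [global] section."""
    section, value = None, None
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif "=" in line and section == "global":
            key, val = line.split("=", 1)
            if _norm(key) == "serverschannel":
                value = val.strip().lower()  # a later assignment replaces an earlier one
    if value is None:
        return "default", "not set; Samba 4.8+ defaults to yes"
    if value in _TRUE:
        return "enforced", "schannel required for netlogon sessions"
    if value in _FALSE or value == "auto":
        return "weakened", f"'server schannel = {value}' overrides the default"
    return "unknown", f"unrecognised value {value!r}"

# Constructed sample configurations (not taken from the thread).
WEAK = "[global]\n  realm = EXAMPLE.TEST\n  Server  Schannel = Auto\n"
STOCK = "[global]\n  realm = EXAMPLE.TEST\n  ; server schannel = no\n"

if __name__ == "__main__":
    for name, conf in (("WEAK", WEAK), ("STOCK", STOCK)):
        print(name, audit_schannel(conf))
```

On a live host, `testparm -s` prints the effective configuration with includes resolved, which is the text to feed to `audit_schannel`.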








