[Samba] Does CVE-2020-1472 impact samba AD domains?

Andrew Bartlett abartlet at samba.org
Wed Sep 16 08:13:27 UTC 2020

On Tue, 2020-09-15 at 19:33 -0400, Tom Diehl via samba wrote:
> Hi,
> I saw 
> https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/
> and 
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
> today and I am wondering what impact if any this has on samba AD domains in
> particular and samba in general?

We expect it would be catastrophic for domains, such as those running
Samba 4.7 and earlier, that have 'server schannel = auto'.

I've not run a full exploit against Samba, but spent this afternoon in
the code and can't find any mitigating factors so far. :-(

> Is samba using the "vulnerable Netlogon secure channel connection"? Will samba
> continue to work in mixed windows AD DCs and samba AD DCs after the second
> release that is planned for Q1 2021 by MS?

Samba has used, and since Samba 4.8 enforced by default, RPC level
protection for the "Netlogon secure channel".  We call this schannel
and the default is 'server schannel = yes'.

We didn't have any particular insight but after the big push around
'badlock' we required session-level integrity on all our connections by
default, which has saved some drama here.

Andrew Bartlett

Andrew Bartlett                       https://samba.org/~abartlet/
Authentication Developer, Samba Team  https://samba.org
Samba Developer, Catalyst IT          
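
The 'server schannel' setting discussed in this message can be checked mechanically. The following is an added example, not part of the original post and not Samba's own code: a minimal Python reader for smb.conf text that reports the [global] value and maps it to a finding. Function names and the sample configuration are constructed for illustration, and 'include' directives are not resolved.

```python
TRUTHY = {"yes", "true", "1", "on"}   # boolean spellings smb.conf accepts
FALSY = {"no", "false", "0", "off"}

def logical_lines(text):
    """Yield smb.conf lines, skipping comments and joining '\\' continuations."""
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not buf and (not line or line[0] in "#;"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""
    if buf:
        yield buf

def server_schannel(text):
    """Return 'yes', 'no', 'auto', 'unset' or 'invalid:<value>' for [global]."""
    section, value = "global", None  # assumption: keys before any header are global
    for line in logical_lines(text):
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and section == "global":
            key, _, val = line.partition("=")
            if "".join(key.split()).lower() == "serverschannel":  # names ignore case/spaces
                value = val.strip().lower()  # a later assignment overrides
    if value is None:
        return "unset"
    if value in TRUTHY | FALSY:
        return "yes" if value in TRUTHY else "no"
    return "auto" if value == "auto" else "invalid:" + value

def assess(text):
    state = server_schannel(text)
    if state == "yes":
        return "ok: schannel required"
    if state == "unset":
        return "check version: the default is yes since Samba 4.8"
    return "review: schannel not enforced (server schannel = " + state + ")"

# Constructed sample configuration, not taken from any real host.
SAMPLE = """[global]
  workgroup = EXAMPLE
  Server  SChannel = Auto
"""
print(assess(SAMPLE))
```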
