Samba impact of "ZeroLogon" CVE-2020-1472

The Samba team has informed about an issue that applies to Samba used as domain controller only (both as classic/NT4-style and active direcory DC). Please read the following text carefully, which we also publish here:

Samba users have reported that the exploit for "ZeroLogin" passes against Samba. Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'. Users who have changed this default are hereby warned that Samba implements the AES netlogon protocol faithfully and so falls to the same fault in the cryptosystem design.

Vendors supporting Samba 4.7 and below should patch their installations and packages to change this default, as values of:

  • server schannel = no
  • server schannel = auto

are NOT secure and we expect they can result in full domain compromise, particularly for AD domains.

Some public exploit tests, such as https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py only confirm that a ServerAuthenticate3 call operates, but not that the ServerPasswordSet2 call required to exploit the domain also operates.

We are well aware of administrator concern and are looking to provide patches that provide mitigation here, to make the ServerAuthenticate3 call also fail.

We, like Microsoft, suggest that 'server schannel = yes' must be set for secure operation. This is our equivalent to Microsoft's FullSecureChannelProtection=1 registry key, with the difference that it's already enabled by default in all Samba major versions released in the last three years.

Finally, we would note that Samba's audit logging will record ServerAuthenticate3 and ServerPasswordSet calls including the source IP, details will be provided later on the options to enable.

There seem to be some legacy software, which still requires "server schannel = auto". See the following bugs:

We'll add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts. Our progress can be monitored via this bug: https://bugzilla.samba.org/show_bug.cgi?id=14497

Newsletter

SerNet's Samba newsletter informs you about all important developments and events with its main focus on new packages.

+ subscribe to Newsletter

RSS Feed

Don't miss any more SAMBA+ news? Read the latest in your feed reader of choice.

+ subscribe to RSS feed

SAMBA+ Shop

Buy software subscriptions and support budgets. SAMBA+ subscriptions are available for 1, 2 and 3 years at the SAMBA+ shop.

+ visit the US Shop ($)

+ visit the World Shop (€)

Contact us
Contact

We are here for you!

Our sales team is happy to help you with any questions about all Samba products and services from SerNet - personally and individually tailored to your needs.

You can call us directly at +1 (415) 248-7818
or outside the US at +49 551 370000-0.
Mail us at sales@remove-this.sernet.com.

Contact us!

linke Spalte
rechte Splate
captcha
* Mandatory Fields
Deutsch English Français