The Samba-Bugzilla: Attachment 16243 details for Bug 14497
[CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogon"
Description: advisory v3, expands $VERSIONS, includes JRA feedback, and credits Günther
Filename: CVE-2020-1472-v3.txt
MIME Type: text/plain
Creator: Douglas Bagnall
Created: 2020-09-18 07:36:06 UTC
Size: 6.32 KB
===========================================================
== Subject:     Unauthenticated domain takeover via netlogon ("ZeroLogon")
==
== CVE ID#:     CVE-2020-1472
==
== Versions:    Samba 4.0 and later
==
== Summary:     An unauthenticated attacker on the network can gain
==              administrator access by exploiting a netlogon
==              protocol flaw.
===========================================================

===========
Description
===========

The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).
Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "File servers and domain
members" below).

The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.

However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.
Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.

Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section of
their smb.conf file.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.

============
Consequences
============

The exploitation of this issue is by changing a server password.
In an AD domain changing a DC password allows full password database
disclosure (via DRS replication), including the krbtgt password, the
unsalted MD4 password hash (the 'NT Hash') for each user, and the LM
password hash if stored.

The krbtgt password allows the attacker to issue a 'golden ticket' to
themselves and return to take over the domain at any point in the
future.

Other consequences include disclosure of session keys, as well as
general denial of service to the trust account selected.

Samba NT4-like / classic domains
================================

In NT4-like domains Samba does not provide a replication service (this
is done at lower layers, like OpenLDAP), but changing machine account
passwords can allow the attacker limited rights, similar to any other
member server or trusted domain. This includes disclosure of session
keys and inter-domain trust passwords (only), as well as general
denial of service to the domain member selected.

Therefore, while still real, the risk is lower in these domains than
for the AD DC.

File servers and domain members
===============================

File servers and domain members do not run the NETLOGON service in
supported Samba versions and only need to ensure that they have not
set 'client schannel = no' for continued operation against secured DCs
such as Samba 4.8 and later and Windows DCs in 2021. Users running
Samba as a file server should still patch to ensure the server-side
mitigations (banning certain un-random values) do not very rarely
impact service.

Allowlisted exceptions
======================

Some domains employ third-party software that will not work with
'server schannel = yes'. For these cases patches are available that
allow specific machines to use insecure netlogon. For example, the
following smb.conf:

  server schannel = yes
  server require schannel:triceratops$ = no
  server require schannel:greywacke$ = no

will allow only "triceratops$" and "greywacke$" to avoid schannel.

Exploitability of Samba despite 'server schannel = yes'
=======================================================

The published proof of concept exploit for this issue only attempts to
authenticate to the NetLogon service but does not attempt a takeover of
the domain.

On domains with 'server schannel = yes', these tests claim to show a
vulnerability against Samba despite being unable to access any
privileged functionality.

This Samba release adds additional server checks for the protocol
attack in the client-specified challenge that provide some protection
when 'server schannel = no/auto' and avoid this false-positive
result.

These server checks are identical to the server logic added by
Microsoft for their patch for the Windows server code for
CVE-2020-1472. The Samba Team would like to thank Microsoft for their
disclosure of the method used to prevent the proof of concept exploit
code from working against such a hardened server.


==================
Patch Availability
==================

Patches addressing this defect are available at:

  https://www.samba.org/samba/security/

Additionally, Samba 4.10.18, 4.11.13, and 4.12.7 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)

==========
Workaround
==========

Users of versions of Samba before 4.8 should set

  server schannel = yes

in their smb.conf and restart Samba.

Users of versions 4.8 and above should ensure their smb.conf either
a) has the "server schannel = yes" line, or
b) has no "server schannel" line.

If in doubt, add "server schannel = yes" to your smb.conf.

=======
Credits
=======

This problem was originally discovered by Tom Tervoort of Secura,
though it was not successfully reported to the Samba team before its
public disclosure.

Stefan Metzmacher made the changes to Samba 4.8 that preemptively
dodge this bug in default installs.

Andrew Bartlett, Gary Lockyer, Günther Deschner, Jeremy Allison, and
Stefan Metzmacher have triaged the bug and written patches and tests.

This advisory was written by Andrew Bartlett and Douglas Bagnall.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
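The advisory's mitigation rules (the 4.8 default, the explicit 'no'/'auto' weakening, the per-account 'server require schannel' allowlist, and the 'client schannel = no' caveat for members) are easy to get wrong when auditing many hosts. The following checker is an added example, not part of the advisory or of Samba's own tooling: it parses an smb.conf [global] section and reports whether the configuration is vulnerable under the advisory's rules for the given Samba version. The parser follows smb.conf(5) in treating parameter names as case-insensitive with internal whitespace ignored; the sample configurations are constructed for illustration.

```python
"""Assess an smb.conf against the Samba advisory's CVE-2020-1472 rules.

Added example, not Samba's own tooling. Rules taken from the advisory:
  * Samba 4.7 and below: vulnerable unless 'server schannel = yes' is set.
  * Samba 4.8 and above: safe by default; vulnerable only with 'no' or 'auto'.
  * 'server require schannel:<account$> = no' allowlists one machine account
    (honoured only by patched servers).
  * Members/file servers must not set 'client schannel = no'.
"""
import re
from typing import Dict, List, Optional, Tuple


def _norm_key(name: str) -> str:
    # smb.conf(5): parameter names are case-insensitive and internal
    # whitespace is irrelevant, so "Server SChannel" == "serverschannel".
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal INI-style parser: [section] headers and 'key = value' lines."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)  # only the first '=' is significant
        sections[current][_norm_key(key)] = value.strip()
    return sections


def _bool_or_auto(value: Optional[str]) -> Optional[str]:
    """Normalise a Samba boolean to 'yes', 'no', 'auto', or None if unset."""
    if value is None:
        return None
    v = value.lower()
    if v in ("yes", "true", "1"):
        return "yes"
    if v in ("no", "false", "0"):
        return "no"
    if v == "auto":
        return "auto"
    raise ValueError(f"unrecognised boolean value: {value!r}")


def parse_version(version: str) -> Tuple[int, int]:
    """'4.10.17' -> (4, 10); only major.minor matter for the 4.8 cut-off."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def assess(smb_conf_text: str, samba_version: str) -> Dict[str, object]:
    g = parse_smb_conf(smb_conf_text).get("global", {})
    setting = _bool_or_auto(g.get("serverschannel"))
    pre_48 = parse_version(samba_version) < (4, 8)
    # < 4.8 needs an explicit 'yes'; >= 4.8 is safe unless explicitly weakened.
    vulnerable = (setting != "yes") if pre_48 else (setting in ("no", "auto"))
    allowlisted: List[str] = [
        key.split(":", 1)[1]
        for key, value in g.items()
        if key.startswith("serverrequireschannel:") and _bool_or_auto(value) == "no"
    ]
    client_schannel_off = _bool_or_auto(g.get("clientschannel")) == "no"
    findings: List[str] = []
    if vulnerable:
        findings.append("add 'server schannel = yes' to [global] and restart Samba")
    if allowlisted:
        findings.append("insecure netlogon allowed for " + ", ".join(allowlisted)
                        + " (needs a patched Samba release)")
    if client_schannel_off:
        findings.append("'client schannel = no' breaks operation against secured DCs")
    return {
        "server_schannel": setting,  # None: line absent, version default applies
        "vulnerable": vulnerable,
        "allowlisted_accounts": allowlisted,
        "client_schannel_off": client_schannel_off,
        "findings": findings,
    }


# Constructed sample configurations, not from any real deployment.
SAMPLE_OLD_DC = "[global]\n  server role = active directory domain controller\n"
SAMPLE_AUTO_DC = "[global]\n  Server SChannel = auto\n"
SAMPLE_ALLOWLIST = ("[global]\n  server schannel = yes\n"
                    "  server require schannel:triceratops$ = no\n"
                    "  server require schannel:greywacke$ = no\n")
SAMPLE_MEMBER = "[global]\n  server role = member server\n  client schannel = no\n"

if __name__ == "__main__":
    for label, conf, ver in [("4.7 DC", SAMPLE_OLD_DC, "4.7.6"),
                             ("4.12 DC, auto", SAMPLE_AUTO_DC, "4.12.6"),
                             ("allowlist", SAMPLE_ALLOWLIST, "4.12.7"),
                             ("member", SAMPLE_MEMBER, "4.11.13")]:
        print(label, assess(conf, ver))
```

The same config is judged differently depending on version: a [global] section with no 'server schannel' line is vulnerable on 4.7.6 but safe on 4.10.17, which is exactly the distinction the Workaround section draws. An allowlisted account is reported separately from the overall verdict, since the advisory only permits that exception on a patched release.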
Flags: gary: review+; abartlet: review+