The Samba-Bugzilla – Attachment 17652 Details for Bug 15240
CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON
Attachment 17652 on bug 15240: CVE-2022-XXXX-RejectMd5Clients-v01.txt (text/plain), 2.84 KB, created by Andrew Bartlett on 2022-11-14 20:19:57 UTC
Description: Initial advisory without versions or CVE number
Flags: patch, obsolete
===========================================================
== Subject: RC4 NetLogon Secure Channel is weak and must be avoided
==
== CVE ID#: (MS CVE-2022-38023)
==
== Versions: All versions of Samba
==
== Summary: RC4 protection of the NetLogon Secure channel uses the
== same algorithms as rc4-md5 cryptography in Kerberos,
== and so must also be assumed to be weak.
===========================================================

===========
Description
===========

This is Samba's response to Microsoft's CVE-2022-38023.

If, per RFC8429 and as we are assuming for CVE-2022-3938, rc4-md5
cryptography in Kerberos is weak, then it follows that the RC4 mode in
the NETLOGON Secure Channel (DCE/RPC bulk encryption) is also weak, as
they are the same cipher (essentially).

Therefore we must disable this cipher. Thankfully this cipher is
unused by modern member servers (Windows 8 / Windows 2008R2 and later).

In this patch we achieve this by setting 'reject md5 clients = yes' and
'reject md5 servers = yes' by default.

Additionally we extend the meaning of 'server require schannel' to mean
that a fully encrypted NETLOGON secure channel must have been
negotiated. While no specific vulnerability has been disclosed to
Samba, we do this to match the new Microsoft Windows behaviour.

Clients that do not support NETLOGON Secure Channel encryption can be
exempted in the same way as for CVE-2020-1472 (ZeroLogon).

The following smb.conf:

 server schannel = yes
 server require schannel:triceratops$ = no
 server require schannel:greywacke$ = no

will allow only "triceratops$" and "greywacke$" to avoid schannel, or
operate with signing-only schannel.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

 https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:v3.1:AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)

==========
Workaround
==========

Setting 'reject md5 clients' (on DCs) and 'reject md5 servers' (on
member servers) will avoid this vulnerable protocol. It is unknown
what made Microsoft decide that signing-only schannel is vulnerable,
but Samba addressed the NTLM session key disclosure issue in CVE-2016-2111.

=======
Credits
=======

Microsoft reported this issue at
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-38023

Patches provided by $DEVELOPER of the Samba team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
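As an added illustration, not Samba's own code and not part of this attachment, of the per-account exemption semantics the advisory describes: a small Python model that reads the [global] section of a constructed smb.conf and reports, for each machine account, whether a DC still demands an encrypted secure channel and whether the RC4/MD5 secure channel is rejected. The post-patch defaults and the parse_global/evaluate/audit names are assumptions made for this example.

```python
import re
# Constructed smb.conf fragment: the advisory's exemption example with the
# post-patch defaults written out explicitly.
SAMPLE_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server schannel = yes
    reject md5 clients = yes
    ; legacy members that cannot negotiate an encrypted secure channel
    server require schannel:triceratops$ = no
    server require schannel:greywacke$ = no
"""

# Defaults the advisory describes for a patched DC, assumed when a key is absent.
DEFAULTS = {"server schannel": "yes", "reject md5 clients": "yes"}

def parse_global(conf_text):
    """Return the [global] parameters as a dict (keys and values lower-cased)."""
    params, section = {}, None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                       # blank or smb.conf comment line
        header = re.match(r"\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
        elif section == "global" and "=" in line:
            key, value = (part.strip().lower() for part in line.split("=", 1))
            params[key] = value
    return params

def _enabled(value):
    return value in ("yes", "true", "1")

def evaluate(params, account):
    """Model (not Samba's own code) of the semantics the advisory describes:
    'server schannel' and 'reject md5 clients' apply to every client, and a
    'server require schannel:<account>' line overrides the former per account."""
    required = _enabled(params.get("server schannel", DEFAULTS["server schannel"]))
    override = params.get(f"server require schannel:{account.lower()}")
    if override is not None:
        required = _enabled(override)     # explicit per-account exemption
    rejected = _enabled(params.get("reject md5 clients", DEFAULTS["reject md5 clients"]))
    return {"schannel_required": required, "md5_rejected": rejected}

def audit(conf_text, accounts):
    """Evaluate each machine account against the [global] section of conf_text."""
    params = parse_global(conf_text)
    return {acct: evaluate(params, acct) for acct in accounts}
```

Any account whose result shows schannel_required False is one that may still operate with signing-only schannel and deserves a tracked migration plan.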