Karolin Seeger
2020-Sep-18 12:40 UTC
[Announce] Samba 4.12.7, 4.11.13 and 4.10.18 Security Releases Available
Release Announcements
---------------------
These are security releases in order to address the following defect:
o CVE-2020-1472: Unauthenticated domain takeover via netlogon
("ZeroLogon").
The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).
Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "file servers and domain
members" below).
The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.
However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.
Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel =
auto'.
Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.
Note each domain controller needs the correct settings in its smb.conf.
Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section if
their smb.conf file.
The 'server schannel = yes' smb.conf line is equivalent to
Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.
Some domains employ third-party software that will not work with a
'server schannel = yes'. For these cases patches are available that
allow specific machines to use insecure netlogon. For example, the
following smb.conf:
server schannel = yes
server require schannel:triceratops$ = no
server require schannel:greywacke$ = no
will allow only "triceratops$" and "greywacke$" to avoid
schannel.
More details can be found here:
https://www.samba.org/samba/security/CVE-2020-1472.html
Changes:
--------
o Jeremy Allison <jra at samba.org>
* BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
netr_ServerPasswordSet2 against unencrypted passwords.
o G?nther Deschner <gd at samba.org>
* BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
"server require schannel:WORKSTATION$ = no" about unsecure
configurations.
o Gary Lockyer <gary at catalyst.net.nz>
* BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
client challenge.
o Stefan Metzmacher <metze at samba.org>
* BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
challenges in netlogon_creds_server_init()
"server require schannel:WORKSTATION$ = no".
#######################################
Reporting bugs & Development Discussion
#######################################
Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.
If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored. All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).
======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================
===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded
from:
https://download.samba.org/pub/samba/stable/
The release notes are available online at:
https://www.samba.org/samba/history/samba-4.12.7.html
https://www.samba.org/samba/history/samba-4.11.13.html
https://www.samba.org/samba/history/samba-4.10.18.html
Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)
--Enjoy
The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL:
<http://lists.samba.org/pipermail/samba-announce/attachments/20200918/63ded941/signature.sig>
vincent at cojot.name
2020-Sep-18 17:38 UTC
[Samba] Samba 4.12.7, 4.11.13 and 4.10.18 rpms for RHEL7.
Hi everyone, I've posted RHEL7 RPMS/SRPMS here: https://nova.polymtl.ca/~coyote/dist/samba/samba-4.10.18/ https://nova.polymtl.ca/~coyote/dist/samba/samba-4.11.13/ https://nova.polymtl.ca/~coyote/dist/samba/samba-4.12.7/ It's still uploading at the moment so it might be a couple hours before these show up in full. Regards, Vincent S. Cojot On Fri, 18 Sep 2020, Karolin Seeger via samba wrote:> Release Announcements > --------------------- > > These are security releases in order to address the following defect: > > o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon"). > > The following applies to Samba used as domain controller only (most > seriously the Active Directory DC, but also the classic/NT4-style DC). > > Installations running Samba as a file server only are not directly > affected by this flaw, though they may need configuration changes to > continue to talk to domain controllers (see "file servers and domain > members" below). > > The netlogon protocol contains a flaw that allows an authentication > bypass. This was reported and patched by Microsoft as CVE-2020-1472. > Since the bug is a protocol level flaw, and Samba implements the > protocol, Samba is also vulnerable. > > However, since version 4.8 (released in March 2018), the default > behaviour of Samba has been to insist on a secure netlogon channel, > which is a sufficient fix against the known exploits. This default is > equivalent to having 'server schannel = yes' in the smb.conf. > > Therefore versions 4.8 and above are not vulnerable unless they have > the smb.conf lines 'server schannel = no' or 'server schannel = auto'. > > Samba versions 4.7 and below are vulnerable unless they have 'server > schannel = yes' in the smb.conf. > > Note each domain controller needs the correct settings in its smb.conf. > > Vendors supporting Samba 4.7 and below are advised to patch their > installations and packages to add this line to the [global] section if > their smb.conf file. > > The 'server schannel = yes' smb.conf line is equivalent to Microsoft's > 'FullSecureChannelProtection=1' registry key, the introduction of > which we understand forms the core of Microsoft's fix. > > Some domains employ third-party software that will not work with a > 'server schannel = yes'. For these cases patches are available that > allow specific machines to use insecure netlogon. For example, the > following smb.conf: > > server schannel = yes > server require schannel:triceratops$ = no > server require schannel:greywacke$ = no > > will allow only "triceratops$" and "greywacke$" to avoid schannel. > > More details can be found here: > https://www.samba.org/samba/security/CVE-2020-1472.html > > > Changes: > -------- > > o Jeremy Allison <jra at samba.org> > * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect > netr_ServerPasswordSet2 against unencrypted passwords. > > o G?nther Deschner <gd at samba.org> > * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support > "server require schannel:WORKSTATION$ = no" about unsecure configurations. > > o Gary Lockyer <gary at catalyst.net.nz> > * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in > client challenge. > > o Stefan Metzmacher <metze at samba.org> > * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client > challenges in netlogon_creds_server_init() > "server require schannel:WORKSTATION$ = no". > > > ####################################### > Reporting bugs & Development Discussion > ####################################### > > Please discuss this release on the samba-technical mailing list or by > joining the #samba-technical IRC channel on irc.freenode.net. > > If you do report problems then please try to send high quality > feedback. If you don't provide vital information to help us track down > the problem then you will probably be ignored. All bug reports should > be filed under the Samba 4.1 and newer product in the project's Bugzilla > database (https://bugzilla.samba.org/). > > > =====================================================================> == Our Code, Our Bugs, Our Responsibility. > == The Samba Team > =====================================================================> > > > ===============> Download Details > ===============> > The uncompressed tarballs and patch files have been signed > using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded > from: > > https://download.samba.org/pub/samba/stable/ > > The release notes are available online at: > > https://www.samba.org/samba/history/samba-4.12.7.html > https://www.samba.org/samba/history/samba-4.11.13.html > https://www.samba.org/samba/history/samba-4.10.18.html > > Our Code, Our Bugs, Our Responsibility. > (https://bugzilla.samba.org/) > > --Enjoy > The Samba Team >
Possibly Parallel Threads
- [Announce] Samba 4.12.7, 4.11.13 and 4.10.18 Security Releases Available
- [Announce] Samba 4.13.0rc6 Available for Download
- [Announce] Samba 4.13.0rc6 Available for Download
- [Announce] Samba 4.13.0 Available for Download
- [Announce] Samba 4.13.0 Available for Download