me at tdiehl.org
2020-Sep-15 23:33 UTC
[Samba] Does CVE-2020-1472 impact samba AD domains?
Hi,

I saw
https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/
and
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
today and I am wondering what impact, if any, this has on Samba AD domains in
particular and Samba in general?

Is Samba using the "vulnerable Netlogon secure channel connection"? Will Samba
continue to work in mixed Windows AD DCs and Samba AD DCs after the second
release that is planned for Q1 2021 by MS?

Regards,

-- 
Tom me at tdiehl.org
banda bassotti
2020-Sep-16 04:13 UTC

Yes

  $ ./zerologon_tester.py ap42 192.168.1.2
  Performing authentication attempts...
  ======================================================================== [...]
  Success! DC can be fully compromised by a Zerologon attack.

  $ dpkg -l samba\*|grep ^i
  ii  samba                     2:4.11.12+dfsg-0.1bionic1  amd64  SMB/CIFS file, print, and login server for Unix
  ii  samba-common              2:4.11.12+dfsg-0.1bionic1  all    common files used by both the Samba server and client
  ii  samba-common-bin          2:4.11.12+dfsg-0.1bionic1  amd64  Samba common files used by both the server and the client
  ii  samba-dsdb-modules:amd64  2:4.11.12+dfsg-0.1bionic1  amd64  Samba Directory Services Database
  ii  samba-libs:amd64          2:4.11.12+dfsg-0.1bionic1  amd64  Samba core libraries
  ii  samba-vfs-modules:amd64   2:4.11.12+dfsg-0.1bionic1  amd64  Samba Virtual FileSystem plugins

On Wed 16 Sep 2020 at 01:33 Tom Diehl via samba <samba at lists.samba.org> wrote:
> I saw
> https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/
> and
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
> today and I am wondering what impact if any this has on samba AD domains in
> particular and samba in general?
>
> Is samba using the "vulnerable Netlogon secure channel connection"? Will samba
> continue to work in mixed windows AD DCs and samba AD DCs after the second
> release that is planned for Q1 2021 by MS?
Andrew Bartlett

Do note that to exploit this, per the public description of the issue, you
must be able to access ServerPasswordSet2, which is restricted to sessions
encrypted and SIGNED (this matters, the crypto is the problem). This is
enforced by the default of 'require schannel = yes' since Samba 4.8.

Users who have changed this default are hereby warned that Samba implements
the AES netlogon protocol faithfully and so falls to the same fault in the
cryptosystem design.

Andrew Bartlett

On Wed, 2020-09-16 at 06:13 +0200, banda bassotti via samba wrote:
> Yes
>
> $ ./zerologon_tester.py ap42 192.168.1.2
> Performing authentication attempts...
> ======================================================================== [...]
> Success! DC can be fully compromised by a Zerologon attack.
>
> $ dpkg -l samba\*|grep ^i
> ii samba 2:4.11.12+dfsg-0.1bionic1 amd64 SMB/CIFS file, print, and login server for Unix
> [...]

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Development and Support, Catalyst IT - Expert Open Source Solutions
https://catalyst.net.nz/services/samba
Andrew Bartlett

On Tue, 2020-09-15 at 19:33 -0400, Tom Diehl via samba wrote:
> Hi,
>
> I saw
> https://blog.rapid7.com/2020/09/14/cve-2020-1472-zerologon-critical-privilege-escalation/
> and
> https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
> today and I am wondering what impact if any this has on samba AD
> domains in particular and samba in general?

We expect it would be catastrophic for domains, such as those running
Samba 4.7 and earlier, that have 'server schannel = auto'.

I've not run a full exploit against Samba, but spent this afternoon in
the code and can't find any mitigating factors so far. :-(

> Is samba using the "vulnerable Netlogon secure channel connection"?
> Will samba continue to work in mixed windows AD DCs and samba AD DCs
> after the second release that is planned for Q1 2021 by MS?

Samba has used, and since Samba 4.8 enforced by default, RPC level
protection for the "Netlogon secure channel". We call this schannel and
the default is 'server schannel = yes'.

We didn't have any particular insight, but after the big push around
'badlock' we required session-level integrity on all our connections by
default, which has saved some drama here.

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
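The practical check that follows from Andrew's answer is whether 'server schannel' is 'yes' on every DC, remembering that an absent parameter means 'auto' before 4.8 and 'yes' from 4.8 on. The Go program below is an added example for this page, not Samba code: it parses the [global] section of an smb.conf with the same case- and whitespace-insensitive parameter matching Samba itself uses, applies the version-dependent default, and classifies the result. The two embedded configs are constructed for the example and the AP42 workgroup name is made up.

```go
package main

import (
	"bufio"
	"fmt"
	"strings"
)

// Verdict summarises whether the Netlogon secure channel is enforced.
type Verdict int

const (
	Enforced    Verdict = iota // server schannel = yes
	NotEnforced                // server schannel = auto: the client may opt out
	Disabled                   // server schannel = no
)

func (v Verdict) String() string {
	return [...]string{"enforced", "not enforced (auto)", "disabled"}[v]
}

// normaliseParam mirrors Samba's treatment of parameter names: case is
// ignored and whitespace is dropped, so "Server Schannel" and "serverschannel"
// name the same parameter.
func normaliseParam(name string) string {
	return strings.ToLower(strings.Join(strings.Fields(name), ""))
}

// GlobalParams parses the [global] section of an smb.conf and returns its
// parameters keyed by normalised name. Only the syntax needed here is handled:
// [section] headers, "key = value" lines, and # or ; comment lines.
func GlobalParams(conf string) map[string]string {
	params := map[string]string{}
	inGlobal := false
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") || strings.HasPrefix(line, ";") {
			continue
		}
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inGlobal = strings.EqualFold(strings.TrimSpace(line[1:len(line)-1]), "global")
			continue
		}
		if !inGlobal {
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if len(kv) != 2 {
			continue
		}
		params[normaliseParam(kv[0])] = strings.TrimSpace(kv[1])
	}
	return params
}

// SchannelVerdict evaluates "server schannel" for a DC running Samba
// major.minor. When the parameter is absent the built-in default applies:
// "auto" before 4.8 and "yes" from 4.8 on, as stated in the thread above.
func SchannelVerdict(conf string, major, minor int) (Verdict, error) {
	value, explicit := GlobalParams(conf)["serverschannel"]
	if !explicit {
		if major > 4 || (major == 4 && minor >= 8) {
			value = "yes"
		} else {
			value = "auto"
		}
	}
	switch strings.ToLower(value) {
	case "yes", "true", "1":
		return Enforced, nil
	case "auto":
		return NotEnforced, nil
	case "no", "false", "0":
		return Disabled, nil
	}
	return NotEnforced, fmt.Errorf("unrecognised value %q for server schannel", value)
}

func main() {
	// Constructed example configs, not taken from any real deployment.
	weak := "[global]\n\tworkgroup = AP42\n\tserver role = active directory domain controller\n\tserver schannel = auto\n"
	hardened := "[global]\n\tworkgroup = AP42\n\tserver role = active directory domain controller\n\tserver schannel = yes\n"
	for _, c := range []struct{ name, conf string }{{"weak", weak}, {"hardened", hardened}} {
		v, err := SchannelVerdict(c.conf, 4, 11)
		if err != nil {
			fmt.Printf("%-9s %v\n", c.name, err)
			continue
		}
		fmt.Printf("%-9s server schannel: %v\n", c.name, v)
	}
}
```

On a running DC the effective value, defaults included, can be read with testparm -sv | grep -i 'server schannel' rather than by parsing the file, which also catches includes and values set outside the main smb.conf.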
MJ

Hi,

On 9/16/20 10:13 AM, Andrew Bartlett via samba wrote:
> We expect it would be catastrophic for domains, such as those running
> Samba 4.7 and earlier, that have 'server schannel = auto'.
>
> I've not run a full exploit against Samba, but spent this afternoon in
> the code and can't find any mitigating factors so far. :-(

So, we confirmed to be running
  schannel = Yes
everywhere.

Is there anything else we can do..? Is there an equivalent for samba, for
EventID 5829 on windows DCs?

MJ