The following applies to Samba used as a domain controller only (both as a classic/NT4-style and as an Active Directory DC).

Samba users have reported that the exploit for "Zerologon" passes against Samba. Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'. Users who have changed this default are hereby warned that Samba implements the AES netlogon protocol faithfully and so falls to the same fault in the cryptosystem design.

Vendors supporting Samba 4.7 and below should patch their installations and packages to change this default, as values of:

- server schannel = no
- server schannel = auto

are NOT secure and we expect can result in full domain compromise, particularly for AD domains.

Some public exploit tests, such as https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py, only confirm that a ServerAuthenticate3 call operates, but not that the ServerPasswordSet2 call required to exploit the domain also operates. We are well aware of administrator concern and are looking to provide patches that provide mitigation here, to make the ServerAuthenticate3 call also fail.

We, like Microsoft, suggest that 'server schannel = yes' must be set for secure operation. This is our equivalent to Microsoft's FullSecureChannelProtection=1 registry key, with the difference that it's already enabled by default in all Samba major versions released in the last three years.

Finally, we would note that Samba's audit logging will record ServerAuthenticate3 and ServerPasswordSet calls including the source IP; details will be provided later on the options to enable.

There seems to be some legacy software which still requires "server schannel = auto".
See the following bugs:

- https://bugzilla.samba.org/show_bug.cgi?id=11892
- https://bugzilla.samba.org/show_bug.cgi?id=13464
- https://bugzilla.samba.org/show_bug.cgi?id=13949

We'll add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts. Our progress can be monitored via this bug:

- https://bugzilla.samba.org/show_bug.cgi?id=14497

-- 
Karolin Seeger https://samba.org/~kseeger/
Release Manager Samba Team https://samba.org
Team Lead Samba SerNet https://sernet.de
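As an added example (this is not Samba's code and not part of the message above), here is a small Python check that parses an smb.conf offline and reports whether the effective 'server schannel' value is the secure 'yes' or one of the insecure 'no'/'auto' values the message warns about. It assumes that Samba compares parameter names ignoring case and whitespace, that the pre-4.8 default was 'auto' (the message only states that 4.8 made 'yes' the default), and it uses constructed sample configurations rather than any real deployment's file.

```python
"""Offline check of an smb.conf for the 'server schannel' setting.

Added example, not Samba's own code. Assumptions (labelled in comments):
Samba ignores case and whitespace in parameter names; the default of
'server schannel' is 'yes' from 4.8 onward (stated in the message) and
'auto' in earlier releases (assumption); boolean spellings accepted are
yes/true/1/on and no/false/0/off.
"""
import re

# 'server schannel = yes' became the default in Samba 4.8 (from the message).
SECURE_DEFAULT_SINCE = (4, 8)

_TRUE = {"yes", "true", "1", "on"}
_FALSE = {"no", "false", "0", "off"}


def _norm_name(name: str) -> str:
    # Samba compares parameter names ignoring case and whitespace (assumption).
    return re.sub(r"\s+", "", name).lower()


def parse_global(smb_conf: str) -> dict:
    """Return the parameters of the [global] section with normalised names.

    Handles ';' and '#' comment lines, blank lines and backslash line
    continuations; a later duplicate overrides an earlier one.
    """
    params = {}
    section = None
    pending = []
    for raw in smb_conf.splitlines():
        # Join continuation lines before interpreting them.
        if raw.rstrip().endswith("\\"):
            pending.append(raw.rstrip()[:-1])
            continue
        pending.append(raw)
        line = "".join(pending).strip()
        pending = []
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm_name(line[1:-1])
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        params[_norm_name(name)] = value.strip()
    return params


def schannel_setting(smb_conf: str, samba_version: tuple) -> str:
    """Effective 'server schannel' value: 'yes', 'no' or 'auto'."""
    value = parse_global(smb_conf).get("serverschannel")
    if value is None:
        # Unset: fall back to the release default (pre-4.8 'auto' is an assumption).
        return "yes" if samba_version >= SECURE_DEFAULT_SINCE else "auto"
    v = value.lower()
    if v in _TRUE:
        return "yes"
    if v in _FALSE:
        return "no"
    if v == "auto":
        return "auto"
    raise ValueError(f"unrecognised 'server schannel' value: {value!r}")


def is_zerologon_hardened(smb_conf: str, samba_version: tuple) -> bool:
    """True only for the effective value 'yes'; 'no' and 'auto' are insecure."""
    return schannel_setting(smb_conf, samba_version) == "yes"


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    # relaxed for some legacy client: this is one of the insecure values
    server schannel = auto
"""

HARDENED_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    Server SChannel = yes
"""

UNSET_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
"""

if __name__ == "__main__":
    for label, conf, ver in (("weak", WEAK_CONF, (4, 12)),
                             ("hardened", HARDENED_CONF, (4, 12)),
                             ("unset on 4.7", UNSET_CONF, (4, 7))):
        print(f"{label}: server schannel = {schannel_setting(conf, ver)}, "
              f"hardened = {is_zerologon_hardened(conf, ver)}")
```

Feeding the script the output of `testparm -sv` rather than the raw file resolves include directives and prints defaulted parameters explicitly, so the version-based fallback is only needed when checking a bare smb.conf.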
Hello! Karolin Seeger via samba, on that day, said:

> (Both as classic/NT4-style and Active Directory DC.)

I've searched for some info on the impact of this bug on NT domains, finding nothing on the net.

OK, NT domains are dead, I know, but... I seek some feedback.

Thanks.

-- 
dott. Marco Gaiarin GNUPG Key ID: 240A3D66
Associazione ``La Nostra Famiglia'' http://www.lanostrafamiglia.it/
Polo FVG - Via della Bontà, 7 - 33078 - San Vito al Tagliamento (PN)
marco.gaiarin(at)lanostrafamiglia.it t +39-0434-842711 f +39-0434-842797
Donate your 5 PER MILLE to LA NOSTRA FAMIGLIA! http://www.lanostrafamiglia.it/index.php/it/sostienici/5x1000 (tax code 00307430132, category ONLUS or RICERCA SANITARIA)
On Fri, 2020-09-18 at 15:39 +0200, Marco Gaiarin via samba wrote:
> Hello! Karolin Seeger via samba, on that day, said:
>
> > (Both as classic/NT4-style and Active Directory DC.)
>
> I've searched for some info on the impact of this bug on NT domains, finding
> nothing on the net.
>
> OK, NT domains are dead, I know, but... I seek some feedback.

On real NT4 domains? The particular crypto here was a Windows 2000 thing. NT4 used 2DES and RC4, which was actually secure for the purpose it was used for.

On Samba NT4-like domains, see the advisory and read source3/rpc_server/netlogon/srv_netlogon_nt.c for context.

If you don't have any trusted domains then the big thing is an attacker being able to remove a member server from the domain, or get session keys (assisting a takeover 'MITM attack' of an existing session).

Just set 'server schannel = yes' and you will be fine, but better to already be running a supported version where this is already the default.

Andrew Bartlett

-- 
Andrew Bartlett https://samba.org/~abartlet/
Authentication Developer, Samba Team https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba