Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 743433 (CVE-2020-1472) - <net-fs/samba-4.11.13: Unauthenticated domain takeover via netlogon ("ZeroLogon") (CVE-2020-1472)
Summary: <net-fs/samba-4.11.13: Unauthenticated domain takeover via netlogon ("ZeroLog...
Status: RESOLVED FIXED
Alias: CVE-2020-1472
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: https://www.samba.org/samba/security/...
Whiteboard: C3 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-09-19 02:07 UTC by Sam James
Modified: 2020-12-24 14:20 UTC (History)
1 user (show)

See Also:
Package list:
net-fs/samba-4.11.13-r1
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester gentoo-dev Security 2020-09-19 02:07:17 UTC
From URL:
"The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).

Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "file servers and domain
members" below).

The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.

However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.

Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.

Note each domain controller needs the correct settings in its smb.conf.

Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section if
their smb.conf file.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.

Consequences
============

[...]

The krbtgt password allows the attacker to issue a 'golden ticket' to
themselves and return to take over the domain at any point in the
future.

Other consequences includes disclosure of session keys, as well as
general denial of service to the trust account selected.

[...]

Exploitability of Samba despite 'server schannel = yes'
=======================================================

The published proof of concept exploit for this issue only attempts to
authenticate to the NetLogon service but does not attempt a takeover of
the domain.

On domains with 'server schannel = yes', these tests claim to show a
vulnerability against Samba despite being unable to access any
privileged functionality.

This Samba release adds additional server checks for the protocol
attack in the client-specified challenge that provides some protection
when 'server schannel = no/auto' and avoids this false-positive
result.

These server checks are identical to the server logic added by
Microsoft for their patch for the Windows server code for
CVE-2020-1472. The Samba Team would like to thank Microsoft for their
disclosure of the method used to prevent the proof of concept exploit
code from working against such a hardened server."

[Snippets taken].
Comment 1 Sam James archtester gentoo-dev Security 2020-09-19 02:10:18 UTC
Please bump to 4.10.18, 4.11.13, and 4.12.7. 4.13.0_rc6 is also out, but 4.13 does not yet have keywords in Gentoo.
Comment 2 Larry the Git Cow gentoo-dev 2020-09-23 08:01:47 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=308c7877323618ba61ca09ed8ea6683d66198ebd

commit 308c7877323618ba61ca09ed8ea6683d66198ebd
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-09-23 07:31:23 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-09-23 08:01:44 +0000

    net-fs/samba: Security bump to versions 4.11.13, 4.12.7 and 4.13.0
    
    Bug: https://bugs.gentoo.org/743433
    Package-Manager: Portage-3.0.8, Repoman-3.0.1
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-fs/samba/Manifest                              |   4 +-
 net-fs/samba/samba-4.11.13.ebuild                  | 321 +++++++++++++++++++++
 net-fs/samba/samba-4.12.7.ebuild                   | 319 ++++++++++++++++++++
 ...samba-4.13.0_rc5.ebuild => samba-4.13.0.ebuild} |   2 +-
 4 files changed, 644 insertions(+), 2 deletions(-)
Comment 3 Agostino Sarubbo gentoo-dev 2020-09-24 06:49:56 UTC
arm stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-09-24 06:52:13 UTC
ppc stable
Comment 5 Agostino Sarubbo gentoo-dev 2020-09-24 06:53:47 UTC
ppc64 stable
Comment 6 Agostino Sarubbo gentoo-dev 2020-09-24 06:55:30 UTC
sparc stable
Comment 7 Agostino Sarubbo gentoo-dev 2020-09-24 07:00:20 UTC
x86 stable
Comment 8 Sam James archtester gentoo-dev Security 2020-09-25 21:49:09 UTC
arm64 done
Comment 9 Agostino Sarubbo gentoo-dev 2020-10-09 08:31:11 UTC
amd64 stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 10 NATTkA bot gentoo-dev 2020-10-21 07:04:57 UTC
Unable to check for sanity:

> no match for package: net-fs/samba-4.11.13
Comment 11 Sam James archtester gentoo-dev Security 2020-10-21 17:06:30 UTC
Thanks.
Comment 12 Larry the Git Cow gentoo-dev 2020-10-23 12:08:41 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e976d174e083ec5b3d31b26c3df6aafb55a5beb6

commit e976d174e083ec5b3d31b26c3df6aafb55a5beb6
Author:     Lars Wendler <polynomial-c@gentoo.org>
AuthorDate: 2020-10-23 11:54:46 +0000
Commit:     Lars Wendler <polynomial-c@gentoo.org>
CommitDate: 2020-10-23 12:08:35 +0000

    net-fs/samba: Security cleanup
    
    Bug: https://bugs.gentoo.org/743433
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Lars Wendler <polynomial-c@gentoo.org>

 net-fs/samba/Manifest                |   1 -
 net-fs/samba/samba-4.11.11-r1.ebuild | 321 -----------------------------------
 net-fs/samba/samba-4.12.6-r1.ebuild  | 319 ----------------------------------
 3 files changed, 641 deletions(-)
Comment 13 Thomas Deutschmann gentoo-dev Security 2020-12-23 17:12:26 UTC
New GLSA request filed.
Comment 14 GLSAMaker/CVETool Bot gentoo-dev 2020-12-24 14:20:04 UTC
This issue was resolved and addressed in
 GLSA 202012-24 at https://security.gentoo.org/glsa/202012-24
by GLSA coordinator Thomas Deutschmann (whissi).