As you're scrambling to patch the scary ZeroLogon hole in Windows Server, don't forget Samba – it's also affected
Domain controllers at risk of hijacking, depending on version and configuration
Administrators running Samba as their domain controllers should update their installations as the open-source software suffers from the same ZeroLogon hole as Microsoft's Windows Server.
An alert from the project has confirmed that its code, in certain configurations, is also vulnerable to the CVE-2020-1472 bug, which can be exploited to gain domain-level administrator access.
The vulnerability lies in the design of Microsoft's Netlogon Remote Protocol (MS-NRPC), which Samba inherited as it supports the technology.
According to the project's Andrew Bartlett and Douglas Bagnall, whether or not you're affected by the bug depends on your Samba version and settings. The default configuration in version 4.8 and higher protects against known exploits, we're told:
The netlogon protocol contains a flaw that allows an authentication bypass. This was reported and patched by Microsoft as CVE-2020-1472. Since the bug is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable.
However, since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having 'server schannel = yes' in the smb.conf.
Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines 'server schannel = no' or 'server schannel = auto'. Samba versions 4.7 and below are vulnerable unless they have 'server schannel = yes' in the smb.conf.
Note each domain controller needs the correct settings in its smb.conf.
We're told Samba running as an Active Directory or classic NT4-style domain controller is at risk, and although file-server-only installations are not directly affected, "they may need configuration changes to continue to talk to domain controllers."
"File servers and domain members do not run the netlogon service in supported Samba versions and only need to ensure that they have not set 'client schannel = no' for continued operation against secured DCs such as Samba 4.8 and later and Windows DCs in 2021," Bartlett and Bagnall added.
"Users running Samba as a file server should still patch to ensure the server-side mitigations (banning certain un-random values) do not very rarely impact service."
The hole is addressed in Samba 4.10.18, 4.11.13, and 4.12.7. Setting 'server schannel = yes' in the smb.conf file won't necessarily protect you entirely, though. We're told that, even in this case, there may still exist "a vulnerability against Samba despite being unable to access any privileged functionality." The safest option is to update and enable secure netlogon channels. If your applications won't work with schannel, workarounds are offered.
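The version-and-setting rules quoted above, turned into a small smb.conf audit script. This is an added example, not code from the Samba project or from this article; the sample configuration, hostnames and paths in it are constructed.

```python
import re

# Added example: encodes the rules from the Samba advisory quoted above.
#  - 4.8+ default to 'server schannel = yes'; only an explicit
#    'server schannel = no' or '= auto' in smb.conf exposes a DC.
#  - 4.7 and earlier are exposed unless 'server schannel = yes' is set.
#  - Domain members / file servers must not set 'client schannel = no'
#    or they stop working against secured DCs.

def parse_global(smb_conf: str) -> dict:
    """Return [global] parameters as a dict; Samba ignores case and
    whitespace in parameter names, so keys are normalised the same way."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank or comment line
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params

def version_tuple(version: str) -> tuple:
    """Major.minor of a Samba version string, e.g. '4.12.7' -> (4, 12)."""
    return tuple(int(p) for p in version.split(".")[:2])

def assess_dc(version: str, smb_conf: str) -> str:
    """Classify a Samba domain controller for CVE-2020-1472 exposure."""
    setting = parse_global(smb_conf).get("serverschannel")
    if version_tuple(version) >= (4, 8):
        return "vulnerable" if setting in ("no", "auto") else "protected"
    return "protected" if setting == "yes" else "vulnerable"

def member_needs_change(smb_conf: str) -> bool:
    """True if a file server / domain member has 'client schannel = no'."""
    return parse_global(smb_conf).get("clientschannel") == "no"

# Constructed sample smb.conf: a 4.12.7 DC whose operator relaxed schannel.
SAMPLE_DC_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; constructed: check relaxed for a legacy device
    server schannel = auto
[sysvol]
    path = /var/lib/samba/sysvol
"""

if __name__ == "__main__":
    print(assess_dc("4.12.7", SAMPLE_DC_CONF))   # vulnerable
```

Run it against each domain controller's smb.conf in turn, since the advisory notes that every DC needs the correct settings individually.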
The update comes amid growing calls for sysadmins to check and patch their systems against CVE-2020-1472 due to the public release of exploit code for the security hole, and growing likelihood of in-the-wild attacks. The bug was addressed in Windows Server as part of Microsoft's August Patch Tuesday bundle.
Last week, Uncle Sam's CISA took the rare step of issuing a hard deadline for federal organizations to patch their systems against the flaw, notifying IT bods they had until the end of September 21 to make sure their domain controllers were up-to-date.
"This attack has huge impact," the cyber-security agency warned. "It basically allows any attacker on the local network (such as a malicious insider or someone who simply plugged a device to an on-premise network port) to completely compromise the Windows domain." ®