Zerologon: Samba Netlogon Elevation of Privilege Vulnerability (CVE-2020-1472)

Updated -

Red Hat is responding to a vulnerability (CVE-2020-1472) in the Microsoft Netlogon service. Netlogon service is an authentication mechanism used in the Windows Client Authentication Architecture which verifies logon requests, and it registers, authenticates, and locates domain controllers. The netlogon service, as part of the domain controller functionality, implements Microsoft Netlogon Remote Protocol.

The implementation of netlogon protocol contains a flaw that allows an authentication bypass. This was reported and mitigated by Microsoft as CVE-2020-1472. Since the flaw is a protocol level flaw, and Samba implements the protocol, Samba is also vulnerable.

Background

The Microsoft Windows Netlogon Remote Protocol (MS-NRPC) reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and potentially obtain domain administrator privileges.

In Windows environments, only the domain controller runs the netlogon service accessible by clients. This applies to Samba when it is used as a domain controller. Samba Domain Controller role is implemented in both Active Directory mode and also the classic/NT4-style mode. The RHEL version of the Samba package only provides classic/NT4-style domain controllers.

An unauthenticated attacker with network access to a domain controller can impersonate any domain-joined computer, including a domain controller. The attack can result in a denial of service and potentially allow an attacker to gain domain administrator privileges.
To protect against the attack described in CVE-2020-1472, an authenticated connection to netlogon service must be used. Such a requirement is known as a secure channel establishment between domain members and domain controllers, commonly referred to as ‘schannel’. Schannel setup prevents unauthenticated access to netlogon service and thus mitigates any attack vector described in CVE-2020-1472.

Affected Versions

The Samba suite supports secure channel establishment between domain members and domain controllers. However, default behavior for server schannel prior to Samba 4.8 was to automatically negotiate secure channel only if a client supports it. Since version 4.8, the default behaviour of Samba has been to insist on a secure channel for all clients, which is a sufficient fix against the known exploits of CVE-2020-1472 attack. This default is equivalent to having 'server schannel = yes' in the smb.conf.

Requiring a secure channel might break some old applications which originate from pre-Active Directory time (NT4 domains). Due to this, Microsoft’s mitigation for CVE-2020-1472 does not immediately disable unauthenticated access to netlogon service. Red Hat is not aware of any specific applications that require use of an unauthenticated channel to netlogon service. All Samba components in all Red Hat Enterprise Linux (RHEL) versions do support operating with schannel established, and will continue to work when future updates from Microsoft will disable unauthenticated channel support altogether.

Red Hat Enterprise Linux 6

Default configurations of the samba and samba4 packages shipped with Red Hat Enterprise Linux 6 are vulnerable as they do not enforce secure channel establishment for all client connections to the netlogon service. The vulnerability can be mitigated by following the instructions mentioned in the “Mitigation” section.

Red Hat Enterprise Linux 7 and 8

Default configurations of the samba packages shipped with Red Hat Gluster Storage 3, and Red Hat Enterprise Linux 7 and 8 are not vulnerable by default. They enforce secure channel establishment for all client connections to the netlogon service. If Samba configuration, smb.conf, changed to explicitly state 'server schannel = no' or 'server schannel = auto', such a setup would be vulnerable.

File servers and domain members

File servers and domain members (using any supported version of samba shipped with Red Hat Enterprise Linux) do not run the netlogin service and only need to ensure that they have not set 'client schannel = no' for continued operation against secured DCs such as Samba 4.8 and later and Windows DCs in 2021.

Mitigation

Users of Samba shipped with Red Hat Enterprise Linux 6, if being used as a samba domain controller server or a standalone server, should set

server schannel = yes

in the [global] section of their smb.conf and restart Samba on all domain controllers.

For users of samba shipped with Red Hat Enterprise Linux 7 and 8, and Gluster Storage 3, no mitigation is required, but they should ensure that [global] section of their smb.conf either:

  • has the "server schannel = yes" line, or
  • has no "server schannel" line.

In order to verify that Samba configuration is running in domain controller or standalone mode and what “server schannel” setting is used, a “testparm” utility should be used.

“Testparm” utility parses the Samba configuration, regardless of a method to store it, and provides a combined view of the configuration with default values applied:

# testparm -v -s|grep schannel
Load smb config files from /etc/samba/smb.conf
Loaded services file OK.
Server role: ROLE_DOMAIN_PDC

    client schannel = Yes
    server schannel = Yes

If the server role is either ROLE_DOMAIN_PDC or ROLE_DOMAIN_BDC, ensure the “server schannel” parameter is set to “yes” to ensure that the secure channel is always established.

Resolution

The hardening changes done in upstream Samba for 4.13/4.12/4.11 releases only close the false positive cases with some of the tools that attempt to exploit the issue while 'server schannel = yes' is defined.

Therefore the only resolution for this flaw is to apply the mitigation described in the mitigation section above. No hardening fixes discussed above will be backported to the currently supported RHEL releases, future releases which are based on rebases from upstream may have them.

References