[UNVERIFIED POSSIBLE FIX] Linux CIFS/Samba and Microsoft CVE-2020-1472 response to insecure NETLOGON

UPDATED 9/17/2020

Excerpt from https://access.redhat.com/security/cve/CVE-2020-1472


A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.


As per upstream, Samba domain controllers (AD and NT4-like) can be impacted by the ZeroLogon CVE-2020-1472. Samba packages shipped with Red Hat Gluster Storage 3, Red Hat Enterprise Linux 7 and 8 are not vulnerable by default, since they have "server schannel" enabled by default in their configuration file.


This flaw can be mitigated by using "server schannel = yes" in the smb.conf configuration file.

End Excerpt from https://access.redhat.com/security/cve/CVE-2020-1472
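The Red Hat text above names one concrete setting to verify: "server schannel = yes" in the [global] section of smb.conf. The script below is an added example (not from the page, Red Hat or the Samba project) that reads an smb.conf-style file, reports the "server schannel" value the way Samba would resolve it (case-insensitive parameter name, [global] only, last assignment wins) and flags anything other than "yes" for review. The two sample configs it writes are constructed for the demonstration; the helper names `smb_server_schannel` and `smb_schannel_ok` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the page, Red Hat or the Samba project.
# Reports the "server schannel" value in the [global] section of an
# smb.conf-style file and flags anything other than "yes" for review.
# Parsing rules follow smb.conf conventions: sections in [brackets],
# "key = value" lines, lines starting with ';' or '#' are comments,
# parameter names are case-insensitive, and the last assignment wins.

# Print the normalised value: yes | no | auto | unset (or a raw unknown value)
smb_server_schannel() {
    awk '
        /^[[:space:]]*[#;]/ { next }               # comment line
        /^[[:space:]]*\[/ {                          # [section] header
            sec = tolower($0); gsub(/\[|\]|[[:space:]]/, "", sec); next
        }
        sec == "global" && tolower($0) ~ /^[[:space:]]*server[[:space:]]*schannel[[:space:]]*=/ {
            val = $0
            sub(/^[^=]*=[[:space:]]*/, "", val)      # drop "server schannel ="
            sub(/[[:space:]]+$/, "", val)            # drop trailing whitespace
            last = tolower(val)                      # last assignment wins
        }
        END {
            if (last == "") print "unset"
            else if (last == "yes" || last == "true" || last == "1") print "yes"
            else if (last == "no" || last == "false" || last == "0") print "no"
            else print last
        }
    ' "$1"
}

# Exit status 0 when the mitigation named in the Red Hat text is in place.
smb_schannel_ok() {
    [ "$(smb_server_schannel "$1")" = "yes" ]
}

# Constructed sample configs (not real deployments) to exercise the check.
WEAK_CONF=$(mktemp)
FIXED_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$FIXED_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   ; weak: anything other than "yes" leaves the mitigation out
   server schannel = auto
[homes]
   ; ignored by the check: not in [global]
   server schannel = yes
EOF

cat > "$FIXED_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   Server Schannel = Yes
EOF

for f in "$WEAK_CONF" "$FIXED_CONF"; do
    if smb_schannel_ok "$f"; then
        echo "$f: server schannel = yes (mitigation present)"
    else
        echo "$f: server schannel = $(smb_server_schannel "$f") (review: set to yes)"
    fi
done
```

When the parameter is absent the script reports "unset" rather than guessing, because the effective default depends on the Samba version in use; in that case check the value Samba actually resolves with `testparm -sv | grep -i 'server schannel'` on the host itself.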

Original post follows:

Yes, this affects CIFS aka Samba for Linux, even though this is actually a Windows vulnerability. Microsoft link here. Specifically, it applies to Linux when the proposed patches below are installed on a domain controller and you want your CIFS/Samba to keep working. The key is to make CIFS/Samba communicate securely using NETLOGON once the patch is issued and installed in February 2021.

There's a pretty bad privilege-escalation vulnerability in Windows NETLOGON that Microsoft is dealing with.

First of all, this will affect Linux CIFS aka Samba, even though this is a Microsoft vulnerability.
- Those most affected are those who serve Linux/UNIX CIFS/Samba to Windows clients through a Windows domain.
See https://dirteam.com/sander/2020/08/11/knowledgebase-you-experience-warnings-with-eventid-5829-on-domain-controllers/

While this is a Microsoft vulnerability, it affects Samba/CIFS clients, specifically once Microsoft issues the mandatory patch in February 2021.

EventID 5829 triggers whenever a vulnerable Netlogon secure channel connection is allowed in the timeframe between applying the August 11th, 2020 cumulative update and applying the February 9th, 2021 cumulative update.

Microsoft is addressing the vulnerability in a phased two-part rollout. The August 11th, 2020 update and the February 9th, 2021 update address the CVE-2020-1472 vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.

Additional References:

More info on the CVE

I personally have no details at this time on a resolution for CIFS/Samba as it relates to the Microsoft mandatory push in February 2021, but am posting it here for the community. I'll post back if we have something relevant to share.