Posted in: Red Hat Enterprise Linux
A flaw was found in the Microsoft Windows Netlogon Remote Protocol (MS-NRPC), where it reuses a known, static, zero-value initialization vector (IV) in AES-CFB8 mode. This flaw allows an unauthenticated attacker to impersonate a domain-joined computer, including a domain controller, and possibly obtain domain administrator privileges. The highest threat from this vulnerability is to confidentiality, integrity, as well as system availability.
As per upstream, Samba domain controllers (AD and NT4-like) can be impacted by ZeroLogon (CVE-2020-1472). Samba packages shipped with Red Hat Gluster Storage 3, Red Hat Enterprise Linux 7 and 8 are not vulnerable by default, since they have "server schannel" enabled by default in their configuration file.
This flaw can be mitigated by using "server schannel = yes" in the smb.conf configuration file.
End of excerpt from https://access.redhat.com/security/cve/CVE-2020-1472
Original post follows:
Yes, this affects CIFS aka Samba for Linux, even though this is actually a Windows vulnerability. Microsoft link here. Namely, it applies to Linux when the proposed patch(es) below are installed on a domain controller and you want your CIFS/Samba to work. The key is to make CIFS/Samba communicate securely using NETLOGON when the patch is issued/installed in February 2021.
There's a pretty bad privilege vulnerability for Windows for NETLOGON that Microsoft is dealing with.
First of all, this will affect Linux CIFS aka Samba, even though this is a Microsoft vulnerability.
- Those who would be most affected are those who serve Linux/UNIX CIFS/Samba to Windows clients through a Windows domain.
While this is a Microsoft vulnerability, this affects Samba/CIFS clients, namely when Microsoft issues a patch in February 2021.
Event ID 5829 triggers whenever a vulnerable Netlogon secure channel connection is allowed in the timeframe between applying the August 11th, 2020 cumulative update and applying the February 9th, 2021 cumulative update.
Microsoft is addressing the vulnerability in a phased two-part rollout. The August 11th, 2020 update and the February 9th, 2021 update address the CVE-2020-1472 vulnerability by modifying how Netlogon handles the usage of Netlogon secure channels.
More info on the CVE
- Microsoft CVE-2020-1472
- Microsoft Enforcement Phase, Feb 2021: logging of Event ID 5829 will be removed. Since all vulnerable connections are denied, you will now only see event IDs 5827 and 5828 in the System event log.
- Secura white-paper pdf with more detail than above link: https://www.secura.com/pathtoimg.php?id=2055
- Microsoft’s docs on netlogon (navigate from left window pane at that link):
I personally have no details at this time on a resolution for CIFS/Samba as it relates to the Microsoft mandatory push in February 2021, but am posting it here for the community. I'll post back if we have something relevant to share.
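The Red Hat excerpt at the top of this thread says the root cause is a static all-zero IV in AES-CFB8. The following Go program is an added example (not Samba's, Microsoft's or Red Hat's code, and not the Netlogon RPC exchange) that shows the property this creates: in CFB8 with a zero IV, whenever the first byte of AES_k(0^16) happens to be 0x00 (one key in 256), an all-zero 8-byte challenge encrypts to an all-zero credential, because each zero ciphertext byte leaves the shift register all zero and the same block encryption repeats. The function names, the counter-derived test keys and the non-zero IV used for comparison are constructed for this example; the real Netlogon session key is derived from the machine password and the challenges.

```go
package main

import (
	"crypto/aes"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// ZeroIV is the fixed all-zero IV the flawed ComputeNetlogonCredential uses.
var ZeroIV = make([]byte, aes.BlockSize)

// CFB8Encrypt is AES in 8-bit cipher feedback mode: each plaintext byte is XORed
// with the first byte of AES_k(register); the register then shifts left by one
// byte and the new ciphertext byte enters at the right.
func CFB8Encrypt(key, iv, plaintext []byte) ([]byte, error) {
	return cfb8(key, iv, plaintext, true)
}

// CFB8Decrypt is the inverse; the register is fed the ciphertext bytes received.
func CFB8Decrypt(key, iv, ciphertext []byte) ([]byte, error) {
	return cfb8(key, iv, ciphertext, false)
}

func cfb8(key, iv, in []byte, encrypt bool) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	if len(iv) != aes.BlockSize {
		return nil, errors.New("iv must be exactly one AES block")
	}
	reg := append([]byte(nil), iv...)
	ks := make([]byte, aes.BlockSize)
	out := make([]byte, len(in))
	for i, b := range in {
		block.Encrypt(ks, reg)
		out[i] = b ^ ks[0]
		fed := out[i] // encryption feeds back the ciphertext it produced
		if !encrypt {
			fed = b // decryption feeds back the ciphertext it was given
		}
		copy(reg, reg[1:]) // Go's copy handles the overlap
		reg[aes.BlockSize-1] = fed
	}
	return out, nil
}

// DeriveTestKey makes a deterministic 128-bit key from a counter (constructed
// stand-in for a fresh Netlogon session key on each authentication attempt).
func DeriveTestKey(n uint64) []byte {
	var buf [8]byte
	binary.BigEndian.PutUint64(buf[:], n)
	sum := sha256.Sum256(buf[:])
	return sum[:16]
}

// FirstKeystreamByteIsZero reports whether AES_k(0^16)[0] == 0x00.
func FirstKeystreamByteIsZero(key []byte) (bool, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return false, err
	}
	ks := make([]byte, aes.BlockSize)
	block.Encrypt(ks, ZeroIV)
	return ks[0] == 0, nil
}

// ZeroOutputForZeroInput reports whether an all-zero 8-byte challenge encrypts
// to an all-zero 8-byte credential under the zero IV. This holds exactly when
// FirstKeystreamByteIsZero does, since a zero ciphertext byte keeps the register zero.
func ZeroOutputForZeroInput(key []byte) (bool, error) {
	ct, err := CFB8Encrypt(key, ZeroIV, make([]byte, 8))
	if err != nil {
		return false, err
	}
	for _, b := range ct {
		if b != 0 {
			return false, nil
		}
	}
	return true, nil
}

// EstimateZeroCredentialRate counts, over n derived keys, how many turn the zero
// challenge into a zero credential; for a random key this is about n/256.
func EstimateZeroCredentialRate(n int) (int, error) {
	hits := 0
	for i := 0; i < n; i++ {
		z, err := ZeroOutputForZeroInput(DeriveTestKey(uint64(i)))
		if err != nil {
			return 0, err
		}
		if z {
			hits++
		}
	}
	return hits, nil
}

func main() {
	const trials = 20000
	hits, err := EstimateZeroCredentialRate(trials)
	if err != nil {
		panic(err)
	}
	fmt.Printf("zero IV: %d of %d keys map a zero challenge to a zero credential (expect ~%d)\n",
		hits, trials, trials/256)
	// For the first such key, the same input under a constructed non-zero IV no
	// longer collapses, because the register does not stay all zero.
	for i := uint64(0); ; i++ {
		key := DeriveTestKey(i)
		if z, _ := ZeroOutputForZeroInput(key); z {
			iv := []byte{1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16}
			ct, _ := CFB8Encrypt(key, iv, make([]byte, 8))
			fmt.Printf("key #%d: zero IV -> %x, non-zero IV -> %x\n", i, make([]byte, 8), ct)
			return
		}
	}
}
```

The mode itself is unchanged by the fixes discussed above; what "server schannel = yes" on Samba and Microsoft's enforcement phase do is refuse the insecure Netlogon secure-channel connections an attacker would need in order to retry until one of these roughly one-in-256 keys turns up.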