
Samba Issues Patches for Zerologon Vulnerability

The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

Also referred to as Zerologon and tracked as CVE-2020-1472, the security issue was addressed on the August 2020 Patch Tuesday and can be triggered when an adversary connects to a domain controller using a vulnerable Netlogon secure channel connection.

An attacker can leverage a specially crafted application on a device connected to the network to exploit the vulnerability and gain domain administrator access.

On Friday, the DHS issued an Emergency Directive requiring all federal agencies to address the flaw within three days, deeming it an “unacceptable risk to the Federal Civilian Executive Branch.”

As it turns out, Windows Server wasn’t the only product impacted by the vulnerability. Samba, which allows users to easily share files between Linux and Windows systems, is impacted as well, as it relies on Netlogon.

With Zerologon being a protocol-level vulnerability and Samba implementing the Netlogon protocol, Samba is also vulnerable to the bug, but only when used as a domain controller. Active Directory DC installations are affected the most; the flaw has low impact on classic/NT4-style DCs.

“Since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having ‘server schannel = yes’ in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’,” the Samba team explains.

The vulnerability doesn’t directly impact installations where Samba runs as a file server only, as they do not run the Netlogon service. However, configuration changes are likely required to ensure they can continue to communicate with domain controllers, the team notes.

“Samba versions 4.7 and below are vulnerable unless they have ‘server schannel = yes’ in the smb.conf. […] The ‘server schannel = yes’ smb.conf line is equivalent to Microsoft’s ‘FullSecureChannelProtection=1’ registry key, the introduction of which we understand forms the core of Microsoft’s fix,” Samba says.
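The two Samba statements above amount to a simple audit rule for defenders: on 4.8 and newer, a domain controller is exposed only if smb.conf explicitly sets ‘server schannel = no’ or ‘auto’; on 4.7 and older, it is exposed unless smb.conf explicitly sets ‘server schannel = yes’; and a pure file server does not run the Netlogon service at all. The following Python checker is an added example written for this article, not code from SecurityWeek or the Samba project. It applies that rule to an smb.conf text and a version string. The accepted boolean spellings, the use of the `server role` and `domain logons` parameters to recognise a DC, and the three sample configurations are assumptions constructed for the example.

```python
"""Audit an smb.conf against the Samba team's CVE-2020-1472 (Zerologon) guidance.

Rule as stated by the Samba team:
  * Samba >= 4.8: vulnerable only if smb.conf sets 'server schannel = no' or 'auto'
    (the default is equivalent to 'server schannel = yes').
  * Samba <= 4.7: vulnerable unless smb.conf explicitly sets 'server schannel = yes'.
  * Only domain-controller roles run Netlogon; a plain file server is not exposed.
"""

# Assumption: standard smb.conf boolean spellings.
YES = {"yes", "true", "1", "on"}
NO = {"no", "false", "0", "off"}


def parse_version(version):
    """'4.12.3' -> (4, 12); only major.minor matter for the 4.8 boundary."""
    parts = version.strip().split(".")
    return tuple(int(p) for p in parts[:2])


def parse_smb_conf(text):
    """Return {section: {key: value}}; keys lower-cased with single spaces,
    values lower-cased. Lines starting with '#' or ';' are comments."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip().lower()
    return sections


def is_domain_controller(global_section):
    """Assumption: any 'server role' containing 'domain controller' (AD or classic),
    or the legacy 'domain logons = yes', means the host runs Netlogon."""
    role = global_section.get("server role", "auto")
    if "domain controller" in role:
        return True
    return global_section.get("domain logons") in YES


def assess(version, conf_text):
    """Return (vulnerable, reason) for the given Samba version and smb.conf text."""
    g = parse_smb_conf(conf_text).get("global", {})
    if not is_domain_controller(g):
        return False, ("file server only: Netlogon not running; still verify it can "
                       "talk to patched DCs after the change")
    setting = g.get("server schannel")  # None when the line is absent
    if parse_version(version) >= (4, 8):
        if setting in NO or setting == "auto":
            return True, f"Samba {version} with 'server schannel = {setting}'"
        return False, f"Samba {version} enforces a secure Netlogon channel"
    if setting in YES:
        return False, f"Samba {version} with explicit 'server schannel = yes'"
    return True, f"Samba {version} without 'server schannel = yes'"


# Constructed sample configurations (not taken from any real deployment).
WEAK_CONF = """\
[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   # weak setting that re-exposes the flaw even on 4.8+
   server schannel = auto
"""

HARDENED_CONF = """\
[global]
   workgroup = EXAMPLE
   server role = active directory domain controller
   server schannel = yes
"""

FILE_SERVER_CONF = """\
[global]
   server role = standalone server
[share]
   path = /srv/share
"""

if __name__ == "__main__":
    for ver, conf in [("4.12.3", WEAK_CONF), ("4.12.3", HARDENED_CONF),
                      ("4.7.6", HARDENED_CONF), ("4.7.6", WEAK_CONF),
                      ("4.7.6", FILE_SERVER_CONF)]:
        vulnerable, reason = assess(ver, conf)
        print(f"{'VULNERABLE' if vulnerable else 'ok':10} {reason}")
```

The `server schannel = yes` line in the hardened sample is the Samba-side equivalent of Microsoft’s FullSecureChannelProtection=1 that the team describes; the checker deliberately treats an absent line on 4.7 as exposed, because the quoted guidance keys on the explicit ‘yes’ rather than on the old default.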

Exploitation of the vulnerability could result in complete domain takeover (on Active Directory DC domains), or disclosure of session keys or denial of service (on NT4-like domains), Samba explains, urging vendors to install the available patches as soon as possible.

Related: DHS Orders Federal Agencies to Immediately Patch ‘Zerologon’ Vulnerability

Related: ‘SMBleed’ Vulnerability Impacts Windows SMB Protocol

Related: Microsoft Patches 129 Vulnerabilities With September 2020 Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
