Samba Issues Patches for Zerologon Vulnerability

The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

Also referred to as Zerologon and tracked as CVE-2020-1472, the security issue was addressed on August 2020 Patch Tuesday and can be triggered when an adversary connects to a domain controller using a vulnerable Netlogon secure channel connection.

An attacker can leverage a specially crafted application on a device connected to the network to exploit the vulnerability and gain domain administrator access.

On Friday, the DHS issued an Emergency Directive requiring all federal agencies to address the flaw within three days, deeming it an “unacceptable risk to the Federal Civilian Executive Branch.”

As it turns out, Windows Server wasn’t the only product impacted by the vulnerability. Samba, which allows users to easily share files between Linux and Windows systems, is impacted as well, as it relies on Netlogon.

Because Zerologon is a protocol-level vulnerability and Samba implements the Netlogon protocol, Samba is also vulnerable to the bug, but only when used as a domain controller. Active Directory DC installations are affected the most; the flaw has low impact on classic/NT4-style DCs.

“Since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having ‘server schannel = yes’ in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’,” the Samba team explains.

The vulnerability doesn’t directly impact installations where Samba runs as a file server only, as they do not run the Netlogon service. However, configuration changes are likely required to ensure they can continue to communicate with domain controllers, the team notes.

“Samba versions 4.7 and below are vulnerable unless they have ‘server schannel = yes’ in the smb.conf. […] The ‘server schannel = yes’ smb.conf line is equivalent to Microsoft’s ‘FullSecureChannelProtection=1’ registry key, the introduction of which we understand forms the core of Microsoft’s fix,” Samba says.
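The two version rules quoted above can be turned into a quick configuration audit. The following is an added example, not code from Samba or from the article; it assumes the host runs as a domain controller, that the Samba version is supplied by the caller, and that `include` directives in smb.conf are not followed. The sample configuration and the function names are constructed for illustration.

```python
import re

# Constructed sample: a DC configuration that relaxes the secure channel.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    ; secure channel made optional for a legacy client
    Server Schannel = Auto
[netlogon]
    path = /var/lib/samba/sysvol/example/scripts
"""

def global_params(conf_text):
    """Return [global] parameters, keys lower-cased with whitespace removed."""
    params, section = {}, ""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank line or comment
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Later assignments overwrite earlier ones.
            params[re.sub(r"\s+", "", key).lower()] = value.strip().lower()
    return params

def zerologon_exposure(version, conf_text):
    """Apply the advisory's rule; returns (exposed, reason) for a Samba DC."""
    major, minor = (int(p) for p in version.split(".")[:2])
    schannel = global_params(conf_text).get("serverschannel")
    if (major, minor) >= (4, 8):
        # Default insists on a secure channel; only an override weakens it.
        # "false"/"0" are assumed here to be accepted spellings of "no".
        exposed = schannel in ("no", "auto", "false", "0")
    else:
        # 4.7 and below: only an explicit "yes" protects.
        # "true"/"1" are assumed here to be accepted spellings of "yes".
        exposed = schannel not in ("yes", "true", "1")
    shown = schannel if schannel is not None else "(not set)"
    return exposed, f"Samba {version}, server schannel = {shown}"

if __name__ == "__main__":
    for ver in ("4.7.6", "4.12.5"):
        print(ver, zerologon_exposure(ver, SAMPLE_CONF))
```

Running `testparm -s` on the host prints the effective configuration, including included files, and its output can be fed to `zerologon_exposure` in place of the raw file.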

Exploitation of the vulnerability could result in complete domain takeover (on Active Directory DC domains), or disclosure of session keys or denial of service (on NT4-like domains), Samba explains, urging vendors to install the available patches as soon as possible.

Related: DHS Orders Federal Agencies to Immediately Patch ‘Zerologon’ Vulnerability

Related: ‘SMBleed’ Vulnerability Impacts Windows SMB Protocol

Related: Microsoft Patches 129 Vulnerabilities With September 2020 Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
