Security Experts:

Connect with us

Hi, what are you looking for?



Samba Issues Patches for Zerologon Vulnerability

The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).

Also referred to as Zerologon and tracked as CVE-2020-1472, the security issue was addressed on August 2020 Patch Tuesday and can be triggered when an adversary connects to a domain controller using a vulnerable Netlogon secure channel connection.

An attacker can leverage a specially crafted application on a device connected to the network to exploit the vulnerability and gain domain administrator access.

On Friday, the DHS issued an Emergency Directive requiring all federal agencies to address the flaw within three days, deeming it an “unacceptable risk to the Federal Civilian Executive Branch.”

As it turns out, Windows Server wasn’t the only product impacted by the vulnerability. Samba, which allows users to easily share files between Linux and Windows systems, is impacted as well, as it relies on Netlogon.

With Zerologon being a protocol-level vulnerability and Samba implementing the Netlogon protocol, Samba is also vulnerable to the bug, when used as domain controller only. Active Directory DC installations are affected the most, with the flaw having low impact on the classic/NT4-style DC.

“Since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having ‘server schannel = yes’ in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’,” the Samba team explains.

The vulnerability doesn’t directly impact installations where Samba runs as a file server only, as they do not run the Netlogon service. However, configuration changes are likely required to ensure they can continue to communicate with domain controllers, the team notes.

“Samba versions 4.7 and below are vulnerable unless they have ‘server schannel = yes’ in the smb.conf. […]The ‘server schannel = yes’ smb.conf line is equivalent to Microsoft’s ‘FullSecureChannelProtection=1’ registry key, the introduction of which we understand forms the core of Microsoft’s fix,” Samba says.

Exploitation of the vulnerability could result in complete domain takeover (on Active Directory DC domains), or disclosure of session keys or denial of service (on NT4-like domains), Samba explains, urging vendors to install the available patches as soon as possible.

Related: DHS Orders Federal Agencies to Immediately Patch ‘Zerologon’ Vulnerability

Related: ‘SMBleed’ Vulnerability Impacts Windows SMB Protocol

Related: Microsoft Patches 129 Vulnerabilities With September 2020 Security Updates

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.