The Samba team has released patches for a critical-severity elevation of privilege vulnerability impacting the Microsoft Windows Netlogon Remote Protocol (MS-NRPC).
Also referred to as Zerologon and tracked as CVE-2020-1472, the security issue was addressed on August 2020 Patch Tuesday and can be triggered when an adversary connects to a domain controller using a vulnerable Netlogon secure channel connection.
An attacker can leverage a specially crafted application on a device connected to the network to exploit the vulnerability and gain domain administrator access.
On Friday, the DHS issued an Emergency Directive requiring all federal agencies to address the flaw within three days, deeming it an “unacceptable risk to the Federal Civilian Executive Branch.”
As it turns out, Windows Server wasn’t the only product impacted by the vulnerability. Samba, which allows users to easily share files between Linux and Windows systems, is impacted as well, as it relies on Netlogon.
With Zerologon being a protocol-level vulnerability and Samba implementing the Netlogon protocol, Samba is also vulnerable to the bug, when used as domain controller only. Active Directory DC installations are affected the most, with the flaw having low impact on the classic/NT4-style DC.
“Since version 4.8 (released in March 2018), the default behaviour of Samba has been to insist on a secure netlogon channel, which is a sufficient fix against the known exploits. This default is equivalent to having ‘server schannel = yes’ in the smb.conf. Therefore versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’,” the Samba team explains.
The vulnerability doesn’t directly impact installations where Samba runs as a file server only, as they do not run the Netlogon service. However, configuration changes are likely required to ensure they can continue to communicate with domain controllers, the team notes.
“Samba versions 4.7 and below are vulnerable unless they have ‘server schannel = yes’ in the smb.conf. […]The ‘server schannel = yes’ smb.conf line is equivalent to Microsoft’s ‘FullSecureChannelProtection=1’ registry key, the introduction of which we understand forms the core of Microsoft’s fix,” Samba says.
Exploitation of the vulnerability could result in complete domain takeover (on Active Directory DC domains), or disclosure of session keys or denial of service (on NT4-like domains), Samba explains, urging vendors to install the available patches as soon as possible.