A Netlogon Zerologon vulnerability in Windows also affects Samba

The developers of the Samba project recently disclosed, in an announcement to users, that the «Zerologon» vulnerability discovered in Windows (CVE-2020-1472) also manifests in the domain controller implementation based on Samba.

The vulnerability is caused by flaws in the MS-NRPC protocol and in the way the AES-CFB8 cipher mode is used, and, if exploited successfully, allows an attacker to gain administrator rights on a domain controller.

The essence of the vulnerability is that MS-NRPC (Netlogon Remote Protocol) allows authentication data to be exchanged over an RPC connection without encryption.

An attacker can then exploit a flaw in the AES-CFB8 algorithm to spoof a successful login. On average, about 256 spoofing attempts are needed to log in with administrator rights.

The attack does not require a working account on the domain controller; impersonation attempts can be made with an incorrect password.

The NTLM authentication request will be redirected to the domain controller, which will return access denied, but the attacker can spoof this response and the attacked system will consider the login successful.

An elevation of privilege vulnerability exists when an attacker establishes a vulnerable Netlogon secure channel connection to a domain controller, using the Netlogon Remote Protocol (MS-NRPC). An attacker who successfully exploited the vulnerability could run a specially crafted application on a network device.

To exploit the vulnerability, an unauthenticated attacker would be required to use MS-NRPC to connect to a domain controller to gain domain administrator access.

In Samba, the vulnerability appears only on systems that do not use the "server schannel = yes" setting, which has been the default since Samba 4.8.

In particular, systems with the "server schannel = no" or "server schannel = auto" settings can be compromised, since they let Samba fall back to the same flawed use of AES-CFB8 as Windows.

With the publicly available Windows exploit prototype, only the ServerAuthenticate3 call goes through against Samba and the ServerPasswordSet2 operation fails (the exploit would need adapting for Samba).

For this reason, the Samba developers urge users who changed "server schannel" from the default "yes" to "no" or "auto" to return to the default setting "yes" and thereby avoid the vulnerability.

No working alternative exploits have been reported, but attack attempts can be tracked by looking for entries that mention ServerAuthenticate3 and ServerPasswordSet in the Samba audit logs.
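As an added defender's check (example code, not from the Samba project or this article), the following Python verifies the "server schannel" setting described above and scans audit-log lines for the ServerAuthenticate3/ServerPasswordSet entries the advisory suggests watching. The smb.conf fragment, the simplified log format and the client addresses are constructed for the example.

```python
import re
from collections import Counter

# Constructed smb.conf fragment (not from the page); only the
# "server schannel" option matters for the Samba advisory.
SMB_CONF = """
[global]
    workgroup = EXAMPLE
    server role = active directory domain controller
    server schannel = auto
"""

# Constructed, simplified audit lines (real Samba log layout differs; only the
# operation names come from the advisory). 10.0.0.23 hammers the DC, 10.0.0.5 is normal.
AUDIT_LOG = """\
netlogon: ServerAuthenticate3 from 10.0.0.23 status NT_STATUS_ACCESS_DENIED
netlogon: ServerAuthenticate3 from 10.0.0.23 status NT_STATUS_ACCESS_DENIED
netlogon: ServerAuthenticate3 from 10.0.0.5 status NT_STATUS_OK
netlogon: ServerAuthenticate3 from 10.0.0.23 status NT_STATUS_OK
netlogon: ServerPasswordSet2 from 10.0.0.23 status NT_STATUS_OK
"""

SCHANNEL_RE = re.compile(r"^\s*server\s+schannel\s*=\s*(\w+)", re.M | re.I)
NETLOGON_RE = re.compile(r"\b(ServerAuthenticate3|ServerPasswordSet2?)\b.*?\bfrom\s+(\S+)")

def server_schannel_setting(conf_text, samba_version=(4, 8)):
    """Effective 'server schannel' value. An absent option means the built-in
    default: 'yes' from Samba 4.8 on (per the advisory), 'unset' before that."""
    m = SCHANNEL_RE.search(conf_text)
    if m:
        return m.group(1).lower()
    return "yes" if samba_version >= (4, 8) else "unset"

def is_vulnerable_config(conf_text, samba_version=(4, 8)):
    """Per the Samba advisory only 'server schannel = yes' closes the hole."""
    return server_schannel_setting(conf_text, samba_version) != "yes"

def suspicious_sources(log_text, threshold=3):
    """Count netlogon ServerAuthenticate3/ServerPasswordSet entries per client
    and return those at or above threshold: Zerologon needs ~256 attempts, so
    a burst from one host stands out against ordinary machine logons."""
    counts, ops = Counter(), {}
    for line in log_text.splitlines():
        m = NETLOGON_RE.search(line)
        if m:
            op, src = m.groups()
            counts[src] += 1
            ops.setdefault(src, set()).add(op)
    return {src: (n, sorted(ops[src])) for src, n in counts.items() if n >= threshold}
```

The threshold is deliberately low for the sample; on a real domain controller, tune it against the normal rate of machine-account logons.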

Microsoft is addressing the vulnerability in a two-phase deployment. These updates address the vulnerability by modifying the way Netlogon handles the use of Netlogon secure channels.

When the second phase of Windows updates becomes available in Q1 2021, customers will be notified through a patch for this security vulnerability.

Finally, users of earlier Samba versions should update to the latest stable Samba release or apply the corresponding patches to fix this vulnerability.

Samba has some protection against this problem because, since Samba 4.8, we have a default value of 'server schannel = yes'.

Users who have changed this default are advised that Samba implements the netlogon AES protocol faithfully and thus falls to the same cryptosystem design flaw.

Vendors that support Samba 4.7 and earlier versions must patch their installations and packages to change this default.

They are NOT secure and we expect them to result in full domain compromise, particularly for AD domains.

Finally, if you want to know more about this vulnerability, you can check the announcements made by the Samba team or by Microsoft.
