Project

General

Profile

Tâche #30659

Scénario #30539: Traitement express MEN (36-39)

Samba impact of "ZeroLogin" CVE-2020-1472

Added by Gilles Grandgérard about 3 years ago. Updated about 3 years ago.

Status:
Fermé
Priority:
Normal
Assigned To:
-
Target version:
sprint 2020 36-39 Equipe MENSR
Start date:
09/17/2020
Due date:
% Done:

100%

Estimated time:
0.00 h
Remaining (hours):
0.0

Description

A vérifier sur EOLE < 2.7.2
Sur EOLE >= 2.7.2, nous n'utilisons pas "server schannel"

The following applies to Samba used as domain controller only. (Both as classic/NT4-style and active direcory DC.)

Samba users have reported that the exploit for "ZeroLogin" passes against Samba.

Samba has some protection for this issue because since Samba 4.8 we have set a default of 'server schannel = yes'.
Users who have changed this default are hereby warned that Samba implements the AES netlogon protocol faithfully and so falls to the same fault in the cryptosystem design.

Vendors supporting Samba 4.7 and below should patch their installations and packages to change this default, as values of:

 - server schannel = no
 - server schannel = auto

are NOT secure and we expect can result in full domain compromise, particularly for AD domains.

Some public exploit tests, such as https://github.com/SecuraBV/CVE-2020-1472/blob/master/zerologon_tester.py only confirm that a ServerAuthenticate3 call operates, but not that the serverPasswordSet2 call required to exploit the domain also operates.

We are well aware of administrator concern and are looking to provide patches that provide mitigation here, to make the ServerAuthenticate3 call also fail.

We, like Microsoft, suggest that 'server schannel = yes' must be set for secure operation. This is our equivalent to Microsoft's FullSecureChannelProtection=1 registry key, with the difference that it's already enabled by default in all Samba major versions released in the last three years.

Finally, we would note that Samba's audit logging will record ServerAuthenticate3 and ServerPasswordSet calls including the source IP, details will be provided later on the options to enable.
There seem to be some legacy software, which still requires "server schannel = auto". See the following bugs:

 - https://bugzilla.samba.org/show_bug.cgi?id=11892
 - https://bugzilla.samba.org/show_bug.cgi?id=13464
 - https://bugzilla.samba.org/show_bug.cgi?id=13949

We'll add additional hardening that will allow administrators to use "server schannel = yes" globally and define exceptions only for specified computer accounts.

Our progress can be monitored via this bug:

 - https://bugzilla.samba.org/show_bug.cgi?id=14497

-- 
Karolin Seeger            https://samba.org/~kseeger/
Release Manager Samba Team    https://samba.org
Team Lead Samba SerNet        https://sernet.de

smb.conf.patch View - Patch pour Scribe/Horus 2.5.2 (272 Bytes) Joël Cuissinat, 09/22/2020 12:20 PM

krb-smb.conf.patch View - Patch pour Amon 2.5.2 (251 Bytes) Joël Cuissinat, 09/22/2020 12:20 PM

Related issues

Related to Distribution EOLE - Tâche #30762: Pb maj ScribeAD 2.7 suite à CVE-1420 Ne sera pas résolu 09/28/2020

Associated revisions

Revision 6c153dd4 (diff)
Added by Daniel Dehennin about 3 years ago

Import patches from Ubuntu Bionic 2:4.7.6+dfsg~ubuntu-0ubuntu2.19

Ref: #30659

Revision c46815b3 (diff)
Added by Daniel Dehennin about 3 years ago

Update debian/changelog for EOLE 2.6

Ref: #30659

History

#1 Updated by Gilles Grandgérard about 3 years ago

  • Parent task set to #30539

#3 Updated by Gilles Grandgérard about 3 years ago

Module EOLE Version Samba Paquet Samba man smb.conf testparm -v CVE-2020-1472 Actions à réaliser
Scribe/Horus 2.5.2 4.3 2:4.3.11+dfsg-0ubuntu0.14.04.20 Default: server schannel = auto server schannel = Auto impacté Voir Note°2
Scribe/Horus 2.6.0 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Scribe/Horus 2.6.1 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Scribe/Horus 2.6.2 NT 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
ScribeAD/HorusAD 2.6.2 membre 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
ScribeAD/HorusAD 2.6.2 addc 4.7.12 2:4.7.12+dfsg-2-1ubuntu18.04.19~bpoeole262+1 Default: server schannel = yes server schannel = yes corrigé Voir Note°1
Scribe/Horus 2.7.1 membre 4.7 2:4.7.6+dfsg~ubuntu-0ubuntu2.19 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Scribe/Horus 2.7.1 addc 4.9 2:4.9.18~bpoeole270+1~0.5f8ef2f9eec Default: server schannel = yes server schannel = Yes non impacté Néant
Scribe/Horus 2.7.2 membre 4.7 2:4.7.6+dfsg~ubuntu-0ubuntu2.19 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Scribe/Horus 2.7.2 addc 4.11 2:4.11.6+dfsg-0ubuntu1.4~eole272.1 Default: server schannel = yes server schannel = Yes non impacté Néant
Seth 2.6.0 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Seth 2.6.1 4.7.12 2:4.7.12+dfsg-2-1ubuntu18.04.19~bpoeole262+1 Default: server schannel = yes server schannel = yes corrigé Néant (paquet EOLE)
Seth 2.6.2 4.7.12 2:4.7.12+dfsg-2-1ubuntu18.04.19~bpoeole262+1 Default: server schannel = yes server schannel = yes corrigé Néant (paquet EOLE)
Seth 2.7.0 4.9 2:4.9.18~bpoeole270+1~0.5f8ef2f9eec Default: server schannel = yes server schannel = Yes non impacté Néant
Seth 2.7.1 4.9 2:4.9.18~bpoeole270+1~0.5f8ef2f9eec Default: server schannel = yes server schannel = Yes non impacté Néant
Seth 2.7.2 4.11 2:4.11.6+dfsg-0ubuntu1.4~eole272.1 Default: server schannel = yes server schannel = Yes non impacté Néant
Amon 2.5.2 4.3 2:4.3.11+dfsg-0ubuntu0.14.04.20 Default: server schannel = auto server schannel = Auto impacté Voir Note°3
Amon 2.6.0 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Amon 2.6.1 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Amon 2.6.2 4.3 2:4.3.11+dfsg-0ubuntu0.16.04.30 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Amon 2.7.0 4.7 2:4.7.6+dfsg~ubuntu-0ubuntu2.19 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Amon 2.7.1 4.7 2:4.7.6+dfsg~ubuntu-0ubuntu2.19 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)
Amon 2.7.2 4.7 2:4.7.6+dfsg~ubuntu-0ubuntu2.19 Default: server schannel = yes server schannel = Yes non impacté Néant (paquet ubuntu)

Suivi Ubuntu du paquet correctif:
https://launchpad.net/ubuntu/+source/samba

xenial: https://launchpad.net/ubuntu/+source/samba/2:4.3.11+dfsg-0ubuntu0.16.04.30
bionic: https://launchpad.net/ubuntu/+source/samba/2:4.7.6+dfsg~ubuntu-0ubuntu2.19

Testparm:
testparm -vp | grep channel

Identification paquet:
dpkg -l | grep " samba "

Note 1 : Cas du Scribe AD 2.6.2

Dès qu'une mise à jour Ubuntu sera publiée, le conteneur ADDC sera actualisé.

En cas d'absence de mise à jour Ubuntu, vous pouvez forcer la mise à jour du conteneur en executant la commande suivante sur le module :

/usr/share/eole/majauto/eolead

Note 2 : Cas des modules Scribe et Horus 2.5.2

La version EOLE 2.5.2 n'est plus supportée. Nous ne faisons donc pas de paquet.

Le patch consiste à forcer la valeur "server schannel = yes" dans smb.conf

Vous devez :
  • Télécharger le patch
  • Exécuter reconfigure
cd /usr/share/eole/creole/patch
wget https://dev-eole.ac-dijon.fr/attachments/download/3105/smb.conf.patch
reconfigure

http://eole.ac-dijon.fr/documentations/2.6/completes/HTML/Eolebase/co/01b-patch.html

Note 3 : Cas du module Amon 2.5.2 utilisant l'authentification proxy "NTLM/KERBEROS" avec un serveur AD

La version EOLE 2.5.2 n'est plus supportée. Nous ne faisons donc pas de paquet.

Le patch consiste à forcer la valeur "server schannel = yes" dans smb.conf

Vous devez :
  • Télécharger le patch
  • Exécuter reconfigure
cd /usr/share/eole/creole/patch
wget https://dev-eole.ac-dijon.fr/attachments/download/3106/krb-smb.conf.patch
reconfigure

http://eole.ac-dijon.fr/documentations/2.6/completes/HTML/Eolebase/co/01b-patch.html

#4 Updated by Daniel Dehennin about 3 years ago

  • Private changed from No to Yes

#6 Updated by Gilles Grandgérard about 3 years ago

Exemple Seth 2.6.2 avant paquet correctif 2:4.7.12+dfsg-2-1ubuntu18.04.19~bpoeole262+1


root@dc1:~# dpkg -l | grep " samba " 
ii  samba                                  *2:4.7.12+dfsg-2-1ubuntu18.04.17~bpoeole262+3* amd64        SMB/CIFS file, print, and login server for Unix
root@dc1:~# testparm -vp | grep channel
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]" 
Processing section "[sysvol]" 
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

    client schannel = *Auto*
    server multi channel support = No
    server schannel = *Auto*
    print notify backchannel = No

Exemple Seth 2.6.2 après 2:4.7.12+dfsg-2-1ubuntu18.04.19~bpoeole262+1

root@dc1:~# dpkg -l | grep " samba " 
ii  samba                                  *2:4.7.12+dfsg-2-1ubuntu18.04.19~bpoeole262+1* amd64        SMB/CIFS file, print, and login server for Unix
root@dc1:~# testparm -vp | grep channel
Load smb config files from /etc/samba/smb.conf
rlimit_max: increasing rlimit_max (1024) to minimum Windows limit (16384)
Processing section "[netlogon]" 
Processing section "[sysvol]" 
Loaded services file OK.
Server role: ROLE_ACTIVE_DIRECTORY_DC

Press enter to see a dump of your service definitions

    client schannel = *Yes*
    server multi channel support = No
    server schannel = *Yes*
    print notify backchannel = No
root@dc1:~#

#7 Updated by Gilles Grandgérard about 3 years ago

  • Private changed from Yes to No

#8 Updated by Gilles Grandgérard about 3 years ago

  • Status changed from Nouveau to En cours

#9 Updated by Joël Cuissinat about 3 years ago

  • File schannel.patch added

#10 Updated by Joël Cuissinat about 3 years ago

  • File deleted (schannel.patch)

#12 Updated by Gilles Grandgérard about 3 years ago

  • Status changed from En cours to Fermé
  • Remaining (hours) set to 0.0

#13 Updated by Fabrice Barconnière about 3 years ago

  • synchro dépôt OK
  • Annonce
  • Journal 2.6.2
  • Mails
  • POUET
  • Tchap

#14 Updated by Fabrice Barconnière about 3 years ago

  • % Done changed from 0 to 100
  • Estimated time set to 0.00 h

#15 Updated by Joël Cuissinat almost 3 years ago

  • Related to Tâche #30762: Pb maj ScribeAD 2.7 suite à CVE-1420 added

Also available in: Atom PDF