Microsoft Windows “ZeroLogon” Vulnerability Impacts Samba

By Kashia Ingraham on October 15, 2020

Introduction

Earlier this month Microsoft announced a privilege-escalation vulnerability known as “ZeroLogon” with a Common Vulnerability Scoring System (CVSS) score of 10.0 out of 10.0, making it critically severe. It was reported that on September 18, 2020, the Department of Homeland Security (DHS) “issued an Emergency Directive requiring all federal agencies to address the flaw within three days, deeming it an unacceptable risk to the Federal Civilian Executive Branch” [1]. Within a couple of weeks of the vulnerability becoming known, it was discovered that Windows Servers were not the only products affected: Samba versions 4.0 and later are affected as well. Samba is a networking protocol that allows users to share files between Linux and Windows systems. Samba uses the Netlogon protocol, which is where this vulnerability lies [1].

Vulnerability

The privilege-escalation vulnerability, “ZeroLogon”, exists in the use of AES-CFB8 encryption for Netlogon sessions. The standard requires that each “byte” of plaintext have a randomized initialization vector (IV), to prevent attackers from guessing passwords. However, Netlogon’s Compute Netlogon Credential function set the IV to a fixed 16 bits instead of randomizing it as required, which gives the attacker possible control of the deciphered text [2].

Impact

The vulnerability is at the protocol level, and because Samba implements the Netlogon protocol, Samba is vulnerable as well [3]. The impact is therefore the same as with Windows: an attacker can impersonate any computer, including the domain controller itself, and gain access to domain admin credentials [4].

Mitigation

It is important to apply the Windows Server August 2020 security update to all domain controllers. The secure Netlogon channel, which is the default, is an adequate fix for the exploit.

The default is ‘server schannel = yes’ in the smb.conf.

Versions 4.8 and above are not vulnerable unless they have the smb.conf lines ‘server schannel = no’ or ‘server schannel = auto’.

Versions 4.7 and below are vulnerable unless they have ‘server schannel = yes’ in the smb.conf.
 
It is important to note that each domain controller needs the correct settings in its smb.conf [3].
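
The version and smb.conf rules above can be checked mechanically on each domain controller. The following Python sketch is an added example, not code from Samba or from the cited advisory; the function names and sample configurations are constructed for illustration, and it reads only the text it is given (it does not follow `include` directives).

```python
import re

YES = {"yes", "true", "1"}
NO = {"no", "false", "0"}


def server_schannel(conf_text):
    """Return 'yes', 'no', 'auto' (or the raw value), or None if [global] does not set it."""
    section, value = "global", None  # lines before any header are treated here as global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # blank line or comment
            continue
        header = re.fullmatch(r"\[(.*)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        name, sep, val = line.partition("=")
        # Parameter names are matched ignoring case and whitespace.
        key = re.sub(r"\s+", "", name).lower()
        if sep and section == "global" and key == "serverschannel":
            v = val.strip().lower()
            value = "yes" if v in YES else "no" if v in NO else v  # last setting wins
    return value


def is_vulnerable(version, conf_text):
    """Apply the article's rules; version is a (major, minor) tuple such as (4, 7)."""
    setting = server_schannel(conf_text)
    if version >= (4, 8):
        # Safe by default; vulnerable only if explicitly weakened.
        return setting in ("no", "auto")
    # 4.7 and below: vulnerable unless explicitly set to yes.
    return setting != "yes"


# Constructed sample configurations (not taken from any real system).
UNSET = "[global]\n  workgroup = EXAMPLE\n"
WEAKENED = "[global]\n  Server  SChannel = Auto\n"
HARDENED = "[global]\n  ; server schannel = no\n  server schannel = yes\n[share]\n  path = /srv\n"

if __name__ == "__main__":
    for label, conf in (("unset", UNSET), ("weakened", WEAKENED), ("hardened", HARDENED)):
        for ver in ((4, 7), (4, 12)):
            state = "VULNERABLE" if is_vulnerable(ver, conf) else "ok"
            print(f"{label:9} Samba {ver[0]}.{ver[1]:<3} -> {state}")
```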

Relevance

Windows Servers are commonly used, as is the Samba protocol; therefore, the risk that an attacker is able to gain access to domain admin credentials is a cause for serious concern. However, it has been pointed out that although this flaw has been rated as critically severe, it is less likely to be exploited.

References

[1] Security Week, “Samba Issues Patches for Zerologon Vulnerability”, September 23, 2020.
https://www.securityweek.com/samba-issues-patches-zerologon-vulnerability

[2] Talos Intelligence, “Microsoft Netlogon Exploitation Continues to Rise”, September 28, 2020.
https://blog.talosintelligence.com/2020/09/netlogon-rises.html

[3] Samba, “Unauthenticated domain takeover via netlogon (“ZeroLogon”)”, September 18, 2020.
https://www.samba.org/samba/security/CVE-2020-1472.html

[4] Security Week, “DHS Orders Federal Agencies to Immediately Patch “Zerologon” Vulnerability”, September 21, 2020.
https://www.securityweek.com/dhs-orders-federal-agencies-immediately-patch-zerologon-vulnerability