Bug #13169
CVE-2020-1472 (ZeroLogon) and SMB authentication
Status: Closed (100% done)
Description
I originally filed this against OmniOSCE but was advised it would be better posted here.
MSFT is pushing a new set of requirements for authenticating.
https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472
It looks like the native auth in OmniOS (based on illumos) runs afoul of this. We have auth configured via svc:/network/shares/group:smb (joined with "smbadm join") and we're seeing our primary OmniOS SMB/CIFS file server showing up in the DC's logs with:
"The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Warning: This connection will be denied once the enforcement phase is released. To better understand the enforcement phase, please visit https://go.microsoft.com/fwlink/?linkid=2133485."
(This is with the temporary "let them in anyway" configuration in place.)
Are there plans to update the service to be compliant with the tighter requirements?
thanks,
nomad
Ref.
https://kb.cert.org/vuls/id/490028
https://www.secura.com/pathtoimg.php?id=2055
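The DC-side warning quoted above names each client still using the unprotected Netlogon channel, which is what an admin needs in order to build (and later retire) the temporary exemption list. The triage script below is an added example, not code from the bug report or from illumos; it assumes an export with one event per line as `<ISO timestamp>|<event body>` and that the body carries `Machine SamAccountName:` and `Domain:` fields after the warning text. The sample events are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Sentence the DC logs for a client still on the unprotected Netlogon channel (quoted in the bug).
VULN_MARKER = "The Netlogon service allowed a vulnerable Netlogon secure channel connection."

# ASSUMPTION: the exported event body carries these two fields after the warning text.
FIELD_RE = re.compile(r"Machine SamAccountName:\s*(\S+)\s+Domain:\s*(\S+)")

# Constructed sample export, one event per line as "<ISO timestamp>|<event body>".
SAMPLE_EVENTS = [
    "2020-10-05T08:12:01|" + VULN_MARKER + " Warning: This connection will be denied once the "
    "enforcement phase is released. Machine SamAccountName: FILESRV01$ Domain: CORP",
    "2020-11-01T22:40:17|" + VULN_MARKER + " Warning: This connection will be denied once the "
    "enforcement phase is released. Machine SamAccountName: nas02$ Domain: CORP",
    "2021-01-15T03:00:00|Netlogon event unrelated to the secure channel check.",
    "2021-02-10T09:05:44|" + VULN_MARKER + " Warning: This connection will be denied once the "
    "enforcement phase is released. Machine SamAccountName: FILESRV01$ Domain: CORP",
]


def parse_event(line):
    """Return (timestamp, machine, domain) for a vulnerable-channel warning, else None."""
    ts, body = line.split("|", 1)
    if VULN_MARKER not in body:
        return None                      # some other Netlogon event
    m = FIELD_RE.search(body)
    if m is None:
        return None                      # warning without the expected fields: skip, don't guess
    return datetime.fromisoformat(ts), m.group(1).upper(), m.group(2).upper()


def triage(lines, cutoff_iso):
    """Per machine account: how often it was let in, when, and whether it still shows up on or
    after the cutoff (e.g. the date the temporary exemption list is cleared)."""
    cutoff = datetime.fromisoformat(cutoff_iso)
    seen = defaultdict(lambda: {"domain": None, "count": 0, "first": None, "last": None})
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        ts, machine, domain = parsed
        rec = seen[machine]
        rec["domain"], rec["count"] = domain, rec["count"] + 1
        rec["first"] = ts if rec["first"] is None or ts < rec["first"] else rec["first"]
        rec["last"] = ts if rec["last"] is None or ts > rec["last"] else rec["last"]
    for rec in seen.values():
        rec["after_cutoff"] = rec["last"] >= cutoff
    return dict(seen)


if __name__ == "__main__":
    for machine, rec in sorted(triage(SAMPLE_EVENTS, "2021-02-01").items()):
        flag = "STILL VULNERABLE AFTER CUTOFF" if rec["after_cutoff"] else "quiet since cutoff"
        print(f"{rec['domain']}\\{machine}: {rec['count']} allowed, last {rec['last']:%Y-%m-%d}: {flag}")
```

Machines flagged after the cutoff are the ones that will lose their secure channel once enforcement lands, so they need the client-side fix rather than another exemption.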
Updated by Christophe ROCCHIETTA over 2 years ago
Is an SMB / CIFS client update already scheduled? If so, what date of availability is envisaged?
Updated by Gordon Ross over 2 years ago
- Status changed from New to In Progress
- Assignee set to Matt Barden
Note that while the native SMB service is not vulnerable to CVE-2020-1472, the new restrictions implemented by MS on their AD servers in response to that CVE will disable the particular variant of the NetLogon RPC service that the server currently uses.
We will need to implement integrity features in the NetLogon RPC client-side code in order to maintain compatibility with MS AD servers with the new restrictions. In the interim, customers should add their SMB servers to the list of servers exempt from the new restrictions. To do so, see this MS KB article:
https://go.microsoft.com/fwlink/?linkid=2133485, particularly the group policy setting "Domain controller: Allow vulnerable Netlogon secure channel connections".
Note that the native SMB server already has integrity features at the SMB level (which is the "transport" below RPC for NetLogon), but that's not sufficient for MS AD servers with the new restrictions.
Updated by Gordon Ross over 2 years ago
- Subject changed from CVE-2020-1472 & SMB auth to CVE-2020-1472 (ZeroLogon) and SMB authentication
Updated by Christophe ROCCHIETTA over 2 years ago
Is a date scheduled for this compatibility with MS AD?
In my company, I don't manage domain controllers. My servers have been added to the list of exceptions, but this is only temporary. This list will be cleared by February 2021.
Updated by Matt Barden over 2 years ago
Testing Notes:
Install, configure, and run the included libmlrpc-tests.
Connect to a domain-joined server, with both NTLM (IP-based) and Kerberos (FQDN-based) authentication, using a user who has both a few (e.g. 5) and many (e.g. 800) groups.
Run "smbutil view //'DOMAIN;user'@server", and verify the output, whether the server has a small or large (enough to cause the response to be fragmented) number of shares.
Updated by Electric Monk over 2 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
git commit ce8560eeb961d528e27685fcdd2ffb03e9478dbf
Author: Matt Barden <mbarden@tintri.com>
Date: 2021-01-30T19:02:54.000Z
13169 CVE-2020-1472 (ZeroLogon) and SMB authentication
Reviewed by: Joyce McIntosh <jmcintosh@tintri.com>
Reviewed by: Evan Layton <elayton@tintri.com>
Reviewed by: Gordon Ross <gordon.ross@tintri.com>
Reviewed by: Prashanth Badari <prbadari@tintri.com>
Reviewed by: Andy Fiddaman <andy@omnios.org>
Reviewed by: C Fraire <cfraire@me.com>
Approved by: Robert Mustacchi <rm@fingolfin.org>