Project

General

Profile

Bug #13169

CVE-2020-1472 & SMB auth

Added by Lee Damon 7 days ago. Updated 4 days ago.

Status:
New
Priority:
Normal
Assignee:
-
Category:
-
Start date:
Due date:
% Done:

0%

Estimated time:
Difficulty:
Medium
Tags:
Gerrit CR:

Description

I originally filed this against OmniOSCE but was advised it would be better posted here.

MSFT is pushing a new set of requirements for authenticating.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

It looks like the native auth in OmniOS (based on illumos) runs afoul of this. We have auth configured via svc:/network/shares/group:smb (joined with "smbadm join") and we're seeing our primary OmniOS SMB/CIFS file server showing up in the DC's logs with:

"The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Warning: This connection will be denied once the enforcement phase is released. To better understand the enforcement phase, please visit https://go.microsoft.com/fwlink/?linkid=2133485."

(This is with the temporary "let them in anyway" configuration in place.)

Are there plans to update the service to be compliant with the tighter requirements?

thanks,
nomad

Ref.
https://kb.cert.org/vuls/id/490028
https://www.secura.com/pathtoimg.php?id=2055

History

#1

Updated by Gordon Ross 4 days ago

  • Description updated (diff)

Also available in: Atom PDF