CVE-2020-1472 (ZeroLogon) and SMB authentication
I originally filed this against OmniOSCE but was advised it would be better posted here.
MSFT is pushing a new set of requirements for authenticating.
It looks like the native auth in OmniOS (based on illumos) runs afoul of this. We have auth configured via svc:/network/shares/group:smb (joined with "smbadm join") and we're seeing our primary OmniOS SMB/CIFS file server showing up in the DC's logs with:
"The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Warning: This connection will be denied once the enforcement phase is released. To better understand the enforcement phase, please visit https://go.microsoft.com/fwlink/?linkid=2133485."
(This is with the temporary "let them in anyway" configuration in place.)
Are there plans to update the service to be compliant with the tighter requirements?
Updated by Gordon Ross 7 months ago
- Status changed from New to In Progress
- Assignee set to Matt Barden
Note that while the native SMB service is not vulnerable to CVE-2020-1472, the new restrictions implemented by MS on their AD servers in response to that CVE will disable the particular variant of the NetLogon RPC service that the server currently uses.
We will need to implement integrity features in the NetLogon RPC client-side code in order to maintain compatibility with MS AD servers with the new restrictions. In the interim, customers should add their SMB servers to the list of servers exempt from the new restrictions. To do so, see this MS KB article:
https://go.microsoft.com/fwlink/?linkid=2133485, particularly the group policy setting "Domain controller: Allow vulnerable Netlogon secure channel connections".
Note that the native SMB server already has integrity features at the SMB level (which is the "transport" below RPC for NetLogon), but that's not sufficient for MS AD servers with the new restrictions.
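The interim mitigation above requires knowing which machine accounts the DC is still flagging. The following is an added example, not code from the illumos project or the report: it triages constructed DC log export lines using the warning text quoted in the report, and separates accounts that are still allowed (to be exempted or updated before enforcement) from those already denied. The line layout and the "denied" wording are assumptions.

```python
import re

# Constructed sample of lines exported from a DC's System log (not real data).
# Assumed layout: "<ISO timestamp> <machine account> <message text>".
SAMPLE_LOG = """\
2021-02-01T10:00:01Z FILESRV01$ The Netlogon service allowed a vulnerable Netlogon secure channel connection.
2021-02-01T10:05:12Z FILESRV01$ The Netlogon service allowed a vulnerable Netlogon secure channel connection.
2021-02-01T10:07:44Z NAS02$ The Netlogon service allowed a vulnerable Netlogon secure channel connection.
2021-02-01T10:09:03Z WS-ALICE$ An account was successfully logged on.
2021-02-01T10:11:30Z OLDBOX$ The Netlogon service denied a vulnerable Netlogon secure channel connection.
"""

# "allowed" is the phrase quoted in the report; "denied" is the assumed wording
# once the enforcement phase rejects the connection instead of logging it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<account>\S+\$)\s+The Netlogon service "
    r"(?P<verdict>allowed|denied) a vulnerable Netlogon secure channel connection"
)


def summarize_vulnerable_channels(log_text):
    """Return {machine_account: {"verdict", "count", "first_seen", "last_seen"}}."""
    summary = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated event, e.g. an ordinary logon
        ts, acct, verdict = m.group("ts"), m.group("account"), m.group("verdict")
        entry = summary.setdefault(
            acct, {"verdict": verdict, "count": 0, "first_seen": ts, "last_seen": ts}
        )
        entry["count"] += 1
        entry["verdict"] = verdict  # most recent verdict wins
        entry["first_seen"] = min(entry["first_seen"], ts)  # ISO timestamps sort as strings
        entry["last_seen"] = max(entry["last_seen"], ts)
    return summary


def triage(summary):
    """Split accounts into (still allowed, already denied).

    'still allowed' hosts need the updated NetLogon client code or a temporary entry
    in the 'Allow vulnerable Netlogon secure channel connections' policy before
    enforcement; 'already denied' hosts have lost domain authentication now.
    """
    allowed = sorted(a for a, e in summary.items() if e["verdict"] == "allowed")
    denied = sorted(a for a, e in summary.items() if e["verdict"] == "denied")
    return allowed, denied
```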
Updated by Matt Barden 3 months ago
Install, configure, and run the included libmlrpc-tests.
Connect to a domain-joined server, with both NTLM (ip-based) and Kerberos (FQDN-based) authentication, using a user who has both a few (e.g. 5) and many (e.g. 800) groups.
Run "smbutil view //'DOMAIN;user'@server", and verify the output, whether the server has a small or large (enough to cause the response to be fragmented) number of shares.
Updated by Electric Monk 3 months ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
commit ce8560eeb961d528e27685fcdd2ffb03e9478dbf
Author: Matt Barden <firstname.lastname@example.org>
Date: 2021-01-30T19:02:54.000Z

13169 CVE-2020-1472 (ZeroLogon) and SMB authentication
Reviewed by: Joyce McIntosh <email@example.com>
Reviewed by: Evan Layton <firstname.lastname@example.org>
Reviewed by: Gordon Ross <email@example.com>
Reviewed by: Prashanth Badari <firstname.lastname@example.org>
Reviewed by: Andy Fiddaman <email@example.com>
Reviewed by: C Fraire <firstname.lastname@example.org>
Approved by: Robert Mustacchi <email@example.com>