Bug #13169

closed

CVE-2020-1472 (ZeroLogon) and SMB authentication

Added by Lee Damon about 1 year ago. Updated 10 months ago.

Status: Closed
Priority: Normal
Assignee:
Category: -
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags:
Gerrit CR:

Description

I originally filed this against OmniOSCE but was advised it would be better posted here.

MSFT is pushing a new set of requirements for authenticating.

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-1472

It looks like the native auth in OmniOS (based on illumos) runs afoul of this. We have auth configured via svc:/network/shares/group:smb (joined with "smbadm join") and we're seeing our primary OmniOS SMB/CIFS file server showing up in the DC's logs with:

"The Netlogon service allowed a vulnerable Netlogon secure channel connection.
Warning: This connection will be denied once the enforcement phase is released. To better understand the enforcement phase, please visit https://go.microsoft.com/fwlink/?linkid=2133485."

(This is with the temporary "let them in anyway" configuration in place.)

Are there plans to update the service to be compliant with the tighter requirements?

thanks,
nomad

Ref.
https://kb.cert.org/vuls/id/490028
https://www.secura.com/pathtoimg.php?id=2055

Actions #1

Updated by Gordon Ross about 1 year ago

  • Description updated (diff)

Actions #2

Updated by Christophe ROCCHIETTA about 1 year ago

Is an SMB / CIFS client update already scheduled? If so, what date of availability is envisaged?

Actions #3

Updated by Gordon Ross about 1 year ago

  • Status changed from New to In Progress
  • Assignee set to Matt Barden

Note that while the native SMB service is not vulnerable to CVE-2020-1472, the new restrictions implemented by MS on their AD servers in response to that CVE will disable the particular variant of the NetLogon RPC service that the server currently uses.

We will need to implement integrity features in the NetLogon RPC client-side code in order to maintain compatibility with MS AD servers with the new restrictions. In the interim, customers should add their SMB servers to the list of servers exempt from the new restrictions. To do so, see this MS KB article:

https://go.microsoft.com/fwlink/?linkid=2133485, particularly the "Domain controller: Allow vulnerable Netlogon secure channel connections" group policy setting.

Note that the native SMB server already has integrity features at the SMB level (which is the "transport" below RPC for NetLogon), but that's not sufficient for MS AD servers with the new restrictions.

Actions #4

Updated by Gordon Ross about 1 year ago

  • Subject changed from CVE-2020-1472 & SMB auth to CVE-2020-1472 (ZeroLogon) and SMB authentication

Actions #5

Updated by Christophe ROCCHIETTA about 1 year ago

Is a date scheduled for this compatibility with MS AD?
In my company, I don't manage domain controllers. My servers have been added to the list of exceptions, but this is only temporary. This list will be cleared by February 2021.

Actions #6

Updated by Electric Monk 11 months ago

  • Gerrit CR set to 1162

Actions #7

Updated by Matt Barden 10 months ago

Testing Notes:
Install, configure, and run the included libmlrpc-tests.
Connect to a domain-joined server, with both NTLM (ip-based) and Kerberos (FQDN-based) authentication, using a user who has both a few (e.g. 5) and many (e.g. 800) groups.
Run "smbutil view //'DOMAIN;user'@server", and verify the output, whether the server has a small or large (enough to cause the response to be fragmented) number of shares.

Actions #8

Updated by Electric Monk 10 months ago

  • Status changed from In Progress to Closed
  • % Done changed from 0 to 100

git commit ce8560eeb961d528e27685fcdd2ffb03e9478dbf

commit  ce8560eeb961d528e27685fcdd2ffb03e9478dbf
Author: Matt Barden <mbarden@tintri.com>
Date:   2021-01-30T19:02:54.000Z

    13169 CVE-2020-1472 (ZeroLogon) and SMB authentication
    Reviewed by: Joyce McIntosh <jmcintosh@tintri.com>
    Reviewed by: Evan Layton <elayton@tintri.com>
    Reviewed by: Gordon Ross <gordon.ross@tintri.com>
    Reviewed by: Prashanth Badari <prbadari@tintri.com>
    Reviewed by: Andy Fiddaman <andy@omnios.org>
    Reviewed by: C Fraire <cfraire@me.com>
    Approved by: Robert Mustacchi <rm@fingolfin.org>
