--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2020-1472.html
+
+<p>
+<pre>
+===========================================================
+== Subject: Unauthenticated domain takeover via netlogon ("ZeroLogon")
+==
+==
+== CVE ID#: CVE-2020-1472
+==
+== Versions: Samba 4.0 and later
+==
+== Summary: An unauthenticated attacker on the network can gain
+== administrator access by exploiting a netlogon
+== protocol flaw.
+===========================================================
+
+===========
+Description
+===========
+
+The following applies to Samba used as domain controller only (most
+seriously the Active Directory DC, but also the classic/NT4-style DC).
+
+Installations running Samba as a file server only are not directly
+affected by this flaw, though they may need configuration changes to
+continue to talk to domain controllers (see "file servers and domain
+members" below).
+
+The netlogon protocol contains a flaw that allows an authentication
+bypass. This was reported and patched by Microsoft as CVE-2020-1472.
+Since the bug is a protocol level flaw, and Samba implements the
+protocol, Samba is also vulnerable.
+
+However, since version 4.8 (released in March 2018), the default
+behaviour of Samba has been to insist on a secure netlogon channel,
+which is a sufficient fix against the known exploits. This default is
+equivalent to having 'server schannel = yes' in the smb.conf.
+
+Therefore versions 4.8 and above are not vulnerable unless they have
+the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
+
+Samba versions 4.7 and below are vulnerable unless they have 'server
+schannel = yes' in the smb.conf.
+
+Note each domain controller needs the correct settings in its smb.conf.
+
+Vendors supporting Samba 4.7 and below are advised to patch their
+installations and packages to add this line to the [global] section if
+their smb.conf file.
+
+The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
+'FullSecureChannelProtection=1' registry key, the introduction of
+which we understand forms the core of Microsoft's fix.
+
+Consequences
+============
+
+The exploitation of this issue is by changing the a server password.
+In an AD domain changing a DC password allows full password database
+disclosure including the krbtgt password, unsalted MD4 password hash
+(the 'NT Hash') for each user, and the LM password hash if stored.
+(Via DRS replication).
+
+The krbtgt password allows the attacker to issue a 'golden ticket' to
+themselves and return to take over the domain at any point in the
+future.
+
+Other consequences includes disclosure of session keys, as well as
+general denial of service to the trust account selected.
+
+Samba NT4-like / classic domains
+================================
+
+In NT4-like domains Samba does not provide a replication service (this
+is done at lower layers, like OpenLDAP), but changing machine account
+passwords can allow the attacker limited rights, similar to any other
+member server or trusted domain. This includes disclosure of session
+keys and inter-domain trust passwords (only), as well as general
+denial of service to the domain member selected.
+
+Therefore while still real, the risk is lower in these domains than
+for the AD DC.
+
+File servers and domain members
+===============================
+
+File servers and domain members do not run the NETLOGON service in
+supported Samba versions and only need to ensure that they have not
+set 'client schannel = no' for continued operation against secured DCs
+such as Samba 4.8 and later and Windows DCs in 2021. Users running
+Samba as a file server should still patch to ensure the server-side
+mitigations (banning certain un-random values) do not very rarely
+impact service.
+
+Allow listed exceptions
+=======================
+
+Some domains employ third-party software that will not work with a
+'server schannel = yes'. For these cases patches are available that
+allow specific machines to use insecure netlogon. For example, the
+following smb.conf:
+
+ server schannel = yes
+ server require schannel:triceratops$ = no
+ server require schannel:greywacke$ = no
+
+will allow only "triceratops$" and "greywacke$" to avoid schannel.
+
+Exploitability of Samba despite 'server schannel = yes'
+=======================================================
+
+The published proof of concept exploit for this issue only attempts to
+authenticate to the NetLogon service but does not attempt a takeover of
+the domain.
+
+On domains with 'server schannel = yes', these tests claim to show a
+vulnerability against Samba despite being unable to access any
+privileged functionality.
+
+This Samba release adds additional server checks for the protocol
+attack in the client-specified challenge that provides some protection
+when 'server schannel = no/auto' and avoids this false-positive
+result.
+
+These server checks are identical to the server logic added by
+Microsoft for their patch for the Windows server code for
+CVE-2020-1472. The Samba Team would like to thank Microsoft for their
+disclosure of the method used to prevent the proof of concept exploit
+code from working against such a hardened server.
+
+
+==================
+Patch Availability
+==================
+
+Patches addressing this defect are available at:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.10.18, 4.11.13, and 4.12.7 have been issued as
+security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon as
+possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)
+
+==========
+Workaround
+==========
+
+Users of versions of Samba before 4.8 should set
+
+ server schannel = yes
+
+in their smb.conf and restart Samba (on all domain controllers!)
+
+Users of versions 4.8 and above should ensure their smb.conf either
+a) has the "server schannel = yes" line, or
+b) has no "server schannel" line.
+
+If in doubt, add "server schannel = yes" to your smb.conf.
+
+=======
+Credits
+=======
+
+This problem was originally discovered by Tom Tervoort of Secura,
+though it was not successfully reported to the Samba team before its
+public disclosure.
+
+Stefan Metzmacher made the changes to Samba 4.8 that preemptively
+dodge this bug in default installs.
+
+Andrew Bartlett, Gary Lockyer, Günther Deschner, Jeremy Allison, and
+Stefan Metzmacher have triaged the bug and written patches and tests.
+
+This advisory written by Andrew Bartlett and Douglas Bagnall.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
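Review bot: the new file declares an XHTML 1.0 Transitional doctype but is not well-formed: the heading `<H2>CVE-2020-1472.html` is never closed, and the `<p>` immediately before `<pre>` has no matching `</p>`. Suggest `<h2>CVE-2020-1472</h2>` (lowercase, closed, and without the `.html` suffix, which is the file name rather than a title; the "Subject:" line from the advisory banner would also serve as the heading) and dropping the stray `<p>`. A few typos in the advisory body should also be fixed before this is published: "add this line to the [global] section if their smb.conf file" should read "of their smb.conf file", "by changing the a server password" has a doubled article, "Other consequences includes" should be "include", and "do not very rarely impact service" reads awkwardly (for example "do not, in rare cases, impact service"). Finally, the patch header has only `--- /dev/null` with no `+++` line or `@@` hunk header, so the destination path of the added file is not recorded in the diff.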