== Subject:     Unauthenticated domain takeover via netlogon ("ZeroLogon")
== CVE ID#:     CVE-2020-1472
== Versions:    Samba 4.0 and later
== Summary:     An unauthenticated attacker on the network can gain
==              administrator access by exploiting a netlogon
==              protocol flaw.


The following applies to Samba used as domain controller only (most
seriously the Active Directory DC, but also the classic/NT4-style DC).

Installations running Samba as a file server only are not directly
affected by this flaw, though they may need configuration changes to
continue to talk to domain controllers (see "file servers and domain
members" below).

The netlogon protocol contains a flaw that allows an authentication
bypass. This was reported and patched by Microsoft as CVE-2020-1472.
Since the bug is a protocol level flaw, and Samba implements the
protocol, Samba is also vulnerable.

However, since version 4.8 (released in March 2018), the default
behaviour of Samba has been to insist on a secure netlogon channel,
which is a sufficient fix against the known exploits. This default is
equivalent to having 'server schannel = yes' in the smb.conf.

Therefore versions 4.8 and above are not vulnerable unless they have
the smb.conf lines 'server schannel = no' or 'server schannel = auto'.

Samba versions 4.7 and below are vulnerable unless they have 'server
schannel = yes' in the smb.conf.

Note each domain controller needs the correct settings in its smb.conf.

Vendors supporting Samba 4.7 and below are advised to patch their
installations and packages to add this line to the [global] section if
their smb.conf file.

The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
'FullSecureChannelProtection=1' registry key, the introduction of
which we understand forms the core of Microsoft's fix.


The exploitation of this issue is by changing the a server password.
In an AD domain changing a DC password allows full password database
disclosure including the krbtgt password, unsalted MD4 password hash
(the 'NT Hash') for each user, and the LM password hash if stored.
(Via DRS replication).

The krbtgt password allows the attacker to issue a 'golden ticket' to
themselves and return to take over the domain at any point in the

Other consequences includes disclosure of session keys, as well as
general denial of service to the trust account selected.

Samba NT4-like / classic domains

In NT4-like domains Samba does not provide a replication service (this
is done at lower layers, like OpenLDAP), but changing machine account
passwords can allow the attacker limited rights, similar to any other
member server or trusted domain. This includes disclosure of session
keys and inter-domain trust passwords (only), as well as general
denial of service to the domain member selected.

Therefore while still real, the risk is lower in these domains than
for the AD DC.

File servers and domain members

File servers and domain members do not run the NETLOGON service in
supported Samba versions and only need to ensure that they have not
set 'client schannel = no' for continued operation against secured DCs
such as Samba 4.8 and later and Windows DCs in 2021. Users running
Samba as a file server should still patch to ensure the server-side
mitigations (banning certain un-random values) do not very rarely
impact service.

Allow listed exceptions

Some domains employ third-party software that will not work with a
'server schannel = yes'. For these cases patches are available that
allow specific machines to use insecure netlogon. For example, the
following smb.conf:

   server schannel = yes
   server require schannel:triceratops$ = no
   server require schannel:greywacke$ = no

will allow only "triceratops$" and "greywacke$" to avoid schannel.

Exploitability of Samba despite 'server schannel = yes'

The published proof of concept exploit for this issue only attempts to
authenticate to the NetLogon service but does not attempt a takeover of
the domain.

On domains with 'server schannel = yes', these tests claim to show a
vulnerability against Samba despite being unable to access any
privileged functionality.

This Samba release adds additional server checks for the protocol
attack in the client-specified challenge that provides some protection
when 'server schannel = no/auto' and avoids this false-positive

These server checks are identical to the server logic added by
Microsoft for their patch for the Windows server code for
CVE-2020-1472. The Samba Team would like to thank Microsoft for their
disclosure of the method used to prevent the proof of concept exploit
code from working against such a hardened server.

Patch Availability

Patches addressing this defect are available at:

Additionally, Samba 4.10.18, 4.11.13, and 4.12.7 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8)


Users of versions of Samba before 4.8 should set

    server schannel = yes

in their smb.conf and restart Samba (on all domain controllers!)

Users of versions 4.8 and above should ensure their smb.conf either
a) has the "server schannel = yes" line, or
b) has no "server schannel" line.

If in doubt, add "server schannel = yes" to your smb.conf.


This problem was originally discovered by Tom Tervoort of Secura,
though it was not successfully reported to the Samba team before its
public disclosure.

Stefan Metzmacher made the changes to Samba 4.8 that preemptively
dodge this bug in default installs.

Andrew Bartlett, Gary Lockyer, G√ľnther Deschner, Jeremy Allison, and
Stefan Metzmacher have triaged the bug and written patches and tests.

This advisory written by Andrew Bartlett and Douglas Bagnall.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team