Univention Bugzilla – Bug 52041
[CVE-2020-1472] Zerologon impact on Samba in UCS
Last modified: 2020-09-23 18:13:56 CEST
According to upstream information, Samba is not affected when the server option 'server schannel = yes' is configured - this is the default in Samba and in UCS.
SDB article with more information and links:
Tested with zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472
The default Samba app installation is unaffected, with multiple runs of the tool (the way the test works has a 0.04% false-negative chance).
When configuring "server schannel = no" in smb.conf, the check reliably detects the vulnerability.
Samba mailing list announcement
As the default UCS configuration is secure, we can resolve this as worksforme. Further improvements from upstream will be incorporated in future samba versions in UCS.
A mitigation is available with Samba 4.10.18, see bug 52130
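The smb.conf check behind the comments above, as an added example that is not Univention's or Samba's own code: a small Python audit that reads smb.conf the way Samba does (section headers, '#'/';' comments, case- and whitespace-insensitive parameter names) and reports whether the [global] 'server schannel' value is the safe default 'yes' (or unset), the vulnerable 'no' used to reproduce the issue, or another value that needs manual review. The sample configs are constructed; 'include' and 'config file' directives are not followed.

```python
"""Audit smb.conf for the Zerologon-relevant 'server schannel' setting.
Added example (not Univention's/Samba's code). Assumes plain smb.conf syntax;
'include =' / 'config file =' directives are deliberately not followed."""
from typing import Dict, Optional


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {parameter: value}}, names lower-cased."""
    sections: Dict[str, Dict[str, str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})   # repeated [global] blocks merge
            continue
        if current is None or "=" not in line:
            continue                      # junk outside any section
        key, _, value = line.partition("=")
        # Samba ignores case and internal whitespace in parameter names,
        # and strips leading/trailing whitespace from values.
        key = " ".join(key.split()).lower()
        sections[current][key] = value.strip()
    return sections


def schannel_status(text: str) -> str:
    """'hardened'   -> 'server schannel' is 'yes' or unset (default is yes)
       'vulnerable' -> explicitly 'no' (the setting used to reproduce the bug)
       'review'     -> any other value; not covered here, inspect manually"""
    value = parse_smb_conf(text).get("global", {}).get("server schannel")
    if value is None or value.lower() == "yes":
        return "hardened"
    if value.lower() == "no":
        return "vulnerable"
    return "review"


# Constructed sample configurations
DEFAULT_CONF = "[global]\n\tworkgroup = EXAMPLE\n\tserver role = active directory domain controller\n"
WEAK_CONF = DEFAULT_CONF + "\t# disabled for a legacy client\n\tServer  Schannel = No\n"
COMMENTED_CONF = DEFAULT_CONF + "\t; server schannel = no\n"

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("weak", WEAK_CONF), ("commented", COMMENTED_CONF)):
        print(f"{name}: {schannel_status(conf)}")
```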