Bug 52041 - [CVE-2020-1472] Zerologin impact on Samba in UCS
Status: RESOLVED WORKSFORME
Product: UCS
Classification: Unclassified
Component: Samba
UCS 4.4
Other Linux
Importance: P5 normal
Assigned To: Erik Damrose
Arvid Requate
Reported: 2020-09-16 12:16 CEST by Erik Damrose
Modified: 2020-09-23 18:13 CEST
What kind of report is it?: Development Internal
Description Erik Damrose univentionstaff 2020-09-16 12:16:24 CEST
According to upstream information, Samba is not affected when the server option 'server schannel = yes' is configured - this is the default in Samba and in UCS.

https://bugzilla.samba.org/show_bug.cgi?id=14497

SDB article with more information and links:
https://help.univention.com/t/16107
Comment 1 Erik Damrose univentionstaff 2020-09-16 12:29:51 CEST
Tested with zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472

Default samba app installation is unaffected, with multiple runs of the tool (the way the test works has a 0.04% false negative chance).

When configuring "server schannel = no" in smb.conf, the check reliably detects the vulnerability.
Comment 2 Erik Damrose univentionstaff 2020-09-16 15:40:04 CEST
Samba mailing list announcement
https://lists.samba.org/archive/samba-announce/2020/000534.html
Comment 3 Erik Damrose univentionstaff 2020-09-17 17:39:24 CEST
As the default UCS configuration is secure, we can resolve this as worksforme. Further improvements from upstream will be incorporated in future samba versions in UCS.
Comment 4 Erik Damrose univentionstaff 2020-09-23 18:13:56 CEST
A mitigation is available with Samba 4.10.18, see bug 52130
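
The description and comment 1 both turn on the value of 'server schannel' in smb.conf. The following configuration audit is an added example, not part of the original bug report or of UCS or Samba code. The function names and both sample configurations are constructed, it does not follow `include` directives, and it flags any value other than a boolean true spelling (an assumption that covers `no` and `auto`).

```python
"""Audit smb.conf text for the 'server schannel' setting (added example)."""

TRUE_WORDS = {"yes", "true", "on", "1"}   # boolean true spellings Samba accepts


def _norm(name):
    # smb.conf ignores case and all whitespace in section and parameter names
    return "".join(name.split()).lower()


def global_params(text):
    """Return {normalized name: value} for [global]; the last assignment wins."""
    params, section, pending = {}, None, ""
    for raw in text.splitlines():
        stripped = raw.strip()
        if not pending and (not stripped or stripped[0] in "#;"):
            continue                       # blank line or comment
        line, pending = pending + stripped, ""
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[_norm(name)] = value.strip()
    return params


def audit_schannel(text):
    """Return (ok, detail). An unset option is ok because the default is 'yes'."""
    value = global_params(text).get("serverschannel")
    if value is None:
        return True, "not set, default 'yes' applies"
    if value.lower() in TRUE_WORDS:
        return True, "explicitly set to %r" % value
    # Assumption: anything else (for example 'no' or 'auto') is reported.
    return False, "set to %r, secure channel is not enforced" % value


# Constructed sample configurations, not taken from a real UCS system.
DEFAULT_CONF = "[global]\n\tworkgroup = EXAMPLE\n\trealm = EXAMPLE.TEST\n"
WEAK_CONF = ("[global]\n  # lab override\n  Server  SChannel = No\n"
             "[sysvol]\n  path = /srv\n")

if __name__ == "__main__":
    for label, conf in (("default", DEFAULT_CONF), ("weak", WEAK_CONF)):
        print(label, audit_schannel(conf))
```

On a live host, `testparm -sv` prints the effective configuration including defaults and included files, and is the authoritative source.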