Univention Bugzilla – Bug 52041
[CVE-2020-1472] Zerologon impact on Samba in UCS
Last modified: 2020-09-23 18:13:56 CEST
According to upstream information, Samba is not affected when the server option 'server schannel = yes' is configured; this is the default in Samba and in UCS. https://bugzilla.samba.org/show_bug.cgi?id=14497
SDB article with more information and links: https://help.univention.com/t/16107
Tested with zerologon_tester.py from https://github.com/SecuraBV/CVE-2020-1472. The default Samba app installation is unaffected, with multiple runs of the tool (the way the test works has a 0.04% false negative chance). When configuring "server schannel = no" in smb.conf, the check reliably detects the vulnerability.
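Added example (not part of the bug report or of Samba/UCS): a small defender-side audit that parses an smb.conf and reports the effective 'server schannel' value, treating an absent parameter as Samba's default of 'yes' as the comments above state; the two sample configurations are constructed for the demonstration.

```python
# Audit smb.conf for the 'server schannel' option (CVE-2020-1472 context).
# Samba parameter names are case-insensitive and ignore internal whitespace,
# so keys are normalised before lookup. Sample configs are constructed.
import re


def parse_smb_conf(text):
    """Return the [global] section of an smb.conf-style text as a dict."""
    params = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment lines only
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def server_schannel_state(text):
    """Effective value: 'yes', 'no' or 'auto'; absent -> Samba default 'yes'."""
    value = parse_smb_conf(text).get("serverschannel", "yes").lower()
    if value in ("yes", "true", "1"):
        return "yes"
    if value in ("no", "false", "0"):
        return "no"
    return "auto"  # 'auto' still permits the insecure netlogon fallback


def is_zerologon_mitigated(text):
    """True only when 'server schannel' resolves to 'yes' (the UCS default)."""
    return server_schannel_state(text) == "yes"


DEFAULT_CONF = """[global]
workgroup = EXAMPLE
# no 'server schannel' line: Samba's built-in default (yes) applies
[homes]
server schannel = no
"""
WEAK_CONF = """[global]
workgroup = EXAMPLE
Server SChannel = no
"""

if __name__ == "__main__":
    for name, conf in (("default", DEFAULT_CONF), ("weak", WEAK_CONF)):
        print(name, server_schannel_state(conf), is_zerologon_mitigated(conf))
```

The 'server schannel = no' line under [homes] in the first sample is deliberately ignored because the option is global-only.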
Samba mailing list announcement: https://lists.samba.org/archive/samba-announce/2020/000534.html
As the default UCS configuration is secure, we can resolve this as worksforme. Further improvements from upstream will be incorporated in future samba versions in UCS.
A mitigation is available with Samba 4.10.18, see bug 52130.