ZeroLogon, a recently disclosed privilege escalation bug in Microsoft's Netlogon Remote Control Protocol for Domain Controllers (MS-NRPC), with a 10.0 out of 10 severity rating, also affects Linux systems.

The privilege escalation vulnerability is due to the insecure use of AES-CFB8 encryption for Netlogon sessions, which allows remote attackers to establish connection to the targeted domain controller over Netlogon Remote Protocol.

While Samba, an SMB networking protocol for Linux systems versions 4.8 (and above) are vulnerable if they have the "server schannel" parameter set to either "no" or "auto", which also, versions 4.7 and below are vulnerable if they've set up "server schannel = yes" in the smb.conf configuration file.

How ZeroLogon Vulnerability affects both Windows Server and Linux Systems



Zerologon is tracked as (CVE-2020-1472) and was discovered by Tom Tervoort of Secura, which privilege escalation vulnerability exists as a result of the insecure usage of AES-CFB8 encryption for Netlogon sessions, thus allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol (MS-NRPC).

The flaw exploits an authentication protocol that validates the identity and authenticity of a domain-joined computer to the Domain Controller, which due to the incorrect use of an AES mode of operation, makes it possible to spoof the identity of the computer account and set empty password for that account in the domain.



Also, an implementation of SMB networking protocol for Linux systems called Samba is vulnerable to the Zerologon flaw. With Samba versions 4.8 and above vulnerable if the "server schannel" parameter is set to either "no" or "auto"; and versions 4.7 and below are vulnerable if set as "server schannel = yes" in the smb.conf configuration file.

The Samba system messaging block file server is used as a domain controller for Windows networks, and is also susceptible to the CVE-2020-1472 ZeroLogon vulnerability, which vulnerability has a CVSS score of 10.0, and was first disclosed to the public as Microsoft released a patch in August.

How to Mitigate against the ZeroLogon Vulnerability



Microsoft is tackling the flaw in two stages, with the first patches released in August, and second phase includes the tightening up of NRP security with enforcement mode set to on by default.

The vendors of Samba are advised to add the settings as follows: for versions 4.8 and above the "server schannel" parameter should be set to either "no" or "auto"; while versions 4.7 and below set as "server schannel = yes" in the smb.conf configuration file. And users are recommended to update their software to the latest software from Microsoft as soon as possible.

ZeroLogon Vulnerability affecting SMB networking protocol for Linux systems

ZeroLogon, a recently disclosed privilege escalation bug in Microsoft's Netlogon Remote Control Protocol for Domain Controllers (MS-NRPC), with a 10.0 out of 10 severity rating, also affects Linux systems.

The privilege escalation vulnerability is due to the insecure use of AES-CFB8 encryption for Netlogon sessions, which allows remote attackers to establish connection to the targeted domain controller over Netlogon Remote Protocol.

While Samba, an SMB networking protocol for Linux systems versions 4.8 (and above) are vulnerable if they have the "server schannel" parameter set to either "no" or "auto", which also, versions 4.7 and below are vulnerable if they've set up "server schannel = yes" in the smb.conf configuration file.

How ZeroLogon Vulnerability affects both Windows Server and Linux Systems



Zerologon is tracked as (CVE-2020-1472) and was discovered by Tom Tervoort of Secura, which privilege escalation vulnerability exists as a result of the insecure usage of AES-CFB8 encryption for Netlogon sessions, thus allowing remote attackers to establish a connection to the targeted domain controller over Netlogon Remote Protocol (MS-NRPC).

The flaw exploits an authentication protocol that validates the identity and authenticity of a domain-joined computer to the Domain Controller, which due to the incorrect use of an AES mode of operation, makes it possible to spoof the identity of the computer account and set empty password for that account in the domain.



Also, an implementation of SMB networking protocol for Linux systems called Samba is vulnerable to the Zerologon flaw. With Samba versions 4.8 and above vulnerable if the "server schannel" parameter is set to either "no" or "auto"; and versions 4.7 and below are vulnerable if set as "server schannel = yes" in the smb.conf configuration file.

The Samba system messaging block file server is used as a domain controller for Windows networks, and is also susceptible to the CVE-2020-1472 ZeroLogon vulnerability, which vulnerability has a CVSS score of 10.0, and was first disclosed to the public as Microsoft released a patch in August.

How to Mitigate against the ZeroLogon Vulnerability



Microsoft is tackling the flaw in two stages, with the first patches released in August, and second phase includes the tightening up of NRP security with enforcement mode set to on by default.

The vendors of Samba are advised to add the settings as follows: for versions 4.8 and above the "server schannel" parameter should be set to either "no" or "auto"; while versions 4.7 and below set as "server schannel = yes" in the smb.conf configuration file. And users are recommended to update their software to the latest software from Microsoft as soon as possible.

No comments