Samba's domain controller implementation is affected by the Zerologon vulnerability

Samba project developers have warned users that the Zerologon vulnerability (CVE-2020-1472), recently identified on Windows, also affects Samba-based domain controllers. The vulnerability is caused by flaws in the MS-NRPC protocol and in its use of the AES-CFB8 cipher mode, and if successfully exploited it allows an attacker to gain administrator access to a domain controller.

The essence of the vulnerability is that the MS-NRPC (Netlogon Remote Protocol) protocol allows the authentication exchange to fall back to an RPC connection without encryption. An attacker can then use a flaw in the AES-CFB8 algorithm to spoof a successful login. On average, 256 spoofing attempts are needed to log in as an administrator. The attack does not require a working account on the domain controller: spoofing attempts can be made with an incorrect password. The NTLM authentication request is redirected to the domain controller, which returns an access-denied response, but the attacker can spoof this response so that the attacked system considers the login successful.

In Samba, the vulnerability only affects systems that do not use the "server schannel = yes" setting, which has been the default since Samba 4.8. In particular, systems configured with "server schannel = no" or "server schannel = auto" can be compromised, because those settings allow Samba to fall back to the same flawed AES-CFB8 handling as Windows.

With the reference exploit prototype prepared for Windows, only the ServerAuthenticate3 call works against Samba, while the ServerPasswordSet2 operation fails (the exploit would need to be adapted for Samba). Whether the alternative exploits (1, 2, 3, 4) work has not been reported. Attack attempts can be detected by checking the Samba audit logs for entries mentioning ServerAuthenticate3 and ServerPasswordSet.
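The two defensive checks the article implies, the "server schannel" configuration test and a scan of the audit logs for ServerAuthenticate3 bursts followed by ServerPasswordSet, as one added example script. This is not code from the article or from the Samba project. It assumes: a minimal smb.conf reader (real Samba parses more syntax), that the pre-4.8 default for "server schannel" was "auto" (an assumption; the article only states the 4.8+ default), a constructed log line shape (`<timestamp> netlogon: <operation> client=<ip> ...`) that does not match real Samba output and must be adapted to your own log format, and a burst threshold of 100 calls per 60 s chosen for the example rather than taken from any documentation.

```python
#!/usr/bin/env python3
"""Added example, not the article's or Samba's own code.

1. schannel_exposure(): classify an smb.conf [global] section as 'protected'
   or 'exposed' to CVE-2020-1472 using the rule from the article.
2. find_zerologon_bursts(): flag clients that hammer ServerAuthenticate3
   (the article quotes ~256 attempts on average) and then call
   ServerPasswordSet/ServerPasswordSet2.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Samba version from which the article says "server schannel = yes" is the default.
SAFE_DEFAULT_SINCE = (4, 8, 0)


def parse_smb_conf(text):
    """Minimal smb.conf reader: returns {section: {key: value}}.
    Keys are lower-cased with whitespace collapsed so 'Server  SChannel' and
    'server schannel' match; lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.lower().split())] = value.strip().lower()
    return sections


def schannel_exposure(conf_text, samba_version=SAFE_DEFAULT_SINCE):
    """Only 'server schannel = yes' is safe per the article; 'no' and 'auto'
    leave the AES-CFB8 flaw reachable. If the option is absent, fall back to
    the version default: 'yes' from 4.8 on (article), 'auto' before that
    (assumption made for this example)."""
    value = parse_smb_conf(conf_text).get("global", {}).get("server schannel")
    if value is None:
        value = "yes" if tuple(samba_version) >= SAFE_DEFAULT_SINCE else "auto"
    return "protected" if value in ("yes", "true", "1") else "exposed"


# Constructed line shape for this example (NOT real Samba output):
#   <YYYY-MM-DD HH:MM:SS> netlogon: <operation> client=<ip> ...
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) .*?"
    r"\b(?P<op>ServerAuthenticate3|ServerPasswordSet2?)\b.*?client=(?P<ip>[0-9.]+)"
)


def find_zerologon_bursts(lines, threshold=100, window=timedelta(seconds=60)):
    """Return {ip: {"auth3": peak_calls_in_window, "password_set": bool}} for
    clients exceeding `threshold` ServerAuthenticate3 calls inside any `window`,
    noting whether a ServerPasswordSet(2) from that client followed the burst.
    The threshold is a tuning choice for this example, not a documented value."""
    auth_times = defaultdict(deque)  # per-client sliding window of timestamps
    flagged = {}
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        ip, op = m["ip"], m["op"]
        if op == "ServerAuthenticate3":
            times = auth_times[ip]
            times.append(ts)
            while times and ts - times[0] > window:  # expire old entries
                times.popleft()
            if len(times) > threshold:
                entry = flagged.setdefault(ip, {"auth3": 0, "password_set": False})
                entry["auth3"] = max(entry["auth3"], len(times))
        elif ip in flagged:  # a password set after a burst is the worrying case
            flagged[ip]["password_set"] = True
    return flagged


def constructed_sample_log():
    """Synthetic lines: 300 ServerAuthenticate3 calls in ~40 s from 192.0.2.10,
    then ServerPasswordSet2; plus three normal calls from 192.0.2.20."""
    t0 = datetime(2020, 9, 18, 10, 0, 0)
    fmt = "{:%Y-%m-%d %H:%M:%S} netlogon: {} client={} status={}"
    lines = [fmt.format(t0 + timedelta(milliseconds=i * 133), "ServerAuthenticate3",
                        "192.0.2.10", "NT_STATUS_ACCESS_DENIED") for i in range(300)]
    lines.append(fmt.format(t0 + timedelta(seconds=41), "ServerPasswordSet2",
                            "192.0.2.10", "NT_STATUS_OK"))
    lines += [fmt.format(t0 + timedelta(minutes=i), "ServerAuthenticate3",
                         "192.0.2.20", "NT_STATUS_OK") for i in range(3)]
    return lines


if __name__ == "__main__":
    weak = "[global]\n  server role = active directory domain controller\n  server schannel = auto\n"
    print("weak config :", schannel_exposure(weak))
    print("fixed config:", schannel_exposure(weak.replace("auto", "yes")))
    for ip, info in find_zerologon_bursts(constructed_sample_log()).items():
        print(f"ALERT {ip}: {info['auth3']} ServerAuthenticate3 in window, "
              f"password set followed={info['password_set']}")
```

The log scan keeps a per-client sliding window rather than a global counter so that a busy domain with many legitimate ServerAuthenticate3 calls spread across hosts does not trip the alert, while a single client looping through hundreds of attempts in under a minute does; a ServerPasswordSet from that same client afterwards is the signal to treat as a probable compromise rather than a failed attempt.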

Source: opennet.ru