[Security Question] CVE-2020-1472 Samba vulnerability

aghering

Cadet
Joined
Sep 22, 2020
Messages
2
I have a FreeNAS server with directory services configured and have SMB shares with ACL with LDAP / AD users and groups. I wonder if this vulnerability has an impact on my environment.
Are the developers aware of this CVE, and is FreeNAS, in combination with Windows AD, vulnerable to this? In the event that it is the case, are the developers currently working on this vulnerability, or is this already fixed?

FreeNAS version: FreeNAS-11.3-U4.1

CVE Information
- http://www.vuxml.org/freebsd/24ace516-fad7-11ea-8d8c-005056a311d1.html
- https://www.samba.org/samba/security/CVE-2020-1472.html
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
From the Samba security announcement you linked:
File servers and domain members
===============================

File servers and domain members do not run the NETLOGON service in
supported Samba versions and only need to ensure that they have not
set 'client schannel = no' for continued operation against secured DCs
such as Samba 4.8 and later and Windows DCs in 2021. Users running
Samba as a file server should still patch to ensure the server-side
mitigations (banning certain un-random values) do not very rarely
impact service.
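
The check the quoted announcement asks of file servers and domain members ("have not set 'client schannel = no'") can be automated. The following is an added example, not part of the thread and not Samba or FreeNAS code; the function name and the sample configuration are constructed for illustration, and include directives are not followed.

```python
import re

# Spellings Samba's boolean parser treats as "off".
FALSE_VALUES = {"no", "false", "0", "off"}

# Constructed sample smb.conf, not taken from any real server.
SAMPLE = """[global]
    workgroup = EXAMPLE
    ; client schannel = no
    Client  Schannel = No
[share]
    path = /mnt/tank/share
"""

def find_client_schannel_disabled(conf_text):
    """Return (section, line_no, value) for each 'client schannel' set to off."""
    findings = []
    section = ""   # no section header seen yet
    pending = ""   # text carried over from a line ending in a backslash
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):          # smb.conf line continuation
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        # Case and whitespace in parameter names are irrelevant to Samba.
        key = re.sub(r"\s+", "", name).lower()
        if key == "clientschannel" and value.strip().lower() in FALSE_VALUES:
            findings.append((section, line_no, value.strip()))
    return findings

if __name__ == "__main__":
    for section, line_no, value in find_client_schannel_disabled(SAMPLE):
        print(f"line {line_no} [{section}]: client schannel = {value}")
```

To cover settings pulled in from included files, run the function over the output of `testparm -s` rather than the raw configuration file.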