Samba Badlock is specifically a Samba vulnerability, but Centrify itself uses those RPC subprotocols via 'adsmb', Has the adsmb component been tested against the vulnerabilities associated with Samba? Is there an assurance that the Samba related issues due to SMB protocol vulnerability are not present in adsmb?
Answer:
To answer the above question, Engineering assured the following:
adsmb does not use DCE-RPC at all. It uses SMB transport directly (note that DCE-RPC is on top of SMB). There fore the issue with RPC is not relevant.
adsmb uses kerberos authentication to establish connection with DC or Samba server.
adsmb enforces SMB signing, it will close connection on signature mismatch.
DirectControl always enforces LDAP integrity, by default we use LDAP privacy (encrypted).
All the vulnerability involves attacking server by using some hi-jacking mechanism to dumb protocol down, for example, not require signing, or connect without credential. On the server end (Domain Controller and Samba) this is fixed by Samba.org and Microsoft.
Please note on the following circumstances:
If customer is running Centrify DirectControl version 5.3.0 and lower, Support recommend to upgrade to Suite 2016.1 (CDC 5.3.1) where there is bug fix for SMB signing area.
SMB3 (encrypted SMB) and Kerberos Armoring (FAST) is currently NOT supported in Suite 2016.1 and earlier releases, Centrify Engineering are working on Kerberos library upgrade in Suite 2017 in order to support these 2 features.