|
 |
cb0e04 |
From e39dcc08705f0bf59a57ad835821cef41ec8b1e6 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
Date: Tue, 6 Dec 2022 16:00:36 +0100
|
|
|
cb0e04 |
Subject: [PATCH 01/30] CVE-2022-38023 docs-xml: improve wording for several
|
|
|
cb0e04 |
options: "takes precedence" -> "overrides"
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +-
|
|
|
cb0e04 |
docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
|
|
|
cb0e04 |
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +-
|
|
|
cb0e04 |
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
|
|
|
cb0e04 |
4 files changed, 4 insertions(+), 4 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
index 41684ef10805..0bb9f6f6c8ec 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
@@ -10,7 +10,7 @@
|
|
|
cb0e04 |
<para>You can set this to yes if all domain members support aes.
|
|
|
cb0e04 |
This will prevent downgrade attacks.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
|
|
|
cb0e04 |
+ <para>This option overrides the 'allow nt4 crypto' option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">no</value>
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
index b682d086f76b..79e4e73a95c9 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
@@ -59,7 +59,7 @@
|
|
|
cb0e04 |
See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
|
|
|
cb0e04 |
+ <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<programlisting>
|
|
|
cb0e04 |
server require schannel:LEGACYCOMPUTER1$ = no
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
|
cb0e04 |
index 37656293aa47..151b4676c57b 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
|
cb0e04 |
@@ -15,7 +15,7 @@
|
|
|
cb0e04 |
<para>The behavior can be controlled per netbios domain
|
|
|
cb0e04 |
by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
|
|
|
cb0e04 |
+ <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">no</value>
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
|
|
|
cb0e04 |
index 4db62bfb02db..b17620ec8f1d 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
|
|
|
cb0e04 |
@@ -19,7 +19,7 @@
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
|
|
|
cb0e04 |
+ <para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">yes</value>
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 75fcaa4792afde7599d23316788ce8bbf780fe8a Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
Date: Tue, 6 Dec 2022 16:05:26 +0100
|
|
|
cb0e04 |
Subject: [PATCH 02/30] CVE-2022-38023 docs-xml: improve wording for several
|
|
|
cb0e04 |
options: "yields precedence" -> "is over-riden"
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +-
|
|
|
cb0e04 |
docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +-
|
|
|
cb0e04 |
docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
|
|
|
cb0e04 |
docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
|
|
|
cb0e04 |
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
|
|
|
cb0e04 |
5 files changed, 5 insertions(+), 5 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
index 03dc8fa93f72..06afcef73b1b 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
@@ -18,7 +18,7 @@
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option yields precedence to the 'reject md5 clients' option.</para>
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the 'reject md5 clients' option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">no</value>
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
|
|
|
cb0e04 |
index 03531adbfb36..8bccab391cc2 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
|
|
|
cb0e04 |
@@ -15,7 +15,7 @@
|
|
|
cb0e04 |
<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
|
|
|
cb0e04 |
winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option yields precedence to the implementation specific restrictions.
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the implementation specific restrictions.
|
|
|
cb0e04 |
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
|
|
|
cb0e04 |
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
|
|
|
cb0e04 |
index 5b07da95050c..d124ad481818 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/security/clientschannel.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
|
|
|
cb0e04 |
@@ -23,7 +23,7 @@
|
|
|
cb0e04 |
<para>Note that for active directory domains this is hardcoded to
|
|
|
cb0e04 |
<smbconfoption name="client schannel">yes</smbconfoption>.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
<value type="default">yes</value>
|
|
|
cb0e04 |
<value type="example">auto</value>
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
index 79e4e73a95c9..3e66df1c2032 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
@@ -23,7 +23,7 @@
|
|
|
cb0e04 |
<para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
|
|
|
cb0e04 |
index b17620ec8f1d..9c1c1d7af148 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
|
|
|
cb0e04 |
@@ -17,7 +17,7 @@
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>Note for active directory domain this option is hardcoded to 'yes'</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From cbf7cf691860d92c1890009b639a1fd495cf1cf2 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 14:46:59 +0100
|
|
|
cb0e04 |
Subject: [PATCH 03/30] CVE-2022-38023 libcli/auth: pass lp_ctx to
|
|
|
cb0e04 |
netlogon_creds_cli_set_global_db()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
libcli/auth/netlogon_creds_cli.c | 3 ++-
|
|
|
cb0e04 |
libcli/auth/netlogon_creds_cli.h | 2 +-
|
|
|
cb0e04 |
source3/rpc_client/cli_netlogon.c | 2 +-
|
|
|
cb0e04 |
source3/utils/destroy_netlogon_creds_cli.c | 2 +-
|
|
|
cb0e04 |
4 files changed, 5 insertions(+), 4 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
index e92a042c0120..030191174dca 100644
|
|
|
cb0e04 |
--- a/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
+++ b/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
@@ -202,7 +202,8 @@ static NTSTATUS netlogon_creds_cli_context_common(
|
|
|
cb0e04 |
|
|
|
cb0e04 |
static struct db_context *netlogon_creds_cli_global_db;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
|
|
|
cb0e04 |
+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
|
|
|
cb0e04 |
+ struct db_context **db)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
if (netlogon_creds_cli_global_db != NULL) {
|
|
|
cb0e04 |
return NT_STATUS_INVALID_PARAMETER_MIX;
|
|
|
cb0e04 |
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
|
|
|
cb0e04 |
index 6f40a46aa0a6..d10197c2d2af 100644
|
|
|
cb0e04 |
--- a/libcli/auth/netlogon_creds_cli.h
|
|
|
cb0e04 |
+++ b/libcli/auth/netlogon_creds_cli.h
|
|
|
cb0e04 |
@@ -31,7 +31,7 @@ struct messaging_context;
|
|
|
cb0e04 |
struct dcerpc_binding_handle;
|
|
|
cb0e04 |
struct db_context;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
|
|
|
cb0e04 |
+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db);
|
|
|
cb0e04 |
NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
|
|
|
cb0e04 |
void netlogon_creds_cli_close_global_db(void);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
|
|
|
cb0e04 |
index 50dae9d7f3eb..18664e8b91af 100644
|
|
|
cb0e04 |
--- a/source3/rpc_client/cli_netlogon.c
|
|
|
cb0e04 |
+++ b/source3/rpc_client/cli_netlogon.c
|
|
|
cb0e04 |
@@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
|
|
|
cb0e04 |
return NT_STATUS_NO_MEMORY;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- status = netlogon_creds_cli_set_global_db(&global_db);
|
|
|
cb0e04 |
+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(status)) {
|
|
|
cb0e04 |
return status;
|
|
|
cb0e04 |
diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c
|
|
|
cb0e04 |
index f28cad527dfb..a2e1952e434c 100644
|
|
|
cb0e04 |
--- a/source3/utils/destroy_netlogon_creds_cli.c
|
|
|
cb0e04 |
+++ b/source3/utils/destroy_netlogon_creds_cli.c
|
|
|
cb0e04 |
@@ -82,7 +82,7 @@ int main(int argc, const char *argv[])
|
|
|
cb0e04 |
goto done;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- status = netlogon_creds_cli_set_global_db(&global_db);
|
|
|
cb0e04 |
+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(status)) {
|
|
|
cb0e04 |
fprintf(stderr,
|
|
|
cb0e04 |
"netlogon_creds_cli_set_global_db failed: %s\n",
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 2c4f9869b208cfd969607248420e36e3bd4aecfa Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 14:47:33 +0100
|
|
|
cb0e04 |
Subject: [PATCH 04/30] CVE-2022-38023 libcli/auth: add/use
|
|
|
cb0e04 |
netlogon_creds_cli_warn_options()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This warns the admin about insecure options
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
(similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
|
|
|
cb0e04 |
[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
|
|
|
cb0e04 |
getpid()]
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++
|
|
|
cb0e04 |
libcli/auth/netlogon_creds_cli.h | 2 +
|
|
|
cb0e04 |
2 files changed, 68 insertions(+)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
index 030191174dca..3794d8b6b6ef 100644
|
|
|
cb0e04 |
--- a/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
+++ b/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
@@ -205,6 +205,8 @@ static struct db_context *netlogon_creds_cli_global_db;
|
|
|
cb0e04 |
NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
|
|
|
cb0e04 |
struct db_context **db)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
+ netlogon_creds_cli_warn_options(lp_ctx);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (netlogon_creds_cli_global_db != NULL) {
|
|
|
cb0e04 |
return NT_STATUS_INVALID_PARAMETER_MIX;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -219,6 +221,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
|
|
|
cb0e04 |
struct db_context *global_db;
|
|
|
cb0e04 |
int hash_size, tdb_flags;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ netlogon_creds_cli_warn_options(lp_ctx);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (netlogon_creds_cli_global_db != NULL) {
|
|
|
cb0e04 |
return NT_STATUS_OK;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -259,6 +263,68 @@ void netlogon_creds_cli_close_global_db(void)
|
|
|
cb0e04 |
TALLOC_FREE(netlogon_creds_cli_global_db);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
|
|
|
cb0e04 |
+{
|
|
|
cb0e04 |
+ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
|
|
|
cb0e04 |
+ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
|
|
|
cb0e04 |
+ int global_client_schannel = lpcfg_client_schannel(lp_ctx);
|
|
|
cb0e04 |
+ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
|
|
|
cb0e04 |
+ static bool warned_global_reject_md5_servers = false;
|
|
|
cb0e04 |
+ static bool warned_global_require_strong_key = false;
|
|
|
cb0e04 |
+ static bool warned_global_client_schannel = false;
|
|
|
cb0e04 |
+ static bool warned_global_seal_secure_channel = false;
|
|
|
cb0e04 |
+ static int warned_global_pid = 0;
|
|
|
cb0e04 |
+ int current_pid = getpid();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (warned_global_pid != current_pid) {
|
|
|
cb0e04 |
+ warned_global_reject_md5_servers = false;
|
|
|
cb0e04 |
+ warned_global_require_strong_key = false;
|
|
|
cb0e04 |
+ warned_global_client_schannel = false;
|
|
|
cb0e04 |
+ warned_global_seal_secure_channel = false;
|
|
|
cb0e04 |
+ warned_global_pid = current_pid;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
|
cb0e04 |
+ "Please configure 'reject md5 servers = yes' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
|
cb0e04 |
+ warned_global_reject_md5_servers = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (!global_require_strong_key && !warned_global_require_strong_key) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
|
cb0e04 |
+ "Please configure 'require strong key = yes' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
|
cb0e04 |
+ warned_global_require_strong_key = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (global_client_schannel != true && !warned_global_client_schannel) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
|
cb0e04 |
+ "Please configure 'client schannel = yes' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
|
cb0e04 |
+ warned_global_client_schannel = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
|
cb0e04 |
+ "Please configure 'winbind sealed pipes = yes' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
|
cb0e04 |
+ warned_global_seal_secure_channel = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+}
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
|
|
cb0e04 |
struct messaging_context *msg_ctx,
|
|
|
cb0e04 |
const char *client_account,
|
|
|
cb0e04 |
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
|
|
|
cb0e04 |
index d10197c2d2af..600242e1aea7 100644
|
|
|
cb0e04 |
--- a/libcli/auth/netlogon_creds_cli.h
|
|
|
cb0e04 |
+++ b/libcli/auth/netlogon_creds_cli.h
|
|
|
cb0e04 |
@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
|
|
|
cb0e04 |
NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
|
|
|
cb0e04 |
void netlogon_creds_cli_close_global_db(void);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
|
|
cb0e04 |
struct messaging_context *msg_ctx,
|
|
|
cb0e04 |
const char *client_account,
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 558c68e0915885ed77b3d02e52d93f4c64a0e20e Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 16:16:05 +0100
|
|
|
cb0e04 |
Subject: [PATCH 05/30] CVE-2022-38023 s3:net: add and use
|
|
|
cb0e04 |
net_warn_member_options() helper
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This makes sure domain member related 'net' commands print warnings
|
|
|
cb0e04 |
about unsecure smb.conf options.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source3/utils/net.c | 6 ++++++
|
|
|
cb0e04 |
source3/utils/net_ads.c | 14 ++++++++++++++
|
|
|
cb0e04 |
source3/utils/net_dom.c | 2 ++
|
|
|
cb0e04 |
source3/utils/net_join.c | 2 ++
|
|
|
cb0e04 |
source3/utils/net_offlinejoin.c | 2 ++
|
|
|
cb0e04 |
source3/utils/net_proto.h | 2 ++
|
|
|
cb0e04 |
source3/utils/net_rpc.c | 10 ++++++++++
|
|
|
cb0e04 |
source3/utils/net_util.c | 14 ++++++++++++++
|
|
|
cb0e04 |
8 files changed, 52 insertions(+)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source3/utils/net.c b/source3/utils/net.c
|
|
|
cb0e04 |
index e1e14743c117..b96d7f5d9d48 100644
|
|
|
cb0e04 |
--- a/source3/utils/net.c
|
|
|
cb0e04 |
+++ b/source3/utils/net.c
|
|
|
cb0e04 |
@@ -85,6 +85,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
static int net_changetrustpw(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (net_ads_check_our_domain(c) == 0)
|
|
|
cb0e04 |
return net_ads_changetrustpw(c, argc, argv);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -112,6 +114,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc,
|
|
|
cb0e04 |
return 1;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (c->opt_stdin) {
|
|
|
cb0e04 |
set_line_buffering(stdin);
|
|
|
cb0e04 |
set_line_buffering(stdout);
|
|
|
cb0e04 |
@@ -193,6 +197,8 @@ static int net_changesecretpw(struct net_context *c, int argc,
|
|
|
cb0e04 |
return 1;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if(c->opt_force) {
|
|
|
cb0e04 |
struct secrets_domain_info1 *info = NULL;
|
|
|
cb0e04 |
struct secrets_domain_info1_change *prev = NULL;
|
|
|
cb0e04 |
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
|
|
|
cb0e04 |
index d666f7fc3ec9..cc0d4a0d966c 100644
|
|
|
cb0e04 |
--- a/source3/utils/net_ads.c
|
|
|
cb0e04 |
+++ b/source3/utils/net_ads.c
|
|
|
cb0e04 |
@@ -1306,6 +1306,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (!ADS_ERR_OK(ads_startup(c, true, &ads))) {
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -1447,6 +1449,8 @@ static NTSTATUS net_ads_join_ok(struct net_context *c)
|
|
|
cb0e04 |
return NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
net_use_krb_machine_account(c);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
|
|
|
cb0e04 |
@@ -1477,6 +1481,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
/* Display success or failure */
|
|
|
cb0e04 |
status = net_ads_join_ok(c);
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(status)) {
|
|
|
cb0e04 |
@@ -1571,6 +1577,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
if (c->display_usage)
|
|
|
cb0e04 |
return net_ads_join_usage(c, argc, argv);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (!modify_config) {
|
|
|
cb0e04 |
|
|
|
cb0e04 |
werr = check_ads_config();
|
|
|
cb0e04 |
@@ -2505,6 +2513,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
net_use_krb_machine_account(c);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
use_in_memory_ccache();
|
|
|
cb0e04 |
@@ -2778,6 +2788,8 @@ static int net_ads_keytab_add(struct net_context *c,
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
d_printf(_("Processing principals to add...\n"));
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (!c->opt_user_specified && c->opt_password == NULL) {
|
|
|
cb0e04 |
@@ -2822,6 +2834,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (!c->opt_user_specified && c->opt_password == NULL) {
|
|
|
cb0e04 |
net_use_krb_machine_account(c);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c
|
|
|
cb0e04 |
index 13e65a933142..4b48e1566bc8 100644
|
|
|
cb0e04 |
--- a/source3/utils/net_dom.c
|
|
|
cb0e04 |
+++ b/source3/utils/net_dom.c
|
|
|
cb0e04 |
@@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return net_dom_usage(c, argc, argv);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (c->opt_host) {
|
|
|
cb0e04 |
server_name = c->opt_host;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c
|
|
|
cb0e04 |
index 1493dff74d7b..f67f08f79a81 100644
|
|
|
cb0e04 |
--- a/source3/utils/net_join.c
|
|
|
cb0e04 |
+++ b/source3/utils/net_join.c
|
|
|
cb0e04 |
@@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (net_ads_check_our_domain(c) == 0) {
|
|
|
cb0e04 |
if (net_ads_join(c, argc, argv) == 0)
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c
|
|
|
cb0e04 |
index 03e5df0eace9..0cfd5fdfe235 100644
|
|
|
cb0e04 |
--- a/source3/utils/net_offlinejoin.c
|
|
|
cb0e04 |
+++ b/source3/utils/net_offlinejoin.c
|
|
|
cb0e04 |
@@ -49,6 +49,8 @@ int net_offlinejoin(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
status = libnetapi_net_init(&c->netapi_ctx);
|
|
|
cb0e04 |
if (status != 0) {
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
|
|
|
cb0e04 |
index b6ff639a0941..42096ba218d5 100644
|
|
|
cb0e04 |
--- a/source3/utils/net_proto.h
|
|
|
cb0e04 |
+++ b/source3/utils/net_proto.h
|
|
|
cb0e04 |
@@ -442,6 +442,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv,
|
|
|
cb0e04 |
const char *whoami, struct functable *table);
|
|
|
cb0e04 |
void net_display_usage_from_functable(struct functable *table);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+void net_warn_member_options(void);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
const char *net_share_type_str(int num_type);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
NTSTATUS net_scan_dc(struct net_context *c,
|
|
|
cb0e04 |
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
|
|
|
cb0e04 |
index 97c0158d612f..16a541413d2e 100644
|
|
|
cb0e04 |
--- a/source3/utils/net_rpc.c
|
|
|
cb0e04 |
+++ b/source3/utils/net_rpc.c
|
|
|
cb0e04 |
@@ -371,6 +371,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
mem_ctx = talloc_init("net_rpc_oldjoin");
|
|
|
cb0e04 |
if (!mem_ctx) {
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
@@ -490,6 +492,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
mem_ctx = talloc_init("net_rpc_testjoin");
|
|
|
cb0e04 |
if (!mem_ctx) {
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
@@ -564,6 +568,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
mem_ctx = talloc_init("net_rpc_join_newstyle");
|
|
|
cb0e04 |
if (!mem_ctx) {
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
@@ -685,6 +691,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return -1;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (strlen(lp_netbios_name()) > 15) {
|
|
|
cb0e04 |
d_printf(_("Our netbios name can be at most 15 chars long, "
|
|
|
cb0e04 |
"\"%s\" is %u chars long\n"),
|
|
|
cb0e04 |
@@ -815,6 +823,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv)
|
|
|
cb0e04 |
return 0;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ net_warn_member_options();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
return run_rpc_command(c, NULL, &ndr_table_samr,
|
|
|
cb0e04 |
NET_FLAGS_PDC, rpc_info_internals,
|
|
|
cb0e04 |
argc, argv);
|
|
|
cb0e04 |
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
|
|
|
cb0e04 |
index 298d9a64dc0c..f3b7755063bf 100644
|
|
|
cb0e04 |
--- a/source3/utils/net_util.c
|
|
|
cb0e04 |
+++ b/source3/utils/net_util.c
|
|
|
cb0e04 |
@@ -31,6 +31,7 @@
|
|
|
cb0e04 |
#include "libsmb/libsmb.h"
|
|
|
cb0e04 |
#include "lib/param/param.h"
|
|
|
cb0e04 |
#include "auth/gensec/gensec.h"
|
|
|
cb0e04 |
+#include "libcli/auth/netlogon_creds_cli.h"
|
|
|
cb0e04 |
#include "lib/cmdline/cmdline.h"
|
|
|
cb0e04 |
|
|
|
cb0e04 |
NTSTATUS net_rpc_lookup_name(struct net_context *c,
|
|
|
cb0e04 |
@@ -478,6 +479,19 @@ void net_display_usage_from_functable(struct functable *table)
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+void net_warn_member_options(void)
|
|
|
cb0e04 |
+{
|
|
|
cb0e04 |
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
|
cb0e04 |
+ struct loadparm_context *lp_ctx = NULL;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
|
|
|
cb0e04 |
+ if (lp_ctx != NULL) {
|
|
|
cb0e04 |
+ netlogon_creds_cli_warn_options(lp_ctx);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
+}
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
const char *net_share_type_str(int num_type)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
switch(num_type) {
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 9172fa1fe342a13c773d14c73ffcaa9f9561cdc7 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 14:59:36 +0100
|
|
|
cb0e04 |
Subject: [PATCH 06/30] CVE-2022-38023 s3:winbindd: also allow per domain
|
|
|
cb0e04 |
"winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This avoids advising insecure defaults for the global options.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++-------
|
|
|
cb0e04 |
1 file changed, 33 insertions(+), 8 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
|
|
|
cb0e04 |
index 6c6dd88a5aa4..5532e0cd0cc8 100644
|
|
|
cb0e04 |
--- a/source3/winbindd/winbindd_cm.c
|
|
|
cb0e04 |
+++ b/source3/winbindd/winbindd_cm.c
|
|
|
cb0e04 |
@@ -2431,6 +2431,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
|
|
|
cb0e04 |
bool retry = false; /* allow one retry attempt for expired session */
|
|
|
cb0e04 |
const char *remote_name = NULL;
|
|
|
cb0e04 |
const struct sockaddr_storage *remote_sockaddr = NULL;
|
|
|
cb0e04 |
+ bool sealed_pipes = true;
|
|
|
cb0e04 |
+ bool strong_key = true;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (sid_check_is_our_sam(&domain->sid)) {
|
|
|
cb0e04 |
if (domain->rodc == false || need_rw_dc == false) {
|
|
|
cb0e04 |
@@ -2610,14 +2612,24 @@ retry:
|
|
|
cb0e04 |
|
|
|
cb0e04 |
anonymous:
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ sealed_pipes = lp_winbind_sealed_pipes();
|
|
|
cb0e04 |
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
|
|
|
cb0e04 |
+ domain->name,
|
|
|
cb0e04 |
+ sealed_pipes);
|
|
|
cb0e04 |
+ strong_key = lp_require_strong_key();
|
|
|
cb0e04 |
+ strong_key = lp_parm_bool(-1, "require strong key",
|
|
|
cb0e04 |
+ domain->name,
|
|
|
cb0e04 |
+ strong_key);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
/* Finally fall back to anonymous. */
|
|
|
cb0e04 |
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
|
|
cb0e04 |
+ if (sealed_pipes || strong_key) {
|
|
|
cb0e04 |
status = NT_STATUS_DOWNGRADE_DETECTED;
|
|
|
cb0e04 |
DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
|
|
|
cb0e04 |
"without connection level security, "
|
|
|
cb0e04 |
- "must set 'winbind sealed pipes = false' and "
|
|
|
cb0e04 |
- "'require strong key = false' to proceed: %s\n",
|
|
|
cb0e04 |
- domain->name, nt_errstr(status)));
|
|
|
cb0e04 |
+ "must set 'winbind sealed pipes:%s = false' and "
|
|
|
cb0e04 |
+ "'require strong key:%s = false' to proceed: %s\n",
|
|
|
cb0e04 |
+ domain->name, domain->name, domain->name,
|
|
|
cb0e04 |
+ nt_errstr(status)));
|
|
|
cb0e04 |
goto done;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
|
|
|
cb0e04 |
@@ -2774,6 +2786,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
|
|
|
cb0e04 |
bool retry = false; /* allow one retry attempt for expired session */
|
|
|
cb0e04 |
const char *remote_name = NULL;
|
|
|
cb0e04 |
const struct sockaddr_storage *remote_sockaddr = NULL;
|
|
|
cb0e04 |
+ bool sealed_pipes = true;
|
|
|
cb0e04 |
+ bool strong_key = true;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
retry:
|
|
|
cb0e04 |
result = init_dc_connection_rpc(domain, false);
|
|
|
cb0e04 |
@@ -2935,13 +2949,24 @@ retry:
|
|
|
cb0e04 |
goto done;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
|
|
|
cb0e04 |
+ sealed_pipes = lp_winbind_sealed_pipes();
|
|
|
cb0e04 |
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
|
|
|
cb0e04 |
+ domain->name,
|
|
|
cb0e04 |
+ sealed_pipes);
|
|
|
cb0e04 |
+ strong_key = lp_require_strong_key();
|
|
|
cb0e04 |
+ strong_key = lp_parm_bool(-1, "require strong key",
|
|
|
cb0e04 |
+ domain->name,
|
|
|
cb0e04 |
+ strong_key);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ /* Finally fall back to anonymous. */
|
|
|
cb0e04 |
+ if (sealed_pipes || strong_key) {
|
|
|
cb0e04 |
result = NT_STATUS_DOWNGRADE_DETECTED;
|
|
|
cb0e04 |
DEBUG(1, ("Unwilling to make LSA connection to domain %s "
|
|
|
cb0e04 |
"without connection level security, "
|
|
|
cb0e04 |
- "must set 'winbind sealed pipes = false' and "
|
|
|
cb0e04 |
- "'require strong key = false' to proceed: %s\n",
|
|
|
cb0e04 |
- domain->name, nt_errstr(result)));
|
|
|
cb0e04 |
+ "must set 'winbind sealed pipes:%s = false' and "
|
|
|
cb0e04 |
+ "'require strong key:%s = false' to proceed: %s\n",
|
|
|
cb0e04 |
+ domain->name, domain->name, domain->name,
|
|
|
cb0e04 |
+ nt_errstr(result)));
|
|
|
cb0e04 |
goto done;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 434812f94ee12bdb55dbe8072702426f85610c02 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Thu, 24 Nov 2022 18:22:23 +0100
|
|
|
cb0e04 |
Subject: [PATCH 07/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5
|
|
|
cb0e04 |
servers' default to yes
|
|
|
cb0e04 |
|
|
|
cb0e04 |
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
|
|
|
cb0e04 |
reason to allow md5 servers by default.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
|
|
|
cb0e04 |
but avoids confusion while reading the code. Check with:
|
|
|
cb0e04 |
|
|
|
cb0e04 |
git show -U35 libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++--
|
|
|
cb0e04 |
lib/param/loadparm.c | 1 +
|
|
|
cb0e04 |
libcli/auth/netlogon_creds_cli.c | 4 ++--
|
|
|
cb0e04 |
source3/param/loadparm.c | 1 +
|
|
|
cb0e04 |
4 files changed, 9 insertions(+), 4 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
|
cb0e04 |
index 151b4676c57b..3bc4eaf7b02e 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
|
|
|
cb0e04 |
@@ -13,10 +13,13 @@
|
|
|
cb0e04 |
This will prevent downgrade attacks.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>The behavior can be controlled per netbios domain
|
|
|
cb0e04 |
- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
|
|
|
cb0e04 |
+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
|
|
|
cb0e04 |
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
-<value type="default">no</value>
|
|
|
cb0e04 |
+<value type="default">yes</value>
|
|
|
cb0e04 |
</samba:parameter>
|
|
|
cb0e04 |
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
|
cb0e04 |
index d6d845391e6f..e953499efba3 100644
|
|
|
cb0e04 |
--- a/lib/param/loadparm.c
|
|
|
cb0e04 |
+++ b/lib/param/loadparm.c
|
|
|
cb0e04 |
@@ -2666,6 +2666,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
|
|
|
cb0e04 |
+ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
|
|
|
cb0e04 |
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
|
|
|
cb0e04 |
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
index 3794d8b6b6ef..ca5619d38703 100644
|
|
|
cb0e04 |
--- a/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
+++ b/libcli/auth/netlogon_creds_cli.c
|
|
|
cb0e04 |
@@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
|
|
cb0e04 |
const char *client_computer;
|
|
|
cb0e04 |
uint32_t proposed_flags;
|
|
|
cb0e04 |
uint32_t required_flags = 0;
|
|
|
cb0e04 |
- bool reject_md5_servers = false;
|
|
|
cb0e04 |
- bool require_strong_key = false;
|
|
|
cb0e04 |
+ bool reject_md5_servers = true;
|
|
|
cb0e04 |
+ bool require_strong_key = true;
|
|
|
cb0e04 |
int require_sign_or_seal = true;
|
|
|
cb0e04 |
bool seal_secure_channel = true;
|
|
|
cb0e04 |
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
|
|
cb0e04 |
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
|
cb0e04 |
index 21e061939e3e..91747e09eccd 100644
|
|
|
cb0e04 |
--- a/source3/param/loadparm.c
|
|
|
cb0e04 |
+++ b/source3/param/loadparm.c
|
|
|
cb0e04 |
@@ -664,6 +664,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
|
cb0e04 |
Globals.client_schannel = true;
|
|
|
cb0e04 |
Globals.winbind_sealed_pipes = true;
|
|
|
cb0e04 |
Globals.require_strong_key = true;
|
|
|
cb0e04 |
+ Globals.reject_md5_servers = true;
|
|
|
cb0e04 |
Globals.server_schannel = true;
|
|
|
cb0e04 |
Globals.read_raw = true;
|
|
|
cb0e04 |
Globals.write_raw = true;
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 8ccaf7d47ad13313c7a80ac5f857425080d5fbab Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Tue, 6 Dec 2022 10:56:29 +0100
|
|
|
cb0e04 |
Subject: [PATCH 08/30] CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel
|
|
|
cb0e04 |
!= yes' warning to dcesrv_interface_netlogon_bind
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This will simplify the following changes.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++--------
|
|
|
cb0e04 |
1 file changed, 15 insertions(+), 11 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index cfd6d148b0a3..f63c3981f749 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -63,6 +63,21 @@
|
|
|
cb0e04 |
static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
|
|
|
cb0e04 |
const struct dcesrv_interface *iface)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
+ int schannel = lpcfg_server_schannel(lp_ctx);
|
|
|
cb0e04 |
+ bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
+ static bool warned_global_schannel_once = false;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (!schannel_global_required && !warned_global_schannel_once) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ D_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "Please configure 'server schannel = yes' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
|
|
|
cb0e04 |
+ warned_global_schannel_once = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
return dcesrv_interface_bind_reject_connect(context, iface);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -630,7 +645,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
|
cb0e04 |
uint16_t opnum = dce_call->pkt.u.request.opnum;
|
|
|
cb0e04 |
const char *opname = "<unknown>";
|
|
|
cb0e04 |
- static bool warned_global_once = false;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (opnum < ndr_table_netlogon.num_calls) {
|
|
|
cb0e04 |
opname = ndr_table_netlogon.calls[opnum].name;
|
|
|
cb0e04 |
@@ -682,16 +696,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
return NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (!schannel_global_required && !warned_global_once) {
|
|
|
cb0e04 |
- /*
|
|
|
cb0e04 |
- * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
- */
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "Please configure 'server schannel = yes', "
|
|
|
cb0e04 |
- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
|
|
|
cb0e04 |
- warned_global_once = true;
|
|
|
cb0e04 |
- }
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
"%s request (opnum[%u]) WITH schannel from "
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 268d1ac2f8ce3fb92a3433ada5e229d23c18c4f6 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Mon, 12 Dec 2022 14:03:50 +0100
|
|
|
cb0e04 |
Subject: [PATCH 09/30] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx
|
|
|
cb0e04 |
variable to dcesrv_netr_creds_server_step_check()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This will simplify the following changes.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++---
|
|
|
cb0e04 |
1 file changed, 4 insertions(+), 3 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index f63c3981f749..43dcd7271729 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -636,8 +636,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
struct netr_Authenticator *return_authenticator,
|
|
|
cb0e04 |
struct netlogon_creds_CredentialState **creds_out)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
NTSTATUS nt_status;
|
|
|
cb0e04 |
- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
|
|
|
cb0e04 |
+ int schannel = lpcfg_server_schannel(lp_ctx);
|
|
|
cb0e04 |
bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
bool schannel_required = schannel_global_required;
|
|
|
cb0e04 |
const char *explicit_opt = NULL;
|
|
|
cb0e04 |
@@ -653,7 +654,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
dcesrv_call_auth_info(dce_call, &auth_type, NULL);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
nt_status = schannel_check_creds_state(mem_ctx,
|
|
|
cb0e04 |
- dce_call->conn->dce_ctx->lp_ctx,
|
|
|
cb0e04 |
+ lp_ctx,
|
|
|
cb0e04 |
computer_name,
|
|
|
cb0e04 |
received_authenticator,
|
|
|
cb0e04 |
return_authenticator,
|
|
|
cb0e04 |
@@ -668,7 +669,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
* need the explicit_opt pointer in order to
|
|
|
cb0e04 |
* adjust the debug messages.
|
|
|
cb0e04 |
*/
|
|
|
cb0e04 |
- explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx,
|
|
|
cb0e04 |
+ explicit_opt = lpcfg_get_parametric(lp_ctx,
|
|
|
cb0e04 |
NULL,
|
|
|
cb0e04 |
"server require schannel",
|
|
|
cb0e04 |
creds->account_name);
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From e4d8f31296ab5f2013585039a6e47c1a4b826ea8 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Mon, 12 Dec 2022 14:03:50 +0100
|
|
|
cb0e04 |
Subject: [PATCH 10/30] CVE-2022-38023 s4:rpc_server/netlogon: add
|
|
|
cb0e04 |
talloc_stackframe() to dcesrv_netr_creds_server_step_check()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This will simplify the following changes.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++--------
|
|
|
cb0e04 |
1 file changed, 19 insertions(+), 13 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 43dcd7271729..95fd1526d5a5 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -637,6 +637,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
struct netlogon_creds_CredentialState **creds_out)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
|
cb0e04 |
NTSTATUS nt_status;
|
|
|
cb0e04 |
int schannel = lpcfg_server_schannel(lp_ctx);
|
|
|
cb0e04 |
bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
@@ -680,6 +681,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
if (schannel_required) {
|
|
|
cb0e04 |
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
*creds_out = creds;
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
return NT_STATUS_OK;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -687,13 +689,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
"%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
"client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
opname, opnum,
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name),
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->computer_name));
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
|
|
|
cb0e04 |
- "'server require schannel:%s = no' is needed! \n",
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name));
|
|
|
cb0e04 |
+ "'server require schannel:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
TALLOC_FREE(creds);
|
|
|
cb0e04 |
ZERO_STRUCTP(return_authenticator);
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
return NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -702,13 +706,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
"%s request (opnum[%u]) WITH schannel from "
|
|
|
cb0e04 |
"client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
opname, opnum,
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name),
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->computer_name));
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
"Option 'server require schannel:%s = no' not needed!?\n",
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name));
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
|
|
|
cb0e04 |
*creds_out = creds;
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
return NT_STATUS_OK;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -718,24 +723,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
"%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
"client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
opname, opnum,
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name),
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->computer_name));
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
DBG_INFO("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
"Option 'server require schannel:%s = no' still needed!\n",
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name));
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
"%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
"client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
opname, opnum,
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name),
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->computer_name));
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
|
|
|
cb0e04 |
"'server require schannel:%s = no' might be needed!\n",
|
|
|
cb0e04 |
- log_escape(mem_ctx, creds->account_name));
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
*creds_out = creds;
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
return NT_STATUS_OK;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 4e129119e3a2e1bfca623eb11d721329e53fba17 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 12:37:03 +0100
|
|
|
cb0e04 |
Subject: [PATCH 11/30] CVE-2022-38023 s4:rpc_server/netlogon: re-order
|
|
|
cb0e04 |
checking in dcesrv_netr_creds_server_step_check()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This will simplify the following changes.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++----------
|
|
|
cb0e04 |
1 file changed, 19 insertions(+), 22 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 95fd1526d5a5..33063942e161 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -678,13 +678,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
schannel_required = lp_bool(explicit_opt);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (schannel_required) {
|
|
|
cb0e04 |
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
- *creds_out = creds;
|
|
|
cb0e04 |
- TALLOC_FREE(frame);
|
|
|
cb0e04 |
- return NT_STATUS_OK;
|
|
|
cb0e04 |
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
+ if (!schannel_required) {
|
|
|
cb0e04 |
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) WITH schannel from "
|
|
|
cb0e04 |
+ "client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
+ opname, opnum,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (explicit_opt != NULL && !schannel_required) {
|
|
|
cb0e04 |
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "Option 'server require schannel:%s = no' not needed!?\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ *creds_out = creds;
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
+ return NT_STATUS_OK;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (schannel_required) {
|
|
|
cb0e04 |
DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
"%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
"client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
@@ -701,23 +715,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
return NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "%s request (opnum[%u]) WITH schannel from "
|
|
|
cb0e04 |
- "client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
- opname, opnum,
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
- log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "Option 'server require schannel:%s = no' not needed!?\n",
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
- *creds_out = creds;
|
|
|
cb0e04 |
- TALLOC_FREE(frame);
|
|
|
cb0e04 |
- return NT_STATUS_OK;
|
|
|
cb0e04 |
- }
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
if (explicit_opt != NULL) {
|
|
|
cb0e04 |
DBG_INFO("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
"%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 200da32d3573912098d68fd9b72f491317feb506 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 12:37:03 +0100
|
|
|
cb0e04 |
Subject: [PATCH 12/30] CVE-2022-38023 s4:rpc_server/netlogon: improve
|
|
|
cb0e04 |
CVE-2020-1472(ZeroLogon) debug messages
|
|
|
cb0e04 |
|
|
|
cb0e04 |
In order to avoid generating useless debug messages during make test,
|
|
|
cb0e04 |
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
|
|
|
cb0e04 |
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Review with: git show -w
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++-----
|
|
|
cb0e04 |
1 file changed, 106 insertions(+), 41 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 33063942e161..3c77d1302993 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -644,15 +644,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
bool schannel_required = schannel_global_required;
|
|
|
cb0e04 |
const char *explicit_opt = NULL;
|
|
|
cb0e04 |
struct netlogon_creds_CredentialState *creds = NULL;
|
|
|
cb0e04 |
+ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
+ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
+ unsigned int dbg_lvl = DBGLVL_DEBUG;
|
|
|
cb0e04 |
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
|
cb0e04 |
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
|
|
cb0e04 |
uint16_t opnum = dce_call->pkt.u.request.opnum;
|
|
|
cb0e04 |
const char *opname = "<unknown>";
|
|
|
cb0e04 |
+ const char *reason = "<unknown>";
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (opnum < ndr_table_netlogon.num_calls) {
|
|
|
cb0e04 |
opname = ndr_table_netlogon.calls[opnum].name;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- dcesrv_call_auth_info(dce_call, &auth_type, NULL);
|
|
|
cb0e04 |
+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
+ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
|
|
cb0e04 |
+ reason = "WITH SEALED";
|
|
|
cb0e04 |
+ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
|
|
|
cb0e04 |
+ reason = "WITH SIGNED";
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ smb_panic("Schannel without SIGN/SEAL");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ reason = "WITHOUT";
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
|
|
|
cb0e04 |
nt_status = schannel_check_creds_state(mem_ctx,
|
|
|
cb0e04 |
lp_ctx,
|
|
|
cb0e04 |
@@ -679,62 +698,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
- if (!schannel_required) {
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "%s request (opnum[%u]) WITH schannel from "
|
|
|
cb0e04 |
- "client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
- opname, opnum,
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
- log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
+ nt_status = NT_STATUS_OK;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (explicit_opt != NULL && !schannel_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
|
|
|
cb0e04 |
+ } else if (!schannel_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
+ "client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
+ opname, opnum, reason,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
+ nt_errstr(nt_status)));
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (explicit_opt != NULL && !schannel_required) {
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "Option 'server require schannel:%s = no' not needed!?\n",
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ DEBUG(CVE_2020_1472_warn_level, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "Option 'server require schannel:%s = no' not needed for '%s'!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
*creds_out = creds;
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
- return NT_STATUS_OK;
|
|
|
cb0e04 |
+ return nt_status;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (schannel_required) {
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
- "client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
- opname, opnum,
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
- log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
|
|
|
cb0e04 |
- "'server require schannel:%s = no' "
|
|
|
cb0e04 |
- "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ nt_status = NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
+ "client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
+ opname, opnum, reason,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
+ nt_errstr(nt_status)));
|
|
|
cb0e04 |
+ if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
|
|
|
cb0e04 |
+ "'server require schannel:%s = yes' "
|
|
|
cb0e04 |
+ "rejects access for client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ DEBUG(CVE_2020_1472_error_level, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): Check if option "
|
|
|
cb0e04 |
+ "'server require schannel:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
TALLOC_FREE(creds);
|
|
|
cb0e04 |
ZERO_STRUCTP(return_authenticator);
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
- return NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
+ return nt_status;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ nt_status = NT_STATUS_OK;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (explicit_opt != NULL) {
|
|
|
cb0e04 |
- DBG_INFO("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
- "client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
- opname, opnum,
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
- log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
- DBG_INFO("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "Option 'server require schannel:%s = no' still needed!\n",
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
- "%s request (opnum[%u]) without schannel from "
|
|
|
cb0e04 |
- "client_account[%s] client_computer_name[%s]\n",
|
|
|
cb0e04 |
- opname, opnum,
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
- log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
|
|
|
cb0e04 |
- "'server require schannel:%s = no' might be needed!\n",
|
|
|
cb0e04 |
- log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
+ "client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
+ opname, opnum, reason,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
+ nt_errstr(nt_status)));
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ D_INFO("CVE-2020-1472(ZeroLogon): Option "
|
|
|
cb0e04 |
+ "'server require schannel:%s = no' "
|
|
|
cb0e04 |
+ "still needed for '%s'!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * admins should set
|
|
|
cb0e04 |
+ * server require schannel:COMPUTER$ = no
|
|
|
cb0e04 |
+ * in order to avoid the level 0 messages.
|
|
|
cb0e04 |
+ * Over time they can switch the global value
|
|
|
cb0e04 |
+ * to be strict.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ DEBUG(CVE_2020_1472_error_level, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "Please use 'server require schannel:%s = no' "
|
|
|
cb0e04 |
+ "for '%s' to avoid this warning!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
*creds_out = creds;
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 0038d0302c807bc76b073de3aeed13a29c1fc458 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 12:26:01 +0100
|
|
|
cb0e04 |
Subject: [PATCH 13/30] CVE-2022-38023 selftest:Samba4: avoid global 'server
|
|
|
cb0e04 |
schannel = auto'
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Instead of using the generic deprecated option use the specific
|
|
|
cb0e04 |
server require schannel:COMPUTERACCOUNT = no in order to allow
|
|
|
cb0e04 |
legacy tests for pass.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
selftest/target/Samba4.pm | 40 ++++++++++++++++++++++++++++++++++++---
|
|
|
cb0e04 |
1 file changed, 37 insertions(+), 3 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
index b004042738a7..d26022466c66 100755
|
|
|
cb0e04 |
--- a/selftest/target/Samba4.pm
|
|
|
cb0e04 |
+++ b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
@@ -1616,10 +1616,27 @@ sub provision_ad_dc_ntvfs($$$)
|
|
|
cb0e04 |
dsdb event notification = true
|
|
|
cb0e04 |
dsdb password event notification = true
|
|
|
cb0e04 |
dsdb group change notification = true
|
|
|
cb0e04 |
- server schannel = auto
|
|
|
cb0e04 |
# override the new SMB2 only default
|
|
|
cb0e04 |
client min protocol = CORE
|
|
|
cb0e04 |
server min protocol = LANMAN1
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ CVE_2020_1472:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ server require schannel:schannel0\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel1\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel2\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel3\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel4\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel5\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel6\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel7\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel8\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel9\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel10\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel11\$ = no
|
|
|
cb0e04 |
+ server require schannel:torturetest\$ = no
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ # needed for 'samba.tests.auth_log' tests
|
|
|
cb0e04 |
+ server require schannel:LOCALDC\$ = no
|
|
|
cb0e04 |
";
|
|
|
cb0e04 |
push (@{$extra_provision_options}, "--use-ntvfs");
|
|
|
cb0e04 |
my $ret = $self->provision($prefix,
|
|
|
cb0e04 |
@@ -1968,8 +1985,22 @@ sub provision_ad_dc($$$$$$$)
|
|
|
cb0e04 |
lpq cache time = 0
|
|
|
cb0e04 |
print notify backchannel = yes
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- server schannel = auto
|
|
|
cb0e04 |
- auth event notification = true
|
|
|
cb0e04 |
+ CVE_2020_1472:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ server require schannel:schannel0\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel1\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel2\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel3\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel4\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel5\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel6\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel7\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel8\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel9\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel10\$ = no
|
|
|
cb0e04 |
+ server require schannel:schannel11\$ = no
|
|
|
cb0e04 |
+ server require schannel:torturetest\$ = no
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ auth event notification = true
|
|
|
cb0e04 |
dsdb event notification = true
|
|
|
cb0e04 |
dsdb password event notification = true
|
|
|
cb0e04 |
dsdb group change notification = true
|
|
|
cb0e04 |
@@ -2658,6 +2689,9 @@ sub setup_ad_dc_smb1
|
|
|
cb0e04 |
[global]
|
|
|
cb0e04 |
client min protocol = CORE
|
|
|
cb0e04 |
server min protocol = LANMAN1
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ # needed for 'samba.tests.auth_log' tests
|
|
|
cb0e04 |
+ server require schannel:ADDCSMB1\$ = no
|
|
|
cb0e04 |
";
|
|
|
cb0e04 |
return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 76855044472bf75f75a204e0fe411b457478363c Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Mon, 28 Nov 2022 15:02:13 +0100
|
|
|
cb0e04 |
Subject: [PATCH 14/30] CVE-2022-38023 s4:torture: use
|
|
|
cb0e04 |
NETLOGON_NEG_SUPPORTS_AES by default
|
|
|
cb0e04 |
|
|
|
cb0e04 |
For generic tests we should use the best available features.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
And AES will be required by default soon.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/torture/ntp/ntp_signd.c | 2 +-
|
|
|
cb0e04 |
source4/torture/rpc/lsa.c | 4 ++--
|
|
|
cb0e04 |
source4/torture/rpc/netlogon.c | 24 ++++++++++++------------
|
|
|
cb0e04 |
source4/torture/rpc/samba3rpc.c | 15 ++++++++++++---
|
|
|
cb0e04 |
4 files changed, 27 insertions(+), 18 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c
|
|
|
cb0e04 |
index 124c9604871b..6d482bfdee16 100644
|
|
|
cb0e04 |
--- a/source4/torture/ntp/ntp_signd.c
|
|
|
cb0e04 |
+++ b/source4/torture/ntp/ntp_signd.c
|
|
|
cb0e04 |
@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
|
|
|
cb0e04 |
uint32_t rid;
|
|
|
cb0e04 |
const char *machine_name;
|
|
|
cb0e04 |
const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
|
|
|
cb0e04 |
- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
struct sign_request sign_req;
|
|
|
cb0e04 |
struct signed_reply signed_reply;
|
|
|
cb0e04 |
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
|
|
|
cb0e04 |
index d430ee571081..d22546862d5b 100644
|
|
|
cb0e04 |
--- a/source4/torture/rpc/lsa.c
|
|
|
cb0e04 |
+++ b/source4/torture/rpc/lsa.c
|
|
|
cb0e04 |
@@ -4408,7 +4408,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
|
|
|
cb0e04 |
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
ok = check_pw_with_ServerAuthenticate3(p1, tctx,
|
|
|
cb0e04 |
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
|
cb0e04 |
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
|
cb0e04 |
server_name,
|
|
|
cb0e04 |
incoming_creds, &creds);
|
|
|
cb0e04 |
torture_assert_int_equal(tctx, ok, expected_result,
|
|
|
cb0e04 |
@@ -4505,7 +4505,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
|
|
|
cb0e04 |
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
ok = check_pw_with_ServerAuthenticate3(p2, tctx,
|
|
|
cb0e04 |
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
|
cb0e04 |
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
|
cb0e04 |
server_name,
|
|
|
cb0e04 |
incoming_creds, &creds);
|
|
|
cb0e04 |
torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");
|
|
|
cb0e04 |
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
|
|
|
cb0e04 |
index 11f950d3aab4..2803dd13b467 100644
|
|
|
cb0e04 |
--- a/source4/torture/rpc/netlogon.c
|
|
|
cb0e04 |
+++ b/source4/torture/rpc/netlogon.c
|
|
|
cb0e04 |
@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
|
|
|
cb0e04 |
|
|
|
cb0e04 |
/* This allows the tests to continue against the more fussy windows 2008 */
|
|
|
cb0e04 |
if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
|
|
|
cb0e04 |
- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
|
cb0e04 |
+ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
|
cb0e04 |
credentials,
|
|
|
cb0e04 |
cli_credentials_get_secure_channel_type(credentials),
|
|
|
cb0e04 |
creds_out);
|
|
|
cb0e04 |
@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
|
|
|
cb0e04 |
"ServerAuthenticate3 failed");
|
|
|
cb0e04 |
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
creds = netlogon_creds_client_init(tctx, a.in.account_name,
|
|
|
cb0e04 |
a.in.computer_name,
|
|
|
cb0e04 |
a.in.secure_channel_type,
|
|
|
cb0e04 |
@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge(
|
|
|
cb0e04 |
const char *machine_name;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
cb0e04 |
struct netr_ServerAuthenticate2 a;
|
|
|
cb0e04 |
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
uint32_t out_negotiate_flags = 0;
|
|
|
cb0e04 |
const struct samr_Password *mach_password = NULL;
|
|
|
cb0e04 |
enum netr_SchannelType sec_chan_type = 0;
|
|
|
cb0e04 |
@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge(
|
|
|
cb0e04 |
const char *machine_name;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
cb0e04 |
struct netr_ServerAuthenticate2 a;
|
|
|
cb0e04 |
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
uint32_t out_negotiate_flags = 0;
|
|
|
cb0e04 |
const struct samr_Password *mach_password = NULL;
|
|
|
cb0e04 |
enum netr_SchannelType sec_chan_type = 0;
|
|
|
cb0e04 |
@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats(
|
|
|
cb0e04 |
const char *machine_name;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
cb0e04 |
struct netr_ServerAuthenticate2 a;
|
|
|
cb0e04 |
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
uint32_t out_negotiate_flags = 0;
|
|
|
cb0e04 |
const struct samr_Password *mach_password = NULL;
|
|
|
cb0e04 |
enum netr_SchannelType sec_chan_type = 0;
|
|
|
cb0e04 |
@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats(
|
|
|
cb0e04 |
const char *machine_name;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = p->binding_handle;
|
|
|
cb0e04 |
struct netr_ServerAuthenticate2 a;
|
|
|
cb0e04 |
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
uint32_t out_negotiate_flags = 0;
|
|
|
cb0e04 |
const struct samr_Password *mach_password = NULL;
|
|
|
cb0e04 |
enum netr_SchannelType sec_chan_type = 0;
|
|
|
cb0e04 |
@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros(
|
|
|
cb0e04 |
struct netr_CryptPassword new_password;
|
|
|
cb0e04 |
struct dcerpc_pipe *p = NULL;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = NULL;
|
|
|
cb0e04 |
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (!test_SetupCredentials2(
|
|
|
cb0e04 |
p1,
|
|
|
cb0e04 |
@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password(
|
|
|
cb0e04 |
struct netr_CryptPassword new_password;
|
|
|
cb0e04 |
struct dcerpc_pipe *p = NULL;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = NULL;
|
|
|
cb0e04 |
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
DATA_BLOB new_random_pass = data_blob_null;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (!test_SetupCredentials2(
|
|
|
cb0e04 |
@@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password(
|
|
|
cb0e04 |
struct netr_CryptPassword new_password;
|
|
|
cb0e04 |
struct dcerpc_pipe *p = NULL;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = NULL;
|
|
|
cb0e04 |
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (!test_SetupCredentials2(
|
|
|
cb0e04 |
p1,
|
|
|
cb0e04 |
@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
|
|
|
cb0e04 |
struct dcerpc_pipe *p = NULL;
|
|
|
cb0e04 |
struct dcerpc_binding_handle *b = NULL;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
|
cb0e04 |
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
|
cb0e04 |
machine_credentials, &creds)) {
|
|
|
cb0e04 |
return false;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
|
|
|
cb0e04 |
|
|
|
cb0e04 |
torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
|
cb0e04 |
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
|
cb0e04 |
machine_credentials, &creds)) {
|
|
|
cb0e04 |
return false;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -5560,7 +5560,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
|
|
|
cb0e04 |
|
|
|
cb0e04 |
torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
|
|
|
cb0e04 |
+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
|
|
|
cb0e04 |
machine_credentials, &creds)) {
|
|
|
cb0e04 |
return false;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
|
|
|
cb0e04 |
index ff5dc1d68003..ee8dac67dfa8 100644
|
|
|
cb0e04 |
--- a/source4/torture/rpc/samba3rpc.c
|
|
|
cb0e04 |
+++ b/source4/torture/rpc/samba3rpc.c
|
|
|
cb0e04 |
@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx,
|
|
|
cb0e04 |
goto done;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
|
|
|
cb0e04 |
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
|
|
|
cb0e04 |
E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
a.in.server_name = talloc_asprintf(
|
|
|
cb0e04 |
@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx,
|
|
|
cb0e04 |
E_md4hash(cli_credentials_get_password(user_creds),
|
|
|
cb0e04 |
pinfo.ntpassword.hash);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
logon.password = &pinfo;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We don't use this here:
|
|
|
cb0e04 |
+ *
|
|
|
cb0e04 |
+ * netlogon_creds_encrypt_samlogon_logon(creds_state,
|
|
|
cb0e04 |
+ * NetlogonInteractiveInformation,
|
|
|
cb0e04 |
+ * &logon);
|
|
|
cb0e04 |
+ *
|
|
|
cb0e04 |
+ * in order to detect bugs
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
r.in.logon_level = NetlogonInteractiveInformation;
|
|
|
cb0e04 |
r.in.logon = &logon;
|
|
|
cb0e04 |
r.out.return_authenticator = &return_authenticator;
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 5a6eba6e6bf3cd87a5875634d82335b216bf1069 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 09:54:17 +0100
|
|
|
cb0e04 |
Subject: [PATCH 15/30] CVE-2022-38023 s4:rpc_server/netlogon: split out
|
|
|
cb0e04 |
dcesrv_netr_ServerAuthenticate3_check_downgrade()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
|
|
|
cb0e04 |
which means we'll need the downgrade detection in more places.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++--------
|
|
|
cb0e04 |
1 file changed, 67 insertions(+), 47 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 3c77d1302993..87e4bbe00f2d 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -125,6 +125,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
|
|
|
cb0e04 |
return NT_STATUS_OK;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
+ struct netr_ServerAuthenticate3 *r,
|
|
|
cb0e04 |
+ struct netlogon_server_pipe_state *pipe_state,
|
|
|
cb0e04 |
+ uint32_t negotiate_flags,
|
|
|
cb0e04 |
+ NTSTATUS orig_status)
|
|
|
cb0e04 |
+{
|
|
|
cb0e04 |
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
|
|
|
cb0e04 |
+ bool reject_des_client = !allow_nt4_crypto;
|
|
|
cb0e04 |
+ bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
|
|
|
cb0e04 |
+ reject_des_client = false;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
|
|
cb0e04 |
+ reject_des_client = false;
|
|
|
cb0e04 |
+ reject_md5_client = false;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (reject_des_client || reject_md5_client) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * Here we match Windows 2012 and return no flags.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ *r->out.negotiate_flags = 0;
|
|
|
cb0e04 |
+ return NT_STATUS_DOWNGRADE_DETECTED;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * This talloc_free is important to prevent re-use of the
|
|
|
cb0e04 |
+ * challenge. We have to delay it this far due to NETApp
|
|
|
cb0e04 |
+ * servers per:
|
|
|
cb0e04 |
+ * https://bugzilla.samba.org/show_bug.cgi?id=11291
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ TALLOC_FREE(pipe_state);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * At this point we must also cleanup the TDB cache
|
|
|
cb0e04 |
+ * entry, if we fail the client needs to call
|
|
|
cb0e04 |
+ * netr_ServerReqChallenge again.
|
|
|
cb0e04 |
+ *
|
|
|
cb0e04 |
+ * Note: this handles a non existing record just fine,
|
|
|
cb0e04 |
+ * the r->in.computer_name might not be the one used
|
|
|
cb0e04 |
+ * in netr_ServerReqChallenge(), but we are trying to
|
|
|
cb0e04 |
+ * just tidy up the normal case to prevent re-use.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
|
|
|
cb0e04 |
+ r->in.computer_name);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * According to Microsoft (see bugid #6099)
|
|
|
cb0e04 |
+ * Windows 7 looks at the negotiate_flags
|
|
|
cb0e04 |
+ * returned in this structure *even if the
|
|
|
cb0e04 |
+ * call fails with access denied!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ *r->out.negotiate_flags = negotiate_flags;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ return orig_status;
|
|
|
cb0e04 |
+}
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
* Do the actual processing of a netr_ServerAuthenticate3 message.
|
|
|
cb0e04 |
* called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
|
|
|
cb0e04 |
@@ -152,11 +213,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
"objectSid", "samAccountName", NULL};
|
|
|
cb0e04 |
uint32_t server_flags = 0;
|
|
|
cb0e04 |
uint32_t negotiate_flags = 0;
|
|
|
cb0e04 |
- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
|
|
|
cb0e04 |
- bool reject_des_client = !allow_nt4_crypto;
|
|
|
cb0e04 |
- bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
ZERO_STRUCTP(r->out.return_credentials);
|
|
|
cb0e04 |
+ *r->out.negotiate_flags = 0;
|
|
|
cb0e04 |
*r->out.rid = 0;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
pipe_state = dcesrv_iface_state_find_conn(dce_call,
|
|
|
cb0e04 |
@@ -243,52 +302,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
|
|
|
cb0e04 |
negotiate_flags = *r->in.negotiate_flags & server_flags;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
|
|
|
cb0e04 |
- reject_des_client = false;
|
|
|
cb0e04 |
- }
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
- if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
|
|
cb0e04 |
- reject_des_client = false;
|
|
|
cb0e04 |
- reject_md5_client = false;
|
|
|
cb0e04 |
- }
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
- if (reject_des_client || reject_md5_client) {
|
|
|
cb0e04 |
- /*
|
|
|
cb0e04 |
- * Here we match Windows 2012 and return no flags.
|
|
|
cb0e04 |
- */
|
|
|
cb0e04 |
- *r->out.negotiate_flags = 0;
|
|
|
cb0e04 |
- return NT_STATUS_DOWNGRADE_DETECTED;
|
|
|
cb0e04 |
+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_OK);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
+ return nt_status;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- /*
|
|
|
cb0e04 |
- * This talloc_free is important to prevent re-use of the
|
|
|
cb0e04 |
- * challenge. We have to delay it this far due to NETApp
|
|
|
cb0e04 |
- * servers per:
|
|
|
cb0e04 |
- * https://bugzilla.samba.org/show_bug.cgi?id=11291
|
|
|
cb0e04 |
- */
|
|
|
cb0e04 |
- TALLOC_FREE(pipe_state);
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
- /*
|
|
|
cb0e04 |
- * At this point we must also cleanup the TDB cache
|
|
|
cb0e04 |
- * entry, if we fail the client needs to call
|
|
|
cb0e04 |
- * netr_ServerReqChallenge again.
|
|
|
cb0e04 |
- *
|
|
|
cb0e04 |
- * Note: this handles a non existing record just fine,
|
|
|
cb0e04 |
- * the r->in.computer_name might not be the one used
|
|
|
cb0e04 |
- * in netr_ServerReqChallenge(), but we are trying to
|
|
|
cb0e04 |
- * just tidy up the normal case to prevent re-use.
|
|
|
cb0e04 |
- */
|
|
|
cb0e04 |
- schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
|
|
|
cb0e04 |
- r->in.computer_name);
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
- /*
|
|
|
cb0e04 |
- * According to Microsoft (see bugid #6099)
|
|
|
cb0e04 |
- * Windows 7 looks at the negotiate_flags
|
|
|
cb0e04 |
- * returned in this structure *even if the
|
|
|
cb0e04 |
- * call fails with access denied!
|
|
|
cb0e04 |
- */
|
|
|
cb0e04 |
- *r->out.negotiate_flags = negotiate_flags;
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
switch (r->in.secure_channel_type) {
|
|
|
cb0e04 |
case SEC_CHAN_WKSTA:
|
|
|
cb0e04 |
case SEC_CHAN_DNS_DOMAIN:
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 267a886bcdf3b502d83a3470e9d5b51191210153 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 10:10:33 +0100
|
|
|
cb0e04 |
Subject: [PATCH 16/30] CVE-2022-38023 s4:rpc_server/netlogon: require aes if
|
|
|
cb0e04 |
weak crypto is disabled
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +++++++++
|
|
|
cb0e04 |
source4/torture/rpc/netlogon_crypto.c | 2 +-
|
|
|
cb0e04 |
2 files changed, 10 insertions(+), 1 deletion(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 87e4bbe00f2d..4141cc40687f 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
bool reject_des_client = !allow_nt4_crypto;
|
|
|
cb0e04 |
bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * If weak cryto is disabled, do not announce that we support RC4.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
|
cb0e04 |
+ /* Without RC4 and DES we require AES */
|
|
|
cb0e04 |
+ reject_des_client = true;
|
|
|
cb0e04 |
+ reject_md5_client = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
|
|
|
cb0e04 |
reject_des_client = false;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c
|
|
|
cb0e04 |
index 05beb2b77b3b..85844604ee27 100644
|
|
|
cb0e04 |
--- a/source4/torture/rpc/netlogon_crypto.c
|
|
|
cb0e04 |
+++ b/source4/torture/rpc/netlogon_crypto.c
|
|
|
cb0e04 |
@@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p,
|
|
|
cb0e04 |
force_client_rc4) {
|
|
|
cb0e04 |
torture_assert_ntstatus_equal(tctx,
|
|
|
cb0e04 |
a.out.result,
|
|
|
cb0e04 |
- NT_STATUS_ACCESS_DENIED,
|
|
|
cb0e04 |
+ NT_STATUS_DOWNGRADE_DETECTED,
|
|
|
cb0e04 |
"Unexpected status code");
|
|
|
cb0e04 |
return false;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 2b4abfc0bf48e89cd93f97f9afcff23e932f427b Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Thu, 24 Nov 2022 18:26:18 +0100
|
|
|
cb0e04 |
Subject: [PATCH 17/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5
|
|
|
cb0e04 |
clients' default to yes
|
|
|
cb0e04 |
|
|
|
cb0e04 |
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
|
|
|
cb0e04 |
so there's no reason to allow md5 clients by default.
|
|
|
cb0e04 |
However some third party domain members may need it.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++---
|
|
|
cb0e04 |
lib/param/loadparm.c | 1 +
|
|
|
cb0e04 |
selftest/target/Samba4.pm | 4 ++++
|
|
|
cb0e04 |
source3/param/loadparm.c | 1 +
|
|
|
cb0e04 |
4 files changed, 14 insertions(+), 3 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
index 0bb9f6f6c8ec..edcbe02e99a3 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
@@ -7,11 +7,16 @@
|
|
|
cb0e04 |
only in 'active directory domain controller' mode), will
|
|
|
cb0e04 |
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>You can set this to yes if all domain members support aes.
|
|
|
cb0e04 |
- This will prevent downgrade attacks.</para>
|
|
|
cb0e04 |
+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
|
|
|
cb0e04 |
+ starting with Server 2008R2 and Windows 7, it's available in Samba
|
|
|
cb0e04 |
+ starting with 4.0, however third party domain members like NetApp ONTAP
|
|
|
cb0e04 |
+ still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
|
|
|
cb0e04 |
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option overrides the 'allow nt4 crypto' option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
-<value type="default">no</value>
|
|
|
cb0e04 |
+<value type="default">yes</value>
|
|
|
cb0e04 |
</samba:parameter>
|
|
|
cb0e04 |
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
|
cb0e04 |
index e953499efba3..2b644ee97c02 100644
|
|
|
cb0e04 |
--- a/lib/param/loadparm.c
|
|
|
cb0e04 |
+++ b/lib/param/loadparm.c
|
|
|
cb0e04 |
@@ -2725,6 +2725,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
|
|
|
cb0e04 |
+ lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
index d26022466c66..fb63bbeff059 100755
|
|
|
cb0e04 |
--- a/selftest/target/Samba4.pm
|
|
|
cb0e04 |
+++ b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
@@ -1620,6 +1620,8 @@ sub provision_ad_dc_ntvfs($$$)
|
|
|
cb0e04 |
client min protocol = CORE
|
|
|
cb0e04 |
server min protocol = LANMAN1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ reject md5 clients = no
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
CVE_2020_1472:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
server require schannel:schannel0\$ = no
|
|
|
cb0e04 |
server require schannel:schannel1\$ = no
|
|
|
cb0e04 |
@@ -1985,6 +1987,8 @@ sub provision_ad_dc($$$$$$$)
|
|
|
cb0e04 |
lpq cache time = 0
|
|
|
cb0e04 |
print notify backchannel = yes
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ reject md5 clients = no
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
CVE_2020_1472:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
server require schannel:schannel0\$ = no
|
|
|
cb0e04 |
server require schannel:schannel1\$ = no
|
|
|
cb0e04 |
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
|
cb0e04 |
index 91747e09eccd..28ce4de6dd67 100644
|
|
|
cb0e04 |
--- a/source3/param/loadparm.c
|
|
|
cb0e04 |
+++ b/source3/param/loadparm.c
|
|
|
cb0e04 |
@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
|
cb0e04 |
Globals.require_strong_key = true;
|
|
|
cb0e04 |
Globals.reject_md5_servers = true;
|
|
|
cb0e04 |
Globals.server_schannel = true;
|
|
|
cb0e04 |
+ Globals.reject_md5_clients = true;
|
|
|
cb0e04 |
Globals.read_raw = true;
|
|
|
cb0e04 |
Globals.write_raw = true;
|
|
|
cb0e04 |
Globals.null_passwords = false;
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From d05bde2dfe40483b9f31a94a8d475f628f7aa1e3 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 10:31:08 +0100
|
|
|
cb0e04 |
Subject: [PATCH 18/30] CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade
|
|
|
cb0e04 |
check until we found the account in our SAM
|
|
|
cb0e04 |
|
|
|
cb0e04 |
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
|
|
|
cb0e04 |
which means we'll need use the account name from our SAM.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------
|
|
|
cb0e04 |
1 file changed, 53 insertions(+), 23 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 4141cc40687f..e39a530fd7f5 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -311,13 +311,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
|
|
|
cb0e04 |
negotiate_flags = *r->in.negotiate_flags & server_flags;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
- dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
- NT_STATUS_OK);
|
|
|
cb0e04 |
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
- return nt_status;
|
|
|
cb0e04 |
- }
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
switch (r->in.secure_channel_type) {
|
|
|
cb0e04 |
case SEC_CHAN_WKSTA:
|
|
|
cb0e04 |
case SEC_CHAN_DNS_DOMAIN:
|
|
|
cb0e04 |
@@ -326,16 +319,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
case SEC_CHAN_RODC:
|
|
|
cb0e04 |
break;
|
|
|
cb0e04 |
case SEC_CHAN_NULL:
|
|
|
cb0e04 |
- return NT_STATUS_INVALID_PARAMETER;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_INVALID_PARAMETER);
|
|
|
cb0e04 |
default:
|
|
|
cb0e04 |
DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
|
|
|
cb0e04 |
r->in.secure_channel_type));
|
|
|
cb0e04 |
- return NT_STATUS_INVALID_PARAMETER;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_INVALID_PARAMETER);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
|
|
|
cb0e04 |
if (sam_ctx == NULL) {
|
|
|
cb0e04 |
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_INVALID_SYSTEM_SERVICE);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
|
|
|
cb0e04 |
@@ -364,16 +363,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
encoded_name = ldb_binary_encode_string(mem_ctx,
|
|
|
cb0e04 |
r->in.account_name);
|
|
|
cb0e04 |
if (encoded_name == NULL) {
|
|
|
cb0e04 |
- return NT_STATUS_NO_MEMORY;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_MEMORY);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
len = strlen(encoded_name);
|
|
|
cb0e04 |
if (len < 2) {
|
|
|
cb0e04 |
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (require_trailer && encoded_name[len - 1] != trailer) {
|
|
|
cb0e04 |
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
encoded_name[len - 1] = '\0';
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -391,30 +396,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
"but there's no tdo for [%s] => [%s] \n",
|
|
|
cb0e04 |
log_escape(mem_ctx, r->in.account_name),
|
|
|
cb0e04 |
encoded_name));
|
|
|
cb0e04 |
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
- return nt_status;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ nt_status);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx,
|
|
|
cb0e04 |
&curNtHash,
|
|
|
cb0e04 |
&prevNtHash);
|
|
|
cb0e04 |
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
|
|
|
cb0e04 |
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
- return nt_status;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ nt_status);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL);
|
|
|
cb0e04 |
if (flatname == NULL) {
|
|
|
cb0e04 |
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
*trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname);
|
|
|
cb0e04 |
if (*trust_account_for_search == NULL) {
|
|
|
cb0e04 |
- return NT_STATUS_NO_MEMORY;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_MEMORY);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
*trust_account_for_search = r->in.account_name;
|
|
|
cb0e04 |
@@ -429,14 +446,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (num_records == 0) {
|
|
|
cb0e04 |
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
|
|
|
cb0e04 |
log_escape(mem_ctx, r->in.account_name)));
|
|
|
cb0e04 |
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (num_records > 1) {
|
|
|
cb0e04 |
DEBUG(0,("Found %d records matching user [%s]\n",
|
|
|
cb0e04 |
num_records,
|
|
|
cb0e04 |
log_escape(mem_ctx, r->in.account_name)));
|
|
|
cb0e04 |
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_INTERNAL_DB_CORRUPTION);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
*trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0],
|
|
|
cb0e04 |
@@ -445,9 +466,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (*trust_account_in_db == NULL) {
|
|
|
cb0e04 |
DEBUG(0,("No samAccountName returned in record matching user [%s]\n",
|
|
|
cb0e04 |
r->in.account_name));
|
|
|
cb0e04 |
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
|
|
|
cb0e04 |
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_INTERNAL_DB_CORRUPTION);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
+ dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NT_STATUS_OK);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
+ return nt_status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (user_account_control & UF_ACCOUNTDISABLE) {
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 88c10a23f06376605a29fc9ddb7737868ffad916 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 13:13:36 +0100
|
|
|
cb0e04 |
Subject: [PATCH 19/30] CVE-2022-38023 s4:rpc_server/netlogon: add 'server
|
|
|
cb0e04 |
reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4
|
|
|
cb0e04 |
crypto:COMPUTERACCOUNT = yes'
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This makes it more flexible when we change the global default to
|
|
|
cb0e04 |
'reject md5 servers = yes'.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
'allow nt4 crypto = no' is already the default.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++-
|
|
|
cb0e04 |
1 file changed, 55 insertions(+), 3 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index e39a530fd7f5..f303dc00ada2 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -130,12 +130,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
struct netr_ServerAuthenticate3 *r,
|
|
|
cb0e04 |
struct netlogon_server_pipe_state *pipe_state,
|
|
|
cb0e04 |
uint32_t negotiate_flags,
|
|
|
cb0e04 |
+ const char *trust_account_in_db,
|
|
|
cb0e04 |
NTSTATUS orig_status)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
|
|
|
cb0e04 |
- bool reject_des_client = !allow_nt4_crypto;
|
|
|
cb0e04 |
- bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
|
|
|
cb0e04 |
+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
|
|
|
cb0e04 |
+ bool account_allow_nt4_crypto = global_allow_nt4_crypto;
|
|
|
cb0e04 |
+ const char *explicit_nt4_opt = NULL;
|
|
|
cb0e04 |
+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
|
|
|
cb0e04 |
+ bool account_reject_md5_client = global_reject_md5_client;
|
|
|
cb0e04 |
+ const char *explicit_md5_opt = NULL;
|
|
|
cb0e04 |
+ bool reject_des_client;
|
|
|
cb0e04 |
+ bool allow_nt4_crypto;
|
|
|
cb0e04 |
+ bool reject_md5_client;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We don't use lpcfg_parm_bool(), as we
|
|
|
cb0e04 |
+ * need the explicit_opt pointer in order to
|
|
|
cb0e04 |
+ * adjust the debug messages.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (trust_account_in_db != NULL) {
|
|
|
cb0e04 |
+ explicit_nt4_opt = lpcfg_get_parametric(lp_ctx,
|
|
|
cb0e04 |
+ NULL,
|
|
|
cb0e04 |
+ "allow nt4 crypto",
|
|
|
cb0e04 |
+ trust_account_in_db);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (explicit_nt4_opt != NULL) {
|
|
|
cb0e04 |
+ account_allow_nt4_crypto = lp_bool(explicit_nt4_opt);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ allow_nt4_crypto = account_allow_nt4_crypto;
|
|
|
cb0e04 |
+ if (trust_account_in_db != NULL) {
|
|
|
cb0e04 |
+ explicit_md5_opt = lpcfg_get_parametric(lp_ctx,
|
|
|
cb0e04 |
+ NULL,
|
|
|
cb0e04 |
+ "server reject md5 schannel",
|
|
|
cb0e04 |
+ trust_account_in_db);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (explicit_md5_opt != NULL) {
|
|
|
cb0e04 |
+ account_reject_md5_client = lp_bool(explicit_md5_opt);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ reject_md5_client = account_reject_md5_client;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ reject_des_client = !allow_nt4_crypto;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
* If weak cryto is disabled, do not announce that we support RC4.
|
|
|
cb0e04 |
@@ -321,12 +357,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
case SEC_CHAN_NULL:
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_INVALID_PARAMETER);
|
|
|
cb0e04 |
default:
|
|
|
cb0e04 |
DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
|
|
|
cb0e04 |
r->in.secure_channel_type));
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_INVALID_PARAMETER);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -334,6 +372,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (sam_ctx == NULL) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_INVALID_SYSTEM_SERVICE);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -365,6 +404,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (encoded_name == NULL) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_MEMORY);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -372,12 +412,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (len < 2) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (require_trailer && encoded_name[len - 1] != trailer) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
encoded_name[len - 1] = '\0';
|
|
|
cb0e04 |
@@ -398,11 +440,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
encoded_name));
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
nt_status);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -412,11 +456,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
nt_status);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -424,6 +470,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (flatname == NULL) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -431,6 +478,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
if (*trust_account_for_search == NULL) {
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_MEMORY);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
@@ -448,6 +496,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
log_escape(mem_ctx, r->in.account_name)));
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -457,6 +506,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
log_escape(mem_ctx, r->in.account_name)));
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_INTERNAL_DB_CORRUPTION);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -468,11 +518,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
|
|
|
cb0e04 |
r->in.account_name));
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ NULL, /* trust_account_in_db */
|
|
|
cb0e04 |
NT_STATUS_INTERNAL_DB_CORRUPTION);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
dce_call, r, pipe_state, negotiate_flags,
|
|
|
cb0e04 |
+ *trust_account_in_db,
|
|
|
cb0e04 |
NT_STATUS_OK);
|
|
|
cb0e04 |
if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
return nt_status;
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From b8f6e9fa3e218add0b2ca4fb14bcb9b5167ab8f5 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 13:31:14 +0100
|
|
|
cb0e04 |
Subject: [PATCH 20/30] CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4
|
|
|
cb0e04 |
crypto:COMPUTERACCOUNT = no"
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++-
|
|
|
cb0e04 |
1 file changed, 74 insertions(+), 2 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
index 06afcef73b1b..bbd03a42db74 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
@@ -1,11 +1,18 @@
|
|
|
cb0e04 |
|
|
|
cb0e04 |
context="G"
|
|
|
cb0e04 |
type="boolean"
|
|
|
cb0e04 |
+ deprecated="1"
|
|
|
cb0e04 |
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
|
cb0e04 |
<description>
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ This option is deprecated and will be removed in future,
|
|
|
cb0e04 |
+ as it is a security problem if not set to "no" (which will be
|
|
|
cb0e04 |
+ the hardcoded behavior in future).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
<para>This option controls whether the netlogon server (currently
|
|
|
cb0e04 |
only in 'active directory domain controller' mode), will
|
|
|
cb0e04 |
- reject clients which does not support NETLOGON_NEG_STRONG_KEYS
|
|
|
cb0e04 |
+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS
|
|
|
cb0e04 |
nor NETLOGON_NEG_SUPPORTS_AES.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option was added with Samba 4.2.0. It may lock out clients
|
|
|
cb0e04 |
@@ -18,8 +25,73 @@
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option is over-ridden by the 'reject md5 clients' option.</para>
|
|
|
cb0e04 |
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
|
|
|
cb0e04 |
+ Which is available with the patches for
|
|
|
cb0e04 |
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
|
|
|
cb0e04 |
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log an error in the log files at log level 0
|
|
|
cb0e04 |
+ if legacy a client is rejected or allowed without an explicit,
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
|
|
|
cb0e04 |
+ for the client. The message will indicate
|
|
|
cb0e04 |
+ the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
|
|
|
cb0e04 |
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>This allows admins to use "yes" only for a short grace period,
|
|
|
cb0e04 |
+ in order to collect the explicit
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">no</value>
|
|
|
cb0e04 |
</samba:parameter>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ context="G"
|
|
|
cb0e04 |
+ type="string"
|
|
|
cb0e04 |
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
|
cb0e04 |
+<description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
|
|
|
cb0e04 |
+ it is possible to specify an explicit exception per computer account
|
|
|
cb0e04 |
+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
|
|
|
cb0e04 |
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
|
|
|
cb0e04 |
+ the computer account (including the trailing '$' sign).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log a complaint in the log files at log level 0
|
|
|
cb0e04 |
+ about the security problem if the option is set to "yes",
|
|
|
cb0e04 |
+ but the related computer does not require it.
|
|
|
cb0e04 |
+ (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log a warning in the log files at log level 5,
|
|
|
cb0e04 |
+ if a setting is still needed for the specified computer account.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
|
|
|
cb0e04 |
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <programlisting>
|
|
|
cb0e04 |
+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes
|
|
|
cb0e04 |
+ allow nt4 crypto:NASBOX$ = yes
|
|
|
cb0e04 |
+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes
|
|
|
cb0e04 |
+ </programlisting>
|
|
|
cb0e04 |
+</description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+</samba:parameter>
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 16895f56b2f35dda0df54b1b416d7fac05965fcc Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 14:02:11 +0100
|
|
|
cb0e04 |
Subject: [PATCH 21/30] CVE-2022-38023 docs-xml/smbdotconf: document "server
|
|
|
cb0e04 |
reject md5 schannel:COMPUTERACCOUNT"
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++-
|
|
|
cb0e04 |
.../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++-
|
|
|
cb0e04 |
2 files changed, 103 insertions(+), 6 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
index bbd03a42db74..ee63e6cc2453 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
|
|
|
cb0e04 |
@@ -45,7 +45,9 @@
|
|
|
cb0e04 |
in order to collect the explicit
|
|
|
cb0e04 |
'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the effective value of 'yes' from
|
|
|
cb0e04 |
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
|
|
|
cb0e04 |
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">no</value>
|
|
|
cb0e04 |
@@ -85,12 +87,19 @@
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the effective value of 'yes' from
|
|
|
cb0e04 |
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
|
|
|
cb0e04 |
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
|
|
|
cb0e04 |
+ <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
|
|
|
cb0e04 |
+ is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<programlisting>
|
|
|
cb0e04 |
allow nt4 crypto:LEGACYCOMPUTER1$ = yes
|
|
|
cb0e04 |
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
|
|
|
cb0e04 |
allow nt4 crypto:NASBOX$ = yes
|
|
|
cb0e04 |
+ server reject md5 schannel:NASBOX$ = no
|
|
|
cb0e04 |
allow nt4 crypto:LEGACYCOMPUTER2$ = yes
|
|
|
cb0e04 |
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
|
|
|
cb0e04 |
</programlisting>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
index edcbe02e99a3..fe7701d92772 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
|
|
|
cb0e04 |
@@ -1,8 +1,15 @@
|
|
|
cb0e04 |
|
|
|
cb0e04 |
context="G"
|
|
|
cb0e04 |
type="boolean"
|
|
|
cb0e04 |
+ deprecated="1"
|
|
|
cb0e04 |
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
|
cb0e04 |
<description>
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ This option is deprecated and will be removed in a future release,
|
|
|
cb0e04 |
+ as it is a security problem if not set to "yes" (which will be
|
|
|
cb0e04 |
+ the hardcoded behavior in the future).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
<para>This option controls whether the netlogon server (currently
|
|
|
cb0e04 |
only in 'active directory domain controller' mode), will
|
|
|
cb0e04 |
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
|
|
|
cb0e04 |
@@ -10,13 +17,94 @@
|
|
|
cb0e04 |
<para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
|
|
|
cb0e04 |
starting with Server 2008R2 and Windows 7, it's available in Samba
|
|
|
cb0e04 |
starting with 4.0, however third party domain members like NetApp ONTAP
|
|
|
cb0e04 |
- still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
|
|
|
cb0e04 |
+ still uses RC4 (HMAC-MD5), see
|
|
|
cb0e04 |
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
|
|
|
cb0e04 |
+ for more details.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>The default changed from 'no' to 'yes', with the patches for
|
|
|
cb0e04 |
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
|
|
|
cb0e04 |
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
|
|
|
cb0e04 |
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
|
|
|
cb0e04 |
+ Which is available with the patches for
|
|
|
cb0e04 |
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
|
|
|
cb0e04 |
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
|
|
|
cb0e04 |
- see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log an error in the log files at log level 0
|
|
|
cb0e04 |
+ if legacy a client is rejected or allowed without an explicit,
|
|
|
cb0e04 |
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
|
|
|
cb0e04 |
+ for the client. The message will indicate
|
|
|
cb0e04 |
+ the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
|
|
|
cb0e04 |
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>This option overrides the 'allow nt4 crypto' option.</para>
|
|
|
cb0e04 |
+ <para>This allows admins to use "no" only for a short grace period,
|
|
|
cb0e04 |
+ in order to collect the explicit
|
|
|
cb0e04 |
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>When set to 'yes' this option overrides the
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">yes</value>
|
|
|
cb0e04 |
</samba:parameter>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ context="G"
|
|
|
cb0e04 |
+ type="string"
|
|
|
cb0e04 |
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
|
cb0e04 |
+<description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>If you still have legacy domain members or trusted domains,
|
|
|
cb0e04 |
+ which required "reject md5 clients = no" before,
|
|
|
cb0e04 |
+ it is possible to specify an explicit exception per computer account
|
|
|
cb0e04 |
+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
|
|
|
cb0e04 |
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
|
|
|
cb0e04 |
+ the computer account (including the trailing '$' sign).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log a complaint in the log files at log level 0
|
|
|
cb0e04 |
+ about the security problem if the option is set to "no",
|
|
|
cb0e04 |
+ but the related computer does not require it.
|
|
|
cb0e04 |
+ (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log a warning in the log files at log level 5
|
|
|
cb0e04 |
+ if a setting is still needed for the specified computer account.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
|
|
|
cb0e04 |
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>When set to 'yes' this option overrides the
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
|
|
|
cb0e04 |
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <programlisting>
|
|
|
cb0e04 |
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:NASBOX$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
|
|
|
cb0e04 |
+ </programlisting>
|
|
|
cb0e04 |
+</description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+</samba:parameter>
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 71283bb55feb027a94c3795bd1b94217be93c1a6 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 13:13:36 +0100
|
|
|
cb0e04 |
Subject: [PATCH 22/30] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject
|
|
|
cb0e04 |
md5 servers' and 'allow nt4 crypto' misconfigurations
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This allows the admin to notice what's wrong in order to adjust the
|
|
|
cb0e04 |
configuration if required.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 143 ++++++++++++++++++
|
|
|
cb0e04 |
1 file changed, 143 insertions(+)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index f303dc00ada2..5f2f765abe5b 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -64,10 +64,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
|
|
|
cb0e04 |
const struct dcesrv_interface *iface)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
|
|
|
cb0e04 |
+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
|
|
|
cb0e04 |
int schannel = lpcfg_server_schannel(lp_ctx);
|
|
|
cb0e04 |
bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
+ static bool warned_global_nt4_once = false;
|
|
|
cb0e04 |
+ static bool warned_global_md5_once = false;
|
|
|
cb0e04 |
static bool warned_global_schannel_once = false;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ if (global_allow_nt4_crypto && !warned_global_nt4_once) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ D_ERR("CVE-2022-38023 (and others): "
|
|
|
cb0e04 |
+ "Please configure 'allow nt4 crypto = no' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
|
cb0e04 |
+ warned_global_nt4_once = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (!global_reject_md5_client && !warned_global_md5_once) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ D_ERR("CVE-2022-38023: "
|
|
|
cb0e04 |
+ "Please configure 'reject md5 clients = yes' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
|
cb0e04 |
+ warned_global_md5_once = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (!schannel_global_required && !warned_global_schannel_once) {
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
* We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
@@ -143,6 +167,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
bool reject_des_client;
|
|
|
cb0e04 |
bool allow_nt4_crypto;
|
|
|
cb0e04 |
bool reject_md5_client;
|
|
|
cb0e04 |
+ bool need_des = true;
|
|
|
cb0e04 |
+ bool need_md5 = true;
|
|
|
cb0e04 |
+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
* We don't use lpcfg_parm_bool(), as we
|
|
|
cb0e04 |
@@ -183,19 +213,84 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
|
|
|
cb0e04 |
+ need_des = false;
|
|
|
cb0e04 |
reject_des_client = false;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
|
|
|
cb0e04 |
+ need_des = false;
|
|
|
cb0e04 |
+ need_md5 = false;
|
|
|
cb0e04 |
reject_des_client = false;
|
|
|
cb0e04 |
reject_md5_client = false;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (reject_des_client || reject_md5_client) {
|
|
|
cb0e04 |
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
|
|
|
cb0e04 |
+ if (CVE_2022_38023_error_level < DBGLVL_NOTICE) {
|
|
|
cb0e04 |
+ CVE_2022_38023_error_level = DBGLVL_NOTICE;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: "
|
|
|
cb0e04 |
+ "client_account[%s] computer_name[%s] "
|
|
|
cb0e04 |
+ "schannel_type[%u] "
|
|
|
cb0e04 |
+ "client_negotiate_flags[0x%x] "
|
|
|
cb0e04 |
+ "%s%s%s "
|
|
|
cb0e04 |
+ "NT_STATUS_DOWNGRADE_DETECTED "
|
|
|
cb0e04 |
+ "WEAK_CRYPTO_DISALLOWED\n",
|
|
|
cb0e04 |
+ log_escape(frame, r->in.account_name),
|
|
|
cb0e04 |
+ log_escape(frame, r->in.computer_name),
|
|
|
cb0e04 |
+ r->in.secure_channel_type,
|
|
|
cb0e04 |
+ (unsigned)*r->in.negotiate_flags,
|
|
|
cb0e04 |
+ trust_account_in_db ? "real_account[" : "",
|
|
|
cb0e04 |
+ trust_account_in_db ? trust_account_in_db : "",
|
|
|
cb0e04 |
+ trust_account_in_db ? "]" : ""));
|
|
|
cb0e04 |
+ goto return_downgrade;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: "
|
|
|
cb0e04 |
+ "client_account[%s] computer_name[%s] "
|
|
|
cb0e04 |
+ "schannel_type[%u] "
|
|
|
cb0e04 |
+ "client_negotiate_flags[0x%x] "
|
|
|
cb0e04 |
+ "%s%s%s "
|
|
|
cb0e04 |
+ "NT_STATUS_DOWNGRADE_DETECTED "
|
|
|
cb0e04 |
+ "reject_des[%u] reject_md5[%u]\n",
|
|
|
cb0e04 |
+ log_escape(frame, r->in.account_name),
|
|
|
cb0e04 |
+ log_escape(frame, r->in.computer_name),
|
|
|
cb0e04 |
+ r->in.secure_channel_type,
|
|
|
cb0e04 |
+ (unsigned)*r->in.negotiate_flags,
|
|
|
cb0e04 |
+ trust_account_in_db ? "real_account[" : "",
|
|
|
cb0e04 |
+ trust_account_in_db ? trust_account_in_db : "",
|
|
|
cb0e04 |
+ trust_account_in_db ? "]" : "",
|
|
|
cb0e04 |
+ reject_des_client,
|
|
|
cb0e04 |
+ reject_md5_client));
|
|
|
cb0e04 |
+ if (trust_account_in_db == NULL) {
|
|
|
cb0e04 |
+ goto return_downgrade;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (reject_md5_client && explicit_md5_opt == NULL) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server reject md5 schannel:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ trust_account_in_db));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (reject_des_client && explicit_nt4_opt == NULL) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'allow nt4 crypto:%s = yes' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ trust_account_in_db));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+return_downgrade:
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
* Here we match Windows 2012 and return no flags.
|
|
|
cb0e04 |
*/
|
|
|
cb0e04 |
*r->out.negotiate_flags = 0;
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
return NT_STATUS_DOWNGRADE_DETECTED;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -228,6 +323,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
|
|
|
cb0e04 |
*/
|
|
|
cb0e04 |
*r->out.negotiate_flags = negotiate_flags;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) {
|
|
|
cb0e04 |
+ return orig_status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) {
|
|
|
cb0e04 |
+ D_INFO("CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server reject md5 schannel:%s = yes' not needed!?\n",
|
|
|
cb0e04 |
+ trust_account_in_db);
|
|
|
cb0e04 |
+ } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) {
|
|
|
cb0e04 |
+ D_INFO("CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server reject md5 schannel:%s = no' "
|
|
|
cb0e04 |
+ "still needed for a legacy client.\n",
|
|
|
cb0e04 |
+ trust_account_in_db);
|
|
|
cb0e04 |
+ } else if (need_md5 && explicit_md5_opt == NULL) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server reject md5 schannel:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ trust_account_in_db));
|
|
|
cb0e04 |
+ } else if (!account_reject_md5_client && explicit_md5_opt) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_warn_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server reject md5 schannel:%s = no' not needed!?\n",
|
|
|
cb0e04 |
+ trust_account_in_db));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) {
|
|
|
cb0e04 |
+ D_INFO("CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'allow nt4 crypto:%s = no' not needed!?\n",
|
|
|
cb0e04 |
+ trust_account_in_db);
|
|
|
cb0e04 |
+ } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) {
|
|
|
cb0e04 |
+ D_INFO("CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'allow nt4 crypto:%s = yes' "
|
|
|
cb0e04 |
+ "still needed for a legacy client.\n",
|
|
|
cb0e04 |
+ trust_account_in_db);
|
|
|
cb0e04 |
+ } else if (need_des && explicit_nt4_opt == NULL) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'allow nt4 crypto:%s = yes' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ trust_account_in_db));
|
|
|
cb0e04 |
+ } else if (account_allow_nt4_crypto && explicit_nt4_opt) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_warn_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'allow nt4 crypto:%s = yes' not needed!?\n",
|
|
|
cb0e04 |
+ trust_account_in_db));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
return orig_status;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From ab3062a57e170f90bca2d88771559d7c5ea38837 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 14:57:20 +0100
|
|
|
cb0e04 |
Subject: [PATCH 23/30] CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4
|
|
|
cb0e04 |
crypto = yes' and 'reject md5 clients = no'
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Instead of using the generic deprecated option use the specific
|
|
|
cb0e04 |
allow nt4 crypto:COMPUTERACCOUNT = yes and
|
|
|
cb0e04 |
server reject md5 schannel:COMPUTERACCOUNT = no
|
|
|
cb0e04 |
in order to allow legacy tests for pass.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++-----
|
|
|
cb0e04 |
1 file changed, 53 insertions(+), 7 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
index fb63bbeff059..b61acbf8e57b 100755
|
|
|
cb0e04 |
--- a/selftest/target/Samba4.pm
|
|
|
cb0e04 |
+++ b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
@@ -1608,7 +1608,6 @@ sub provision_ad_dc_ntvfs($$$)
|
|
|
cb0e04 |
my $extra_conf_options = "netbios aliases = localDC1-a
|
|
|
cb0e04 |
server services = +winbind -winbindd
|
|
|
cb0e04 |
ldap server require strong auth = allow_sasl_over_tls
|
|
|
cb0e04 |
- allow nt4 crypto = yes
|
|
|
cb0e04 |
raw NTLMv2 auth = yes
|
|
|
cb0e04 |
lsa over netlogon = yes
|
|
|
cb0e04 |
rpc server port = 1027
|
|
|
cb0e04 |
@@ -1620,9 +1619,19 @@ sub provision_ad_dc_ntvfs($$$)
|
|
|
cb0e04 |
client min protocol = CORE
|
|
|
cb0e04 |
server min protocol = LANMAN1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- reject md5 clients = no
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
CVE_2020_1472:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ CVE_2022_38023:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ allow nt4 crypto:torturetest\$ = yes
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel2\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel3\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel8\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel9\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturetest\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2proxywk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfwk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacwksta\$ = no
|
|
|
cb0e04 |
server require schannel:schannel0\$ = no
|
|
|
cb0e04 |
server require schannel:schannel1\$ = no
|
|
|
cb0e04 |
server require schannel:schannel2\$ = no
|
|
|
cb0e04 |
@@ -1677,6 +1686,13 @@ sub provision_fl2000dc($$)
|
|
|
cb0e04 |
kdc enable fast = no
|
|
|
cb0e04 |
spnego:simulate_w2k=yes
|
|
|
cb0e04 |
ntlmssp_server:force_old_spnego=yes
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ CVE_2022_38023:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2proxywk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfwk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacwksta\$ = no
|
|
|
cb0e04 |
";
|
|
|
cb0e04 |
my $extra_provision_options = ["--base-schema=2008_R2"];
|
|
|
cb0e04 |
# This environment uses plain text secrets
|
|
|
cb0e04 |
@@ -1717,11 +1733,23 @@ sub provision_fl2003dc($$$)
|
|
|
cb0e04 |
my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
|
|
|
cb0e04 |
- my $extra_conf_options = "allow dns updates = nonsecure and secure
|
|
|
cb0e04 |
+ my $extra_conf_options = "
|
|
|
cb0e04 |
+ allow dns updates = nonsecure and secure
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
kdc enable fast = no
|
|
|
cb0e04 |
dcesrv:header signing = no
|
|
|
cb0e04 |
dcesrv:max auth states = 0
|
|
|
cb0e04 |
- dns forwarder = $ip_addr1 [$ip_addr2]:54";
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ dns forwarder = $ip_addr1 [$ip_addr2]:54
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ CVE_2022_38023:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2proxywk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfwk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacwksta\$ = no
|
|
|
cb0e04 |
+";
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
my $extra_provision_options = ["--base-schema=2008_R2"];
|
|
|
cb0e04 |
my $ret = $self->provision($prefix,
|
|
|
cb0e04 |
"domain controller",
|
|
|
cb0e04 |
@@ -1776,6 +1804,13 @@ sub provision_fl2008r2dc($$$)
|
|
|
cb0e04 |
ldap server require strong auth = no
|
|
|
cb0e04 |
# delay by 10 seconds, 10^7 usecs
|
|
|
cb0e04 |
ldap_server:delay_expire_disconnect = 10000
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ CVE_2022_38023:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2proxywk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfwk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacwksta\$ = no
|
|
|
cb0e04 |
";
|
|
|
cb0e04 |
my $extra_provision_options = ["--base-schema=2008_R2"];
|
|
|
cb0e04 |
my $ret = $self->provision($prefix,
|
|
|
cb0e04 |
@@ -1987,9 +2022,20 @@ sub provision_ad_dc($$$$$$$)
|
|
|
cb0e04 |
lpq cache time = 0
|
|
|
cb0e04 |
print notify backchannel = yes
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- reject md5 clients = no
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
CVE_2020_1472:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ CVE_2022_38023:warn_about_unused_debug_level = 3
|
|
|
cb0e04 |
+ CVE_2022_38023:error_debug_level = 2
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel2\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel3\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel8\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:schannel9\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturetest\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2proxywk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:tests4u2selfwk\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacbdc\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:torturepacwksta\$ = no
|
|
|
cb0e04 |
+ server reject md5 schannel:samlogontest\$ = no
|
|
|
cb0e04 |
server require schannel:schannel0\$ = no
|
|
|
cb0e04 |
server require schannel:schannel1\$ = no
|
|
|
cb0e04 |
server require schannel:schannel2\$ = no
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 8ab5154b071bc02c540da963cf1c7e15cbf6c63b Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 16:57:24 +0100
|
|
|
cb0e04 |
Subject: [PATCH 24/30] CVE-2022-38023 s4:rpc_server/netlogon: split out
|
|
|
cb0e04 |
dcesrv_netr_check_schannel() function
|
|
|
cb0e04 |
|
|
|
cb0e04 |
This will allow us to reuse the function in other places.
|
|
|
cb0e04 |
As it will also get some additional checks soon.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++--------
|
|
|
cb0e04 |
1 file changed, 51 insertions(+), 33 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 5f2f765abe5b..8e952ec2e0c7 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -877,18 +877,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3;;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
-/*
|
|
|
cb0e04 |
- * NOTE: The following functions are nearly identical to the ones available in
|
|
|
cb0e04 |
- * source3/rpc_server/srv_nelog_nt.c
|
|
|
cb0e04 |
- * The reason we keep 2 copies is that they use different structures to
|
|
|
cb0e04 |
- * represent the auth_info and the decrpc pipes.
|
|
|
cb0e04 |
- */
|
|
|
cb0e04 |
-static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
- TALLOC_CTX *mem_ctx,
|
|
|
cb0e04 |
- const char *computer_name,
|
|
|
cb0e04 |
- struct netr_Authenticator *received_authenticator,
|
|
|
cb0e04 |
- struct netr_Authenticator *return_authenticator,
|
|
|
cb0e04 |
- struct netlogon_creds_CredentialState **creds_out)
|
|
|
cb0e04 |
+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
+ const struct netlogon_creds_CredentialState *creds,
|
|
|
cb0e04 |
+ enum dcerpc_AuthType auth_type,
|
|
|
cb0e04 |
+ enum dcerpc_AuthLevel auth_level,
|
|
|
cb0e04 |
+ uint16_t opnum)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
TALLOC_CTX *frame = talloc_stackframe();
|
|
|
cb0e04 |
@@ -897,15 +890,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
bool schannel_required = schannel_global_required;
|
|
|
cb0e04 |
const char *explicit_opt = NULL;
|
|
|
cb0e04 |
- struct netlogon_creds_CredentialState *creds = NULL;
|
|
|
cb0e04 |
int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
unsigned int dbg_lvl = DBGLVL_DEBUG;
|
|
|
cb0e04 |
- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
|
cb0e04 |
- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
|
|
cb0e04 |
- uint16_t opnum = dce_call->pkt.u.request.opnum;
|
|
|
cb0e04 |
const char *opname = "<unknown>";
|
|
|
cb0e04 |
const char *reason = "<unknown>";
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -913,8 +902,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
opname = ndr_table_netlogon.calls[opnum].name;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
|
|
cb0e04 |
reason = "WITH SEALED";
|
|
|
cb0e04 |
@@ -927,17 +914,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
reason = "WITHOUT";
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- nt_status = schannel_check_creds_state(mem_ctx,
|
|
|
cb0e04 |
- lp_ctx,
|
|
|
cb0e04 |
- computer_name,
|
|
|
cb0e04 |
- received_authenticator,
|
|
|
cb0e04 |
- return_authenticator,
|
|
|
cb0e04 |
- &creds);
|
|
|
cb0e04 |
- if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
- ZERO_STRUCTP(return_authenticator);
|
|
|
cb0e04 |
- return nt_status;
|
|
|
cb0e04 |
- }
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
* We don't use lpcfg_parm_bool(), as we
|
|
|
cb0e04 |
* need the explicit_opt pointer in order to
|
|
|
cb0e04 |
@@ -977,7 +953,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- *creds_out = creds;
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
return nt_status;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -1011,8 +986,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
"might be needed for a legacy client.\n",
|
|
|
cb0e04 |
log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
- TALLOC_FREE(creds);
|
|
|
cb0e04 |
- ZERO_STRUCTP(return_authenticator);
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
return nt_status;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -1056,11 +1029,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- *creds_out = creds;
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
return NT_STATUS_OK;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+/*
|
|
|
cb0e04 |
+ * NOTE: The following functions are nearly identical to the ones available in
|
|
|
cb0e04 |
+ * source3/rpc_server/srv_nelog_nt.c
|
|
|
cb0e04 |
+ * The reason we keep 2 copies is that they use different structures to
|
|
|
cb0e04 |
+ * represent the auth_info and the decrpc pipes.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
+ TALLOC_CTX *mem_ctx,
|
|
|
cb0e04 |
+ const char *computer_name,
|
|
|
cb0e04 |
+ struct netr_Authenticator *received_authenticator,
|
|
|
cb0e04 |
+ struct netr_Authenticator *return_authenticator,
|
|
|
cb0e04 |
+ struct netlogon_creds_CredentialState **creds_out)
|
|
|
cb0e04 |
+{
|
|
|
cb0e04 |
+ NTSTATUS nt_status;
|
|
|
cb0e04 |
+ struct netlogon_creds_CredentialState *creds = NULL;
|
|
|
cb0e04 |
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
|
cb0e04 |
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ nt_status = schannel_check_creds_state(mem_ctx,
|
|
|
cb0e04 |
+ dce_call->conn->dce_ctx->lp_ctx,
|
|
|
cb0e04 |
+ computer_name,
|
|
|
cb0e04 |
+ received_authenticator,
|
|
|
cb0e04 |
+ return_authenticator,
|
|
|
cb0e04 |
+ &creds);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
+ ZERO_STRUCTP(return_authenticator);
|
|
|
cb0e04 |
+ return nt_status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ nt_status = dcesrv_netr_check_schannel(dce_call,
|
|
|
cb0e04 |
+ creds,
|
|
|
cb0e04 |
+ auth_type,
|
|
|
cb0e04 |
+ auth_level,
|
|
|
cb0e04 |
+ dce_call->pkt.u.request.opnum);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
+ TALLOC_FREE(creds);
|
|
|
cb0e04 |
+ ZERO_STRUCTP(return_authenticator);
|
|
|
cb0e04 |
+ return nt_status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ *creds_out = creds;
|
|
|
cb0e04 |
+ return NT_STATUS_OK;
|
|
|
cb0e04 |
+}
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
Change the machine account password for the currently connected
|
|
|
cb0e04 |
client. Supplies only the NT#.
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 875734d5294ff48950a24d6a89be52c916307bc2 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 17:15:36 +0100
|
|
|
cb0e04 |
Subject: [PATCH 25/30] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
|
|
|
cb0e04 |
dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
|
|
|
cb0e04 |
which are also required for dcesrv_netr_LogonSamLogonEx().
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++----
|
|
|
cb0e04 |
1 file changed, 29 insertions(+), 7 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 8e952ec2e0c7..d5bca620b0d4 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -1441,6 +1441,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
|
|
|
cb0e04 |
struct auth_usersupplied_info *user_info = NULL;
|
|
|
cb0e04 |
NTSTATUS nt_status;
|
|
|
cb0e04 |
struct tevent_req *subreq = NULL;
|
|
|
cb0e04 |
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
|
cb0e04 |
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ switch (dce_call->pkt.u.request.opnum) {
|
|
|
cb0e04 |
+ case NDR_NETR_LOGONSAMLOGON:
|
|
|
cb0e04 |
+ case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * These already called dcesrv_netr_check_schannel()
|
|
|
cb0e04 |
+ * via dcesrv_netr_creds_server_step_check()
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ break;
|
|
|
cb0e04 |
+ case NDR_NETR_LOGONSAMLOGONEX:
|
|
|
cb0e04 |
+ default:
|
|
|
cb0e04 |
+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
+ return NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ nt_status = dcesrv_netr_check_schannel(dce_call,
|
|
|
cb0e04 |
+ creds,
|
|
|
cb0e04 |
+ auth_type,
|
|
|
cb0e04 |
+ auth_level,
|
|
|
cb0e04 |
+ dce_call->pkt.u.request.opnum);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(nt_status)) {
|
|
|
cb0e04 |
+ return nt_status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ break;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
|
|
|
cb0e04 |
*r->out.authoritative = 1;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -1789,7 +1818,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
|
|
|
cb0e04 |
static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
|
|
|
cb0e04 |
struct netr_LogonSamLogonEx *r)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
|
|
|
cb0e04 |
struct dcesrv_netr_LogonSamLogon_base_state *state;
|
|
|
cb0e04 |
NTSTATUS nt_status;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -1827,12 +1855,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
return nt_status;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- dcesrv_call_auth_info(dce_call, &auth_type, NULL);
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
- return NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
- }
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 9c294a19374d15f04649c62f4e5f8df6a59610a5 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 16:53:35 +0100
|
|
|
cb0e04 |
Subject: [PATCH 26/30] CVE-2022-38023 docs-xml/smbdotconf: add "server
|
|
|
cb0e04 |
schannel require seal[:COMPUTERACCOUNT]" options
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
.../smbdotconf/security/serverschannel.xml | 43 ++++++-
|
|
|
cb0e04 |
.../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++
|
|
|
cb0e04 |
lib/param/loadparm.c | 1 +
|
|
|
cb0e04 |
source3/param/loadparm.c | 1 +
|
|
|
cb0e04 |
4 files changed, 157 insertions(+), 6 deletions(-)
|
|
|
cb0e04 |
create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
index 3e66df1c2032..42a657912cac 100644
|
|
|
cb0e04 |
--- a/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
|
|
|
cb0e04 |
@@ -12,19 +12,37 @@
|
|
|
cb0e04 |
the hardcoded behavior in future).
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>
|
|
|
cb0e04 |
- Samba will complain in the log files at log level 0,
|
|
|
cb0e04 |
- about the security problem if the option is not set to "yes".
|
|
|
cb0e04 |
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log an error in the log files at log level 0
|
|
|
cb0e04 |
+ if legacy a client is rejected or allowed without an explicit,
|
|
|
cb0e04 |
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
|
|
|
cb0e04 |
+ for the client. The message will indicate
|
|
|
cb0e04 |
+ the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
|
|
|
cb0e04 |
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
<para>
|
|
|
cb0e04 |
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
|
cb0e04 |
+ This allows admins to use "auto" only for a short grace period,
|
|
|
cb0e04 |
+ in order to collect the explicit
|
|
|
cb0e04 |
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
|
|
|
cb0e04 |
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the effective value of 'yes' from
|
|
|
cb0e04 |
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
|
|
|
cb0e04 |
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<value type="default">yes</value>
|
|
|
cb0e04 |
@@ -48,6 +66,9 @@
|
|
|
cb0e04 |
about the security problem if the option is not set to "no",
|
|
|
cb0e04 |
but the related computer is actually using the netlogon
|
|
|
cb0e04 |
secure channel (schannel) feature.
|
|
|
cb0e04 |
+ (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>
|
|
|
cb0e04 |
@@ -56,15 +77,25 @@
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>
|
|
|
cb0e04 |
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
|
|
|
cb0e04 |
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
|
|
|
cb0e04 |
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
|
|
|
cb0e04 |
</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
<para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ <para>This option is over-ridden by the effective value of 'yes' from
|
|
|
cb0e04 |
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
|
|
|
cb0e04 |
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
|
|
|
cb0e04 |
+ <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
|
|
|
cb0e04 |
+ is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
<programlisting>
|
|
|
cb0e04 |
server require schannel:LEGACYCOMPUTER1$ = no
|
|
|
cb0e04 |
+ server require schannel seal:LEGACYCOMPUTER1$ = no
|
|
|
cb0e04 |
server require schannel:NASBOX$ = no
|
|
|
cb0e04 |
+ server require schannel seal:NASBOX$ = no
|
|
|
cb0e04 |
server require schannel:LEGACYCOMPUTER2$ = no
|
|
|
cb0e04 |
+ server require schannel seal:LEGACYCOMPUTER2$ = no
|
|
|
cb0e04 |
</programlisting>
|
|
|
cb0e04 |
</description>
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
|
|
|
cb0e04 |
new file mode 100644
|
|
|
cb0e04 |
index 000000000000..d4620d1252dd
|
|
|
cb0e04 |
--- /dev/null
|
|
|
cb0e04 |
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
|
|
|
cb0e04 |
@@ -0,0 +1,118 @@
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ context="G"
|
|
|
cb0e04 |
+ type="boolean"
|
|
|
cb0e04 |
+ deprecated="1"
|
|
|
cb0e04 |
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
|
cb0e04 |
+<description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ This option is deprecated and will be removed in future,
|
|
|
cb0e04 |
+ as it is a security problem if not set to "yes" (which will be
|
|
|
cb0e04 |
+ the hardcoded behavior in future).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ This option controls whether the netlogon server (currently
|
|
|
cb0e04 |
+ only in 'active directory domain controller' mode), will
|
|
|
cb0e04 |
+ reject the usage of netlogon secure channel without privacy/enryption.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ The option is modelled after the registry key available on Windows.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <programlisting>
|
|
|
cb0e04 |
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
|
|
|
cb0e04 |
+ </programlisting>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
|
|
|
cb0e04 |
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
|
|
|
cb0e04 |
+ Which is available with the patches for
|
|
|
cb0e04 |
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
|
|
|
cb0e04 |
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log an error in the log files at log level 0
|
|
|
cb0e04 |
+ if legacy a client is rejected or allowed without an explicit,
|
|
|
cb0e04 |
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
|
|
|
cb0e04 |
+ for the client. The message will indicate
|
|
|
cb0e04 |
+ the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
|
|
|
cb0e04 |
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>This allows admins to use "no" only for a short grace period,
|
|
|
cb0e04 |
+ in order to collect the explicit
|
|
|
cb0e04 |
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ When set to 'yes' this option overrides the
|
|
|
cb0e04 |
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
|
|
|
cb0e04 |
+ '<smbconfoption name="server schannel"/>' options and implies
|
|
|
cb0e04 |
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+</description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+<value type="default">yes</value>
|
|
|
cb0e04 |
+</samba:parameter>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ context="G"
|
|
|
cb0e04 |
+ type="string"
|
|
|
cb0e04 |
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
|
|
|
cb0e04 |
+<description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ If you still have legacy domain members, which required "server schannel require seal = no" before,
|
|
|
cb0e04 |
+ it is possible to specify explicit exception per computer account
|
|
|
cb0e04 |
+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
|
|
|
cb0e04 |
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
|
|
|
cb0e04 |
+ the computer account (including the trailing '$' sign).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will log a complaint in the log files at log level 0
|
|
|
cb0e04 |
+ about the security problem if the option is set to "no",
|
|
|
cb0e04 |
+ but the related computer does not require it.
|
|
|
cb0e04 |
+ (The log level can be adjusted with
|
|
|
cb0e04 |
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
|
|
|
cb0e04 |
+ in order to complain only at a higher log level).
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ Samba will warn in the log files at log level 5,
|
|
|
cb0e04 |
+ if a setting is still needed for the specified computer account.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
|
|
|
cb0e04 |
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <para>
|
|
|
cb0e04 |
+ When set to 'yes' this option overrides the
|
|
|
cb0e04 |
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
|
|
|
cb0e04 |
+ '<smbconfoption name="server schannel"/>' options and implies
|
|
|
cb0e04 |
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
|
|
|
cb0e04 |
+ </para>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ <programlisting>
|
|
|
cb0e04 |
+ server require schannel seal:LEGACYCOMPUTER1$ = no
|
|
|
cb0e04 |
+ server require schannel seal:NASBOX$ = no
|
|
|
cb0e04 |
+ server require schannel seal:LEGACYCOMPUTER2$ = no
|
|
|
cb0e04 |
+ </programlisting>
|
|
|
cb0e04 |
+</description>
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+</samba:parameter>
|
|
|
cb0e04 |
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
|
|
cb0e04 |
index 2b644ee97c02..2b1eec5c4a12 100644
|
|
|
cb0e04 |
--- a/lib/param/loadparm.c
|
|
|
cb0e04 |
+++ b/lib/param/loadparm.c
|
|
|
cb0e04 |
@@ -2725,6 +2725,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
|
|
|
cb0e04 |
+ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
|
|
|
cb0e04 |
|
|
|
cb0e04 |
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
|
|
|
cb0e04 |
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
|
|
cb0e04 |
index 28ce4de6dd67..443b63a1cf46 100644
|
|
|
cb0e04 |
--- a/source3/param/loadparm.c
|
|
|
cb0e04 |
+++ b/source3/param/loadparm.c
|
|
|
cb0e04 |
@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
|
|
cb0e04 |
Globals.require_strong_key = true;
|
|
|
cb0e04 |
Globals.reject_md5_servers = true;
|
|
|
cb0e04 |
Globals.server_schannel = true;
|
|
|
cb0e04 |
+ Globals.server_schannel_require_seal = true;
|
|
|
cb0e04 |
Globals.reject_md5_clients = true;
|
|
|
cb0e04 |
Globals.read_raw = true;
|
|
|
cb0e04 |
Globals.write_raw = true;
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 422a2c9adcc39edb4a9ea3da435a7b53822f6ccc Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 2 Dec 2022 14:31:26 +0100
|
|
|
cb0e04 |
Subject: [PATCH 27/30] CVE-2022-38023 s4:rpc_server/netlogon: add a per
|
|
|
cb0e04 |
connection cache to dcesrv_netr_check_schannel()
|
|
|
cb0e04 |
|
|
|
cb0e04 |
It's enough to warn the admin once per connection.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++----
|
|
|
cb0e04 |
1 file changed, 153 insertions(+), 40 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index d5bca620b0d4..624c8d407242 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -877,23 +877,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3;;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
-static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
- const struct netlogon_creds_CredentialState *creds,
|
|
|
cb0e04 |
- enum dcerpc_AuthType auth_type,
|
|
|
cb0e04 |
- enum dcerpc_AuthLevel auth_level,
|
|
|
cb0e04 |
- uint16_t opnum)
|
|
|
cb0e04 |
+struct dcesrv_netr_check_schannel_state {
|
|
|
cb0e04 |
+ struct dom_sid account_sid;
|
|
|
cb0e04 |
+ enum dcerpc_AuthType auth_type;
|
|
|
cb0e04 |
+ enum dcerpc_AuthLevel auth_level;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ bool schannel_global_required;
|
|
|
cb0e04 |
+ bool schannel_required;
|
|
|
cb0e04 |
+ bool schannel_explicitly_set;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ NTSTATUS result;
|
|
|
cb0e04 |
+};
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
+ const struct netlogon_creds_CredentialState *creds,
|
|
|
cb0e04 |
+ enum dcerpc_AuthType auth_type,
|
|
|
cb0e04 |
+ enum dcerpc_AuthLevel auth_level,
|
|
|
cb0e04 |
+ struct dcesrv_netr_check_schannel_state **_s)
|
|
|
cb0e04 |
{
|
|
|
cb0e04 |
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
- TALLOC_CTX *frame = talloc_stackframe();
|
|
|
cb0e04 |
- NTSTATUS nt_status;
|
|
|
cb0e04 |
int schannel = lpcfg_server_schannel(lp_ctx);
|
|
|
cb0e04 |
bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
bool schannel_required = schannel_global_required;
|
|
|
cb0e04 |
const char *explicit_opt = NULL;
|
|
|
cb0e04 |
+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
|
|
|
cb0e04 |
+ struct dcesrv_netr_check_schannel_state *s = NULL;
|
|
|
cb0e04 |
+ NTSTATUS status;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ *_s = NULL;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ s = dcesrv_iface_state_find_conn(dce_call,
|
|
|
cb0e04 |
+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
|
|
|
cb0e04 |
+ struct dcesrv_netr_check_schannel_state);
|
|
|
cb0e04 |
+ if (s != NULL) {
|
|
|
cb0e04 |
+ if (!dom_sid_equal(&s->account_sid, creds->sid)) {
|
|
|
cb0e04 |
+ goto new_state;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (s->auth_type != auth_type) {
|
|
|
cb0e04 |
+ goto new_state;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (s->auth_level != auth_level) {
|
|
|
cb0e04 |
+ goto new_state;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ *_s = s;
|
|
|
cb0e04 |
+ return NT_STATUS_OK;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+new_state:
|
|
|
cb0e04 |
+ TALLOC_FREE(s);
|
|
|
cb0e04 |
+ s = talloc_zero(dce_call,
|
|
|
cb0e04 |
+ struct dcesrv_netr_check_schannel_state);
|
|
|
cb0e04 |
+ if (s == NULL) {
|
|
|
cb0e04 |
+ return NT_STATUS_NO_MEMORY;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ s->account_sid = *creds->sid;
|
|
|
cb0e04 |
+ s->auth_type = auth_type;
|
|
|
cb0e04 |
+ s->auth_level = auth_level;
|
|
|
cb0e04 |
+ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We don't use lpcfg_parm_bool(), as we
|
|
|
cb0e04 |
+ * need the explicit_opt pointer in order to
|
|
|
cb0e04 |
+ * adjust the debug messages.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ explicit_opt = lpcfg_get_parametric(lp_ctx,
|
|
|
cb0e04 |
+ NULL,
|
|
|
cb0e04 |
+ "server require schannel",
|
|
|
cb0e04 |
+ creds->account_name);
|
|
|
cb0e04 |
+ if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ schannel_required = lp_bool(explicit_opt);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ s->schannel_global_required = schannel_global_required;
|
|
|
cb0e04 |
+ s->schannel_required = schannel_required;
|
|
|
cb0e04 |
+ s->schannel_explicitly_set = explicit_opt != NULL;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ status = dcesrv_iface_state_store_conn(dce_call,
|
|
|
cb0e04 |
+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
|
|
|
cb0e04 |
+ s);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(status)) {
|
|
|
cb0e04 |
+ return status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ *_s = s;
|
|
|
cb0e04 |
+ return NT_STATUS_OK;
|
|
|
cb0e04 |
+}
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
+ struct dcesrv_netr_check_schannel_state *s,
|
|
|
cb0e04 |
+ const struct netlogon_creds_CredentialState *creds,
|
|
|
cb0e04 |
+ uint16_t opnum)
|
|
|
cb0e04 |
+{
|
|
|
cb0e04 |
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
|
|
|
cb0e04 |
int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
+ TALLOC_CTX *frame = talloc_stackframe();
|
|
|
cb0e04 |
unsigned int dbg_lvl = DBGLVL_DEBUG;
|
|
|
cb0e04 |
const char *opname = "<unknown>";
|
|
|
cb0e04 |
const char *reason = "<unknown>";
|
|
|
cb0e04 |
@@ -902,37 +984,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
opname = ndr_table_netlogon.calls[opnum].name;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
|
|
cb0e04 |
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
+ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
|
|
|
cb0e04 |
reason = "WITH SEALED";
|
|
|
cb0e04 |
- } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
|
|
|
cb0e04 |
+ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
|
|
|
cb0e04 |
reason = "WITH SIGNED";
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
- smb_panic("Schannel without SIGN/SEAL");
|
|
|
cb0e04 |
+ reason = "WITH INVALID";
|
|
|
cb0e04 |
+ dbg_lvl = DBGLVL_ERR;
|
|
|
cb0e04 |
+ s->result = NT_STATUS_INTERNAL_ERROR;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
reason = "WITHOUT";
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- /*
|
|
|
cb0e04 |
- * We don't use lpcfg_parm_bool(), as we
|
|
|
cb0e04 |
- * need the explicit_opt pointer in order to
|
|
|
cb0e04 |
- * adjust the debug messages.
|
|
|
cb0e04 |
- */
|
|
|
cb0e04 |
- explicit_opt = lpcfg_get_parametric(lp_ctx,
|
|
|
cb0e04 |
- NULL,
|
|
|
cb0e04 |
- "server require schannel",
|
|
|
cb0e04 |
- creds->account_name);
|
|
|
cb0e04 |
- if (explicit_opt != NULL) {
|
|
|
cb0e04 |
- schannel_required = lp_bool(explicit_opt);
|
|
|
cb0e04 |
+ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(s->result)) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
+ "client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
+ opname, opnum, reason,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
+ nt_errstr(s->result)));
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
+ return s->result;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
- nt_status = NT_STATUS_OK;
|
|
|
cb0e04 |
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
+ s->result = NT_STATUS_OK;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (explicit_opt != NULL && !schannel_required) {
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set && !s->schannel_required) {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
|
|
|
cb0e04 |
- } else if (!schannel_required) {
|
|
|
cb0e04 |
+ } else if (!s->schannel_required) {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -943,9 +1031,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
opname, opnum, reason,
|
|
|
cb0e04 |
log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
- nt_errstr(nt_status)));
|
|
|
cb0e04 |
-
|
|
|
cb0e04 |
- if (explicit_opt != NULL && !schannel_required) {
|
|
|
cb0e04 |
+ nt_errstr(s->result)));
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set && !s->schannel_required) {
|
|
|
cb0e04 |
DEBUG(CVE_2020_1472_warn_level, (
|
|
|
cb0e04 |
"CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
"Option 'server require schannel:%s = no' not needed for '%s'!\n",
|
|
|
cb0e04 |
@@ -954,13 +1041,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
- return nt_status;
|
|
|
cb0e04 |
+ return s->result;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (schannel_required) {
|
|
|
cb0e04 |
- nt_status = NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
+ if (s->schannel_required) {
|
|
|
cb0e04 |
+ s->result = NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set) {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
|
|
cb0e04 |
@@ -973,8 +1060,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
opname, opnum, reason,
|
|
|
cb0e04 |
log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
- nt_errstr(nt_status)));
|
|
|
cb0e04 |
- if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ nt_errstr(s->result)));
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set) {
|
|
|
cb0e04 |
D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
|
|
|
cb0e04 |
"'server require schannel:%s = yes' "
|
|
|
cb0e04 |
"rejects access for client.\n",
|
|
|
cb0e04 |
@@ -987,12 +1074,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
- return nt_status;
|
|
|
cb0e04 |
+ return s->result;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- nt_status = NT_STATUS_OK;
|
|
|
cb0e04 |
+ s->result = NT_STATUS_OK;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set) {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
|
|
cb0e04 |
@@ -1005,9 +1092,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
opname, opnum, reason,
|
|
|
cb0e04 |
log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
- nt_errstr(nt_status)));
|
|
|
cb0e04 |
+ nt_errstr(s->result)));
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (explicit_opt != NULL) {
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set) {
|
|
|
cb0e04 |
D_INFO("CVE-2020-1472(ZeroLogon): Option "
|
|
|
cb0e04 |
"'server require schannel:%s = no' "
|
|
|
cb0e04 |
"still needed for '%s'!\n",
|
|
|
cb0e04 |
@@ -1030,6 +1117,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
+ return s->result;
|
|
|
cb0e04 |
+}
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
|
|
|
cb0e04 |
+ const struct netlogon_creds_CredentialState *creds,
|
|
|
cb0e04 |
+ enum dcerpc_AuthType auth_type,
|
|
|
cb0e04 |
+ enum dcerpc_AuthLevel auth_level,
|
|
|
cb0e04 |
+ uint16_t opnum)
|
|
|
cb0e04 |
+{
|
|
|
cb0e04 |
+ struct dcesrv_netr_check_schannel_state *s = NULL;
|
|
|
cb0e04 |
+ NTSTATUS status;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ status = dcesrv_netr_check_schannel_get_state(dce_call,
|
|
|
cb0e04 |
+ creds,
|
|
|
cb0e04 |
+ auth_type,
|
|
|
cb0e04 |
+ auth_level,
|
|
|
cb0e04 |
+ &s);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(status)) {
|
|
|
cb0e04 |
+ return status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum);
|
|
|
cb0e04 |
+ if (!NT_STATUS_IS_OK(status)) {
|
|
|
cb0e04 |
+ return status;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
return NT_STATUS_OK;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 78d79aade1f07776266e22829a53a594bb2968b8 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Fri, 25 Nov 2022 14:05:30 +0100
|
|
|
cb0e04 |
Subject: [PATCH 28/30] CVE-2022-38023 s4:rpc_server/netlogon: implement
|
|
|
cb0e04 |
"server schannel require seal[:COMPUTERACCOUNT]"
|
|
|
cb0e04 |
|
|
|
cb0e04 |
By default we'll now require schannel connections with
|
|
|
cb0e04 |
privacy/sealing/encryption.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
But we allow exceptions for specific computer/trust accounts.
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
selftest/target/Samba4.pm | 28 ++
|
|
|
cb0e04 |
source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++-
|
|
|
cb0e04 |
2 files changed, 271 insertions(+), 1 deletion(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
index b61acbf8e57b..087860b9ebdd 100755
|
|
|
cb0e04 |
--- a/selftest/target/Samba4.pm
|
|
|
cb0e04 |
+++ b/selftest/target/Samba4.pm
|
|
|
cb0e04 |
@@ -1645,9 +1645,23 @@ sub provision_ad_dc_ntvfs($$$)
|
|
|
cb0e04 |
server require schannel:schannel10\$ = no
|
|
|
cb0e04 |
server require schannel:schannel11\$ = no
|
|
|
cb0e04 |
server require schannel:torturetest\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel0\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel1\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel2\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel3\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel4\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel5\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel6\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel7\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel8\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel9\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel10\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel11\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:torturetest\$ = no
|
|
|
cb0e04 |
|
|
|
cb0e04 |
# needed for 'samba.tests.auth_log' tests
|
|
|
cb0e04 |
server require schannel:LOCALDC\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:LOCALDC\$ = no
|
|
|
cb0e04 |
";
|
|
|
cb0e04 |
push (@{$extra_provision_options}, "--use-ntvfs");
|
|
|
cb0e04 |
my $ret = $self->provision($prefix,
|
|
|
cb0e04 |
@@ -2049,6 +2063,19 @@ sub provision_ad_dc($$$$$$$)
|
|
|
cb0e04 |
server require schannel:schannel10\$ = no
|
|
|
cb0e04 |
server require schannel:schannel11\$ = no
|
|
|
cb0e04 |
server require schannel:torturetest\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel0\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel1\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel2\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel3\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel4\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel5\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel6\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel7\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel8\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel9\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel10\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:schannel11\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:torturetest\$ = no
|
|
|
cb0e04 |
|
|
|
cb0e04 |
auth event notification = true
|
|
|
cb0e04 |
dsdb event notification = true
|
|
|
cb0e04 |
@@ -2742,6 +2769,7 @@ sub setup_ad_dc_smb1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
# needed for 'samba.tests.auth_log' tests
|
|
|
cb0e04 |
server require schannel:ADDCSMB1\$ = no
|
|
|
cb0e04 |
+ server schannel require seal:ADDCSMB1\$ = no
|
|
|
cb0e04 |
";
|
|
|
cb0e04 |
return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
index 624c8d407242..ddcb8487a56d 100644
|
|
|
cb0e04 |
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
|
|
|
cb0e04 |
@@ -68,9 +68,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
|
|
|
cb0e04 |
bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
|
|
|
cb0e04 |
int schannel = lpcfg_server_schannel(lp_ctx);
|
|
|
cb0e04 |
bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
|
|
|
cb0e04 |
static bool warned_global_nt4_once = false;
|
|
|
cb0e04 |
static bool warned_global_md5_once = false;
|
|
|
cb0e04 |
static bool warned_global_schannel_once = false;
|
|
|
cb0e04 |
+ static bool warned_global_seal_once = false;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (global_allow_nt4_crypto && !warned_global_nt4_once) {
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
@@ -102,6 +104,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
|
|
|
cb0e04 |
warned_global_schannel_once = true;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ if (!global_require_seal && !warned_global_seal_once) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We want admins to notice their misconfiguration!
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ D_ERR("CVE-2022-38023 (and others): "
|
|
|
cb0e04 |
+ "Please configure 'server schannel require seal = yes' (the default), "
|
|
|
cb0e04 |
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
|
cb0e04 |
+ warned_global_seal_once = true;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
return dcesrv_interface_bind_reject_connect(context, iface);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -886,6 +898,10 @@ struct dcesrv_netr_check_schannel_state {
|
|
|
cb0e04 |
bool schannel_required;
|
|
|
cb0e04 |
bool schannel_explicitly_set;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ bool seal_global_required;
|
|
|
cb0e04 |
+ bool seal_required;
|
|
|
cb0e04 |
+ bool seal_explicitly_set;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
NTSTATUS result;
|
|
|
cb0e04 |
};
|
|
|
cb0e04 |
|
|
|
cb0e04 |
@@ -900,6 +916,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d
|
|
|
cb0e04 |
bool schannel_global_required = (schannel == true);
|
|
|
cb0e04 |
bool schannel_required = schannel_global_required;
|
|
|
cb0e04 |
const char *explicit_opt = NULL;
|
|
|
cb0e04 |
+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
|
|
|
cb0e04 |
+ bool require_seal = global_require_seal;
|
|
|
cb0e04 |
+ const char *explicit_seal_opt = NULL;
|
|
|
cb0e04 |
#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
|
|
|
cb0e04 |
struct dcesrv_netr_check_schannel_state *s = NULL;
|
|
|
cb0e04 |
NTSTATUS status;
|
|
|
cb0e04 |
@@ -937,6 +956,19 @@ new_state:
|
|
|
cb0e04 |
s->auth_level = auth_level;
|
|
|
cb0e04 |
s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * We don't use lpcfg_parm_bool(), as we
|
|
|
cb0e04 |
+ * need the explicit_opt pointer in order to
|
|
|
cb0e04 |
+ * adjust the debug messages.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
|
|
|
cb0e04 |
+ NULL,
|
|
|
cb0e04 |
+ "server schannel require seal",
|
|
|
cb0e04 |
+ creds->account_name);
|
|
|
cb0e04 |
+ if (explicit_seal_opt != NULL) {
|
|
|
cb0e04 |
+ require_seal = lp_bool(explicit_seal_opt);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
/*
|
|
|
cb0e04 |
* We don't use lpcfg_parm_bool(), as we
|
|
|
cb0e04 |
* need the explicit_opt pointer in order to
|
|
|
cb0e04 |
@@ -954,6 +986,10 @@ new_state:
|
|
|
cb0e04 |
s->schannel_required = schannel_required;
|
|
|
cb0e04 |
s->schannel_explicitly_set = explicit_opt != NULL;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ s->seal_global_required = global_require_seal;
|
|
|
cb0e04 |
+ s->seal_required = require_seal;
|
|
|
cb0e04 |
+ s->seal_explicitly_set = explicit_seal_opt != NULL;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
status = dcesrv_iface_state_store_conn(dce_call,
|
|
|
cb0e04 |
DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
|
|
|
cb0e04 |
s);
|
|
|
cb0e04 |
@@ -975,6 +1011,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
|
|
cb0e04 |
+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
|
|
|
cb0e04 |
TALLOC_CTX *frame = talloc_stackframe();
|
|
|
cb0e04 |
unsigned int dbg_lvl = DBGLVL_DEBUG;
|
|
|
cb0e04 |
const char *opname = "<unknown>";
|
|
|
cb0e04 |
@@ -1004,18 +1044,107 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
- "CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
+ "client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
+ opname, opnum, reason,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
+ nt_errstr(s->result)));
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
+ return s->result;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
|
|
|
cb0e04 |
+ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
|
|
|
cb0e04 |
+ {
|
|
|
cb0e04 |
+ s->result = NT_STATUS_OK;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set && !s->schannel_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
|
|
|
cb0e04 |
+ } else if (!s->schannel_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set && !s->seal_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
|
|
|
cb0e04 |
+ } else if (!s->seal_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
|
|
cb0e04 |
"%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
"client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
opname, opnum, reason,
|
|
|
cb0e04 |
log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
nt_errstr(s->result)));
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set && !s->schannel_required) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2020_1472_warn_level, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
+ "Option 'server require schannel:%s = no' not needed for '%s'!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set && !s->seal_required) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_warn_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: "
|
|
|
cb0e04 |
+ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
return s->result;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
|
|
cb0e04 |
+ if (s->seal_required) {
|
|
|
cb0e04 |
+ s->result = NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ dbg_lvl = DBGLVL_NOTICE;
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set && !s->schannel_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
+ "from client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
+ opname, opnum, reason,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
+ nt_errstr(s->result)));
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ D_NOTICE("CVE-2022-38023: Option "
|
|
|
cb0e04 |
+ "'server schannel require seal:%s = yes' "
|
|
|
cb0e04 |
+ "rejects access for client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ DEBUG(CVE_2020_1472_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server schannel require seal:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (s->schannel_explicitly_set && !s->schannel_required) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2020_1472_warn_level, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): Option "
|
|
|
cb0e04 |
+ "'server require schannel:%s = no' "
|
|
|
cb0e04 |
+ "not needed for '%s'!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
+ return s->result;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
s->result = NT_STATUS_OK;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
if (s->schannel_explicitly_set && !s->schannel_required) {
|
|
|
cb0e04 |
@@ -1023,6 +1152,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
} else if (!s->schannel_required) {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set && !s->seal_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
+ } else if (!s->seal_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
|
|
|
cb0e04 |
DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
"CVE-2020-1472(ZeroLogon): "
|
|
|
cb0e04 |
@@ -1039,7 +1173,77 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set && !s->seal_required) {
|
|
|
cb0e04 |
+ D_INFO("CVE-2022-38023: "
|
|
|
cb0e04 |
+ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
+ } else if (!s->seal_required) {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * admins should set
|
|
|
cb0e04 |
+ * server schannel require seal:COMPUTER$ = no
|
|
|
cb0e04 |
+ * in order to avoid the level 0 messages.
|
|
|
cb0e04 |
+ * Over time they can switch the global value
|
|
|
cb0e04 |
+ * to be strict.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: "
|
|
|
cb0e04 |
+ "Please use 'server schannel require seal:%s = no' "
|
|
|
cb0e04 |
+ "for '%s' to avoid this warning!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ TALLOC_FREE(frame);
|
|
|
cb0e04 |
+ return s->result;
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (s->seal_required) {
|
|
|
cb0e04 |
+ s->result = NT_STATUS_ACCESS_DENIED;
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (!s->schannel_explicitly_set) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
|
|
cb0e04 |
+ } else if (s->schannel_required) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
|
|
cb0e04 |
+ "%s request (opnum[%u]) %s schannel from "
|
|
|
cb0e04 |
+ "from client_account[%s] client_computer_name[%s] %s\n",
|
|
|
cb0e04 |
+ opname, opnum, reason,
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
+ nt_errstr(s->result)));
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ D_NOTICE("CVE-2022-38023: Option "
|
|
|
cb0e04 |
+ "'server schannel require seal:%s = yes' "
|
|
|
cb0e04 |
+ "rejects access for client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server schannel require seal:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (!s->schannel_explicitly_set) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2020_1472_error_level, (
|
|
|
cb0e04 |
+ "CVE-2020-1472(ZeroLogon): Check if option "
|
|
|
cb0e04 |
+ "'server require schannel:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
+ } else if (s->schannel_required) {
|
|
|
cb0e04 |
+ D_NOTICE("CVE-2022-38023: Option "
|
|
|
cb0e04 |
+ "'server require schannel:%s = yes' "
|
|
|
cb0e04 |
+ "also rejects access for client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
return s->result;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
@@ -1052,6 +1256,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
+ if (!s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
|
|
|
cb0e04 |
DEBUG(dbg_lvl, (
|
|
|
cb0e04 |
"CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
|
|
cb0e04 |
@@ -1073,12 +1280,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
"might be needed for a legacy client.\n",
|
|
|
cb0e04 |
log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
+ if (!s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Check if option "
|
|
|
cb0e04 |
+ "'server schannel require seal:%s = no' "
|
|
|
cb0e04 |
+ "might be needed for a legacy client.\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
TALLOC_FREE(frame);
|
|
|
cb0e04 |
return s->result;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
s->result = NT_STATUS_OK;
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (s->schannel_explicitly_set) {
|
|
|
cb0e04 |
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
|
|
cb0e04 |
} else {
|
|
|
cb0e04 |
@@ -1094,6 +1314,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
|
|
cb0e04 |
log_escape(frame, creds->computer_name),
|
|
|
cb0e04 |
nt_errstr(s->result)));
|
|
|
cb0e04 |
|
|
|
cb0e04 |
+ if (s->seal_explicitly_set) {
|
|
|
cb0e04 |
+ D_INFO("CVE-2022-38023: Option "
|
|
|
cb0e04 |
+ "'server schannel require seal:%s = no' "
|
|
|
cb0e04 |
+ "still needed for '%s'!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name));
|
|
|
cb0e04 |
+ } else {
|
|
|
cb0e04 |
+ /*
|
|
|
cb0e04 |
+ * admins should set
|
|
|
cb0e04 |
+ * server schannel require seal:COMPUTER$ = no
|
|
|
cb0e04 |
+ * in order to avoid the level 0 messages.
|
|
|
cb0e04 |
+ * Over time they can switch the global value
|
|
|
cb0e04 |
+ * to be strict.
|
|
|
cb0e04 |
+ */
|
|
|
cb0e04 |
+ DEBUG(CVE_2022_38023_error_level, (
|
|
|
cb0e04 |
+ "CVE-2022-38023: Please use "
|
|
|
cb0e04 |
+ "'server schannel require seal:%s = no' "
|
|
|
cb0e04 |
+ "for '%s' to avoid this warning!\n",
|
|
|
cb0e04 |
+ log_escape(frame, creds->account_name),
|
|
|
cb0e04 |
+ log_escape(frame, creds->computer_name)));
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (s->schannel_explicitly_set) {
|
|
|
cb0e04 |
D_INFO("CVE-2020-1472(ZeroLogon): Option "
|
|
|
cb0e04 |
"'server require schannel:%s = no' "
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From 8a9aed5d0dab28a20004ed6cc73f2472b11fbd41 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Wed, 30 Nov 2022 15:13:47 +0100
|
|
|
cb0e04 |
Subject: [PATCH 29/30] CVE-2022-38023 testparm: warn about server/client
|
|
|
cb0e04 |
schannel != yes
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source3/utils/testparm.c | 20 +++++++++++++++++---
|
|
|
cb0e04 |
1 file changed, 17 insertions(+), 3 deletions(-)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
|
|
|
cb0e04 |
index 27a8bc1fb8e8..b3ddd48b3f1d 100644
|
|
|
cb0e04 |
--- a/source3/utils/testparm.c
|
|
|
cb0e04 |
+++ b/source3/utils/testparm.c
|
|
|
cb0e04 |
@@ -598,11 +598,25 @@ static int do_global_checks(void)
|
|
|
cb0e04 |
ret = 1;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
- if (!lp_server_schannel()) {
|
|
|
cb0e04 |
+ if (lp_server_schannel() != true) { /* can be 'auto' */
|
|
|
cb0e04 |
fprintf(stderr,
|
|
|
cb0e04 |
- "WARNING: You have configured 'server schannel = no'. "
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'server schannel = yes' (the default). "
|
|
|
cb0e04 |
"Your server is vulernable to \"ZeroLogon\" "
|
|
|
cb0e04 |
- "(CVE-2020-1472)\n\n");
|
|
|
cb0e04 |
+ "(CVE-2020-1472)\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'server require schannel:COMPUTERACCOUNT$ = no' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (lp_client_schannel() != true) { /* can be 'auto' */
|
|
|
cb0e04 |
+ fprintf(stderr,
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'client schannel = yes' (the default). "
|
|
|
cb0e04 |
+ "Your server is vulernable to \"ZeroLogon\" "
|
|
|
cb0e04 |
+ "(CVE-2020-1472)\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'client schannel:NETBIOSDOMAIN = no' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
|
|
|
cb0e04 |
return ret;
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|
|
|
cb0e04 |
|
|
|
cb0e04 |
From a3e10bf4b8fc328167e7219337742bf12eb41111 Mon Sep 17 00:00:00 2001
|
|
|
cb0e04 |
From: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Date: Tue, 6 Dec 2022 13:36:17 +0100
|
|
|
cb0e04 |
Subject: [PATCH 30/30] CVE-2022-38023 testparm: warn about unsecure schannel
|
|
|
cb0e04 |
related options
|
|
|
cb0e04 |
|
|
|
cb0e04 |
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
cb0e04 |
|
|
|
cb0e04 |
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
|
cb0e04 |
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
cb0e04 |
(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
|
|
|
cb0e04 |
---
|
|
|
cb0e04 |
source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++
|
|
|
cb0e04 |
1 file changed, 61 insertions(+)
|
|
|
cb0e04 |
|
|
|
cb0e04 |
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
|
|
|
cb0e04 |
index b3ddd48b3f1d..02ef3de83ae5 100644
|
|
|
cb0e04 |
--- a/source3/utils/testparm.c
|
|
|
cb0e04 |
+++ b/source3/utils/testparm.c
|
|
|
cb0e04 |
@@ -608,6 +608,37 @@ static int do_global_checks(void)
|
|
|
cb0e04 |
"'server require schannel:COMPUTERACCOUNT$ = no' "
|
|
|
cb0e04 |
"options\n\n");
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
+ if (lp_allow_nt4_crypto()) {
|
|
|
cb0e04 |
+ fprintf(stderr,
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'allow nt4 crypto = no' (the default). "
|
|
|
cb0e04 |
+ "Your server is vulernable to "
|
|
|
cb0e04 |
+ "CVE-2022-38023 and others!\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (!lp_reject_md5_clients()) {
|
|
|
cb0e04 |
+ fprintf(stderr,
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'reject md5 clients = yes' (the default). "
|
|
|
cb0e04 |
+ "Your server is vulernable to "
|
|
|
cb0e04 |
+ "CVE-2022-38023!\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (!lp_server_schannel_require_seal()) {
|
|
|
cb0e04 |
+ fprintf(stderr,
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'server schannel require seal = yes' (the default). "
|
|
|
cb0e04 |
+ "Your server is vulernable to "
|
|
|
cb0e04 |
+ "CVE-2022-38023!\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'server schannel require seal:COMPUTERACCOUNT$ = no' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+
|
|
|
cb0e04 |
if (lp_client_schannel() != true) { /* can be 'auto' */
|
|
|
cb0e04 |
fprintf(stderr,
|
|
|
cb0e04 |
"WARNING: You have not configured "
|
|
|
cb0e04 |
@@ -618,6 +649,36 @@ static int do_global_checks(void)
|
|
|
cb0e04 |
"'client schannel:NETBIOSDOMAIN = no' "
|
|
|
cb0e04 |
"options\n\n");
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
+ if (!lp_reject_md5_servers()) {
|
|
|
cb0e04 |
+ fprintf(stderr,
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'reject md5 servers = yes' (the default). "
|
|
|
cb0e04 |
+ "Your server is vulernable to "
|
|
|
cb0e04 |
+ "CVE-2022-38023\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'reject md5 servers:NETBIOSDOMAIN = no' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (!lp_require_strong_key()) {
|
|
|
cb0e04 |
+ fprintf(stderr,
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'require strong key = yes' (the default). "
|
|
|
cb0e04 |
+ "Your server is vulernable to "
|
|
|
cb0e04 |
+ "CVE-2022-38023\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'require strong key:NETBIOSDOMAIN = no' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
+ if (!lp_winbind_sealed_pipes()) {
|
|
|
cb0e04 |
+ fprintf(stderr,
|
|
|
cb0e04 |
+ "WARNING: You have not configured "
|
|
|
cb0e04 |
+ "'winbind sealed pipes = yes' (the default). "
|
|
|
cb0e04 |
+ "Your server is vulernable to "
|
|
|
cb0e04 |
+ "CVE-2022-38023\n"
|
|
|
cb0e04 |
+ "If required use individual "
|
|
|
cb0e04 |
+ "'winbind sealed pipes:NETBIOSDOMAIN = no' "
|
|
|
cb0e04 |
+ "options\n\n");
|
|
|
cb0e04 |
+ }
|
|
|
cb0e04 |
|
|
|
cb0e04 |
return ret;
|
|
|
cb0e04 |
}
|
|
|
cb0e04 |
--
|
|
|
cb0e04 |
2.34.1
|
|
|
cb0e04 |
|