From f775874f1c9e388d51fe04cb9df849c66bc6e8b6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:41:10 +0100
Subject: [PATCH 1/3] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG
in nsupdate-gss
This is just an example script that's not directly used by samba,
but we should avoid sending delegated credentials to dns servers.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source4/scripting/bin/nsupdate-gss | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss
index dec5916..509220d 100755
--- a/source4/scripting/bin/nsupdate-gss
+++ b/source4/scripting/bin/nsupdate-gss
@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$)
my $flags =
GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG |
GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG |
- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG;
+ GSS_C_INTEG_FLAG;
$status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE,
--
1.9.1
From 1bee1eb5d75191e142c503cf9c5dc36df2453307 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:42:59 +0100
Subject: [PATCH 2/3] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG
We should only use GSS_C_DELEG_POLICY_FLAG in order to let
the KDC decide if we should send delegated credentials to
a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source3/librpc/crypto/gse.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c
index 963c98a..c4c4bbc 100644
--- a/source3/librpc/crypto/gse.c
+++ b/source3/librpc/crypto/gse.c
@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx,
memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc));
gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG |
- GSS_C_DELEG_FLAG |
GSS_C_DELEG_POLICY_FLAG |
GSS_C_REPLAY_FLAG |
GSS_C_SEQUENCE_FLAG;
--
1.9.1
From 2c9d1648745ddc9facaf5b9cc84ea7f1117d7710 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2016 11:44:22 +0100
Subject: [PATCH 3/3] CVE-2016-2125: s4:gensec_gssapi: don't use
GSS_C_DELEG_FLAG by default
This disabled the usage of GSS_C_DELEG_FLAG by default, as
GSS_C_DELEG_POLICY_FLAG is still used by default we let the
KDC decide if we should send delegated credentials to a remote server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Alexander Bokovoy <ab@samba.org>
Reviewed-by: Simo Sorce <idra@samba.org>
---
source4/auth/gensec/gensec_gssapi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c
index e0b2bf2..e2994f6 100644
--- a/source4/auth/gensec/gensec_gssapi.c
+++ b/source4/auth/gensec/gensec_gssapi.c
@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security)
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG;
}
- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) {
+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) {
gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG;
}
if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) {
--
1.9.1