diff --git a/SOURCES/samba-4.10-redhat.patch b/SOURCES/samba-4.10-redhat.patch index 9ca06c2..2923d4a 100644 --- a/SOURCES/samba-4.10-redhat.patch +++ b/SOURCES/samba-4.10-redhat.patch @@ -1,7 +1,7 @@ From 9aa816f5017bd38cbb9af2af5a7c385647e4f76d Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Tue, 7 Jan 2020 19:25:53 +0200 -Subject: [PATCH 001/101] s3-rpcserver: fix security level check for +Subject: [PATCH 001/142] s3-rpcserver: fix security level check for DsRGetForestTrustInformation MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -80,13 +80,13 @@ index d799ba4feef..87613b99fde 100644 } -- -2.37.2 +2.39.0 From e71fddb9ad5275a222d96bdcee06571a9a8c73c8 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 16:50:45 +0200 -Subject: [PATCH 002/101] Add a test to check dNSHostName with netbios aliases +Subject: [PATCH 002/142] Add a test to check dNSHostName with netbios aliases BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -132,13 +132,13 @@ index 95c0cf76f90..6073ea972f9 100755 # Test createcomputer option of 'net ads join' # -- -2.37.2 +2.39.0 From e80e373485818eb7faebf5c9aae10d82fbc4e2e2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:52:46 +0200 -Subject: [PATCH 003/101] Fix accidental overwrite of dnsHostName by the last +Subject: [PATCH 003/142] Fix accidental overwrite of dnsHostName by the last netbios alias BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -186,13 +186,13 @@ index 9d4f656ffec..a31011b0ff8 100644 status = ADS_ERROR_LDAP(LDAP_NO_MEMORY); goto done; -- -2.37.2 +2.39.0 From 7ca5f9b2956ec41777837a7e14800a4345505ed6 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 24 Oct 2019 19:04:51 +0300 -Subject: [PATCH 004/101] Refactor ads_keytab_add_entry() to make it iterable +Subject: [PATCH 004/142] Refactor ads_keytab_add_entry() to make it iterable so we can more easily add msDS-AdditionalDnsHostName entries. @@ -453,13 +453,13 @@ index 97d5535041c..0f450a09df5 100644 out: SAFE_FREE(salt_princ_s); -- -2.37.2 +2.39.0 From 087d6dd4c4f25860643ab5920a1b2c0c70e5551b Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 17:55:12 +0200 -Subject: [PATCH 005/101] Add a test for msDS-AdditionalDnsHostName entries in +Subject: [PATCH 005/142] Add a test for msDS-AdditionalDnsHostName entries in keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -501,13 +501,13 @@ index 6073ea972f9..a40b477a173 100755 testit "leave" $VALGRIND $net_tool ads leave -U$DC_USERNAME%$DC_PASSWORD || failed=`expr $failed + 1` -- -2.37.2 +2.39.0 From 1ae32dddad89cdb75ae2c8fb3e7378ce6f5ad6af Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:36:28 +0200 -Subject: [PATCH 006/101] Add msDS-AdditionalDnsHostName entries to the keytab +Subject: [PATCH 006/142] Add msDS-AdditionalDnsHostName entries to the keytab BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -648,13 +648,13 @@ index db2b72ab1b5..02a628ee0e6 100644 { LDAPMessage *res = NULL; -- -2.37.2 +2.39.0 From 939b9265a533393189ef3c513e77b2cb009a51d5 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Wed, 27 May 2020 15:54:12 +0200 -Subject: [PATCH 007/101] Add net-ads-join dnshostname=fqdn option +Subject: [PATCH 007/142] Add net-ads-join dnshostname=fqdn option BUG: https://bugzilla.samba.org/show_bug.cgi?id=14396 @@ -794,13 +794,13 @@ index a40b477a173..85257f445d8 100755 exit $failed -- -2.37.2 +2.39.0 From 25a6679a5260dafde7a7d2aed9bfe43eaf083b1c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:04:57 +0200 -Subject: [PATCH 008/101] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 008/142] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge() It's good to have just a single isolated function that will generate @@ -851,13 +851,13 @@ index 82febe74440..82797d453ed 100644 void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); -- -2.37.2 +2.39.0 From 1e8ad7efe35d8b79fef387ff709d6a499565c39a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:07:30 +0200 -Subject: [PATCH 009/101] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of +Subject: [PATCH 009/142] CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge() This will avoid getting flakey tests once our server starts to @@ -1007,13 +1007,13 @@ index 026d86d50e4..e11014922f8 100644 torture_assert_ntstatus_ok(tctx, dcerpc_netr_ServerReqChallenge_r(b, tctx, &r), "ServerReqChallenge"); -- -2.37.2 +2.39.0 From 74ee204ad4647d0d7a2097124652cbcd43406c7d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:08:38 +0200 -Subject: [PATCH 010/101] CVE-2020-1472(ZeroLogon): libcli/auth: make use of +Subject: [PATCH 010/142] CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c This will avoid getting rejected by the server if we generate @@ -1041,13 +1041,13 @@ index 817d2cd041a..0f6ca11ff96 100644 subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, state->binding_handle, -- -2.37.2 +2.39.0 From 10196846d019d0e2ccef51f32ddd39fc17ca60aa Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 011/101] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: +Subject: [PATCH 011/142] CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1074,13 +1074,13 @@ index 87613b99fde..86b2f343e82 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.37.2 +2.39.0 From 215aca6d11b900ee3cf11568d27bce77e0567653 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:10:53 +0200 -Subject: [PATCH 012/101] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: +Subject: [PATCH 012/142] CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge() This is not strictly needed, but makes things more clear. @@ -1107,13 +1107,13 @@ index 023adfd99e9..de260d8051d 100644 *r->out.return_credentials = pipe_state->server_challenge; -- -2.37.2 +2.39.0 From 4551bf623426e8c543b287807d447feb69bb0f09 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:15:26 +0200 -Subject: [PATCH 013/101] CVE-2020-1472(ZeroLogon): libcli/auth: add +Subject: [PATCH 013/142] CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values This is the check Windows is using, so we won't generate challenges, @@ -1177,13 +1177,13 @@ index 82797d453ed..ad768682b9f 100644 void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); -- -2.37.2 +2.39.0 From f7e09421ace8fe60c0110770d909800d21ae6c8e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 16:17:29 +0200 -Subject: [PATCH 014/101] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak +Subject: [PATCH 014/142] CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init() This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation: @@ -1262,13 +1262,13 @@ index d319d9b879e..394505d166d 100644 ) -- -2.37.2 +2.39.0 From 6bc86fb69bf50c89a334fd2dcbce6999a2360fb7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 19:20:25 +0200 -Subject: [PATCH 015/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 015/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1357,13 +1357,13 @@ index de260d8051d..acbf077c6c7 100644 ret = gendb_search(sam_ctx, mem_ctx, NULL, &res, attrs, -- -2.37.2 +2.39.0 From 1f8dec1cbb37f3406d999425590f8a923586ccac Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Wed, 16 Sep 2020 12:53:50 -0700 -Subject: [PATCH 016/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 016/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -1502,13 +1502,13 @@ index 86b2f343e82..fd9127b386f 100644 p->session_info, p->msg_ctx, -- -2.37.2 +2.39.0 From 2ad269be74481789ded62a3dcb538709c6d6e291 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:18:45 +0200 -Subject: [PATCH 017/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 017/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() We should debug more details about the failing request. @@ -1585,13 +1585,13 @@ index acbf077c6c7..b4326a4ecaa 100644 /* -- -2.37.2 +2.39.0 From 57941290adb9a2fd4be9aa4a70f879a684b38dfd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 16 Sep 2020 10:56:53 +0200 -Subject: [PATCH 018/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: +Subject: [PATCH 018/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" This allows to add expections for individual workstations, when using "server schannel = yes". @@ -1632,13 +1632,13 @@ index b4326a4ecaa..e7bafb31e83 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.37.2 +2.39.0 From 779b37e825fe406892ff77be18c098d314cd387d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 13:37:26 +0200 -Subject: [PATCH 019/101] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log +Subject: [PATCH 019/142] CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1759,13 +1759,13 @@ index e7bafb31e83..7668a9eb923 100644 return NT_STATUS_OK; } -- -2.37.2 +2.39.0 From 60b83fbda31c53c592a02f0ed43356a912021021 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:57:22 +0200 -Subject: [PATCH 020/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 020/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1860,13 +1860,13 @@ index fd9127b386f..8541571b459 100644 -- -2.37.2 +2.39.0 From c0a188b2696edb8f3ae9f7f56a820b11358bad98 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:23:16 +0200 -Subject: [PATCH 021/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: +Subject: [PATCH 021/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no" MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -1911,13 +1911,13 @@ index 8541571b459..f9b10103bd5 100644 *creds_out = creds; return NT_STATUS_OK; -- -2.37.2 +2.39.0 From c9550b81b55316cf5d667502885fc248a5999fb5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?G=C3=BCnther=20Deschner?= Date: Thu, 17 Sep 2020 14:42:52 +0200 -Subject: [PATCH 022/101] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log +Subject: [PATCH 022/142] CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -2039,13 +2039,13 @@ index f9b10103bd5..7f6704adbda 100644 return NT_STATUS_OK; } -- -2.37.2 +2.39.0 From 63f03e2e29e81f890a5d88c726cced6d3e7bbf5d Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 17 Sep 2020 17:27:54 +0200 -Subject: [PATCH 023/101] CVE-2020-1472(ZeroLogon): docs-xml: document 'server +Subject: [PATCH 023/142] CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497 @@ -2141,13 +2141,13 @@ index 489492d79b1..b682d086f76 100644 + -- -2.37.2 +2.39.0 From 8a40da45b7f4e7a9110daf010383c4fce30bd9b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 12:39:54 +1200 -Subject: [PATCH 024/101] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty +Subject: [PATCH 024/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd Ensure that an empty machine account password can't be set by @@ -2240,13 +2240,13 @@ index e11014922f8..0ba45f0c1da 100644 /* now try a random password */ password = generate_random_password(tctx, 8, 255); -- -2.37.2 +2.39.0 From 341a448cb69557410fa79dbb8a3d4adbab79d5b6 Mon Sep 17 00:00:00 2001 From: Gary Lockyer Date: Fri, 18 Sep 2020 15:57:34 +1200 -Subject: [PATCH 025/101] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated +Subject: [PATCH 025/142] CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge Ensure that client challenges with the first 5 bytes identical are @@ -2615,13 +2615,13 @@ index 0ba45f0c1da..97c16688bc9 100644 } -- -2.37.2 +2.39.0 From 268303632f79d7395b452172c06b25ad68fe35fb Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Fri, 10 Jul 2020 15:09:33 -0700 -Subject: [PATCH 026/101] s4: torture: Add smb2.notify.handle-permissions test. +Subject: [PATCH 026/142] s4: torture: Add smb2.notify.handle-permissions test. Add knownfail entry. @@ -2744,13 +2744,13 @@ index ebb4f8a4f8e..b017491c8fb 100644 suite->description = talloc_strdup(suite, "SMB2-NOTIFY tests"); -- -2.37.2 +2.39.0 From 448d4e99f8883a07589264cfca474c3dff8b5942 Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Tue, 7 Jul 2020 18:25:23 -0700 -Subject: [PATCH 027/101] s3: smbd: Ensure change notifies can't get set unless +Subject: [PATCH 027/142] s3: smbd: Ensure change notifies can't get set unless the directory handle is open for SEC_DIR_LIST. Remove knownfail entry. @@ -2795,13 +2795,13 @@ index 44c0b09432e..d23c03bce41 100644 DEBUG(1, ("change_notify_create: fsp->notify != NULL, " "fname = %s\n", fsp->fsp_name->base_name)); -- -2.37.2 +2.39.0 From 041c86926999594f13b884522b1d9fcc65f92a52 Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:49:25 +0200 -Subject: [PATCH 028/101] CVE-2020-14323 winbind: Fix invalid lookupsids DoS +Subject: [PATCH 028/142] CVE-2020-14323 winbind: Fix invalid lookupsids DoS A lookupsids request without extra_data will lead to "state->domain==NULL", which makes winbindd_lookupsids_recv trying to dereference it. @@ -2829,13 +2829,13 @@ index d28b5fa9f01..a289fd86f0f 100644 } if (request->extra_data.data[request->extra_len-1] != '\0') { -- -2.37.2 +2.39.0 From e6e77a3a503f9223ecbc2d32a1d24e20f834659f Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Thu, 9 Jul 2020 21:48:57 +0200 -Subject: [PATCH 029/101] CVE-2020-14323 torture4: Add a simple test for +Subject: [PATCH 029/142] CVE-2020-14323 torture4: Add a simple test for invalid lookup_sids winbind call We can't add this test before the fix, add it to knownfail and have the fix @@ -2897,13 +2897,13 @@ index 9745b621ca9..71f248c0d61 100644 suite->description = talloc_strdup(suite, "WINBIND - struct based protocol tests"); -- -2.37.2 +2.39.0 From 2b4763940d1826a2b4e5eaa1e2df338004cd9af0 Mon Sep 17 00:00:00 2001 From: Laurent Menase Date: Wed, 20 May 2020 12:31:53 +0200 -Subject: [PATCH 030/101] winbind: Fix a memleak +Subject: [PATCH 030/142] winbind: Fix a memleak Bug: https://bugzilla.samba.org/show_bug.cgi?id=14388 Signed-off-by: Laurent Menase @@ -2931,13 +2931,13 @@ index 556b4523866..325ba1abd82 100644 } -- -2.37.2 +2.39.0 From accc423a4eb9170ab0dbe4b2ba90ce83790e7a16 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 13:39:58 +0200 -Subject: [PATCH 031/101] s3:tests: Add test for 'valid users = DOMAIN\%U' +Subject: [PATCH 031/142] s3:tests: Add test for 'valid users = DOMAIN\%U' BUG: https://bugzilla.samba.org/show_bug.cgi?id=14467 @@ -2989,13 +2989,13 @@ index 1a46f11c85d..c813a8f9def 100755 + exit $failed -- -2.37.2 +2.39.0 From 1c594e3734e3ffd2dfc615897ac95792878f2df4 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Mon, 17 Aug 2020 14:12:48 +0200 -Subject: [PATCH 032/101] s3:smbd: Fix %U substitutions if it contains a domain +Subject: [PATCH 032/142] s3:smbd: Fix %U substitutions if it contains a domain name 'valid users = DOMAIN\%U' worked with Samba 3.6 and broke in a newer @@ -3050,13 +3050,13 @@ index 3cbf7f318a2..0705e197975 100644 if (sharename != NULL) { name = talloc_string_sub(mem_ctx, name, "%S", sharename); -- -2.37.2 +2.39.0 From d93ddae23e1b378f771134e93d1b15e61e2278af Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Thu, 9 Jul 2020 11:48:26 +0200 -Subject: [PATCH 033/101] docs: Fix documentation for require_membership_of of +Subject: [PATCH 033/142] docs: Fix documentation for require_membership_of of pam_winbind BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 @@ -3088,13 +3088,13 @@ index a9a227f1647..a61fb2d58e5 100644 -- -2.37.2 +2.39.0 From c9aea952eb3f8d83701abd6db4d48c8d93a8517a Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Fri, 17 Jul 2020 12:14:16 +0200 -Subject: [PATCH 034/101] docs: Fix documentation for require_membership_of of +Subject: [PATCH 034/142] docs: Fix documentation for require_membership_of of pam_winbind.conf BUG: https://bugzilla.samba.org/show_bug.cgi?id=14358 @@ -3127,13 +3127,13 @@ index fcac1ee7036..d81a0bd6eba 100644 This option only operates during password authentication, and will not restrict access if a password is not required for any reason (such as SSH key-based login). -- -2.37.2 +2.39.0 From b04be6ffd3a1c9eda1f1dc78d60ad7b3a9b7471d Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 21:05:07 +0300 -Subject: [PATCH 035/101] Fix a typo in recent net man page changes +Subject: [PATCH 035/142] Fix a typo in recent net man page changes BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 @@ -3158,13 +3158,13 @@ index 69e18df8b6c..9b1d4458acc 100644 -- -2.37.2 +2.39.0 From a5a7dac759c2570861732c68efefb62371a29565 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 16 Jun 2020 22:01:49 +0300 -Subject: [PATCH 036/101] selftest: add tests for binary +Subject: [PATCH 036/142] selftest: add tests for binary msDS-AdditionalDnsHostName Like the short names added implicitly by Windows DC. @@ -3236,13 +3236,13 @@ index 85257f445d8..eef4a31a6a7 100755 rm -f $dedicated_keytab_file -- -2.37.2 +2.39.0 From 2769976aaa13474d2b5ee7b58ee17d5824dfa5a2 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Thu, 11 Jun 2020 16:51:27 +0300 -Subject: [PATCH 037/101] Properly handle msDS-AdditionalDnsHostName returned +Subject: [PATCH 037/142] Properly handle msDS-AdditionalDnsHostName returned from Windows DC Windows DC adds short names for each specified msDS-AdditionalDnsHostName @@ -3330,13 +3330,13 @@ index 02a628ee0e6..2684bba63ec 100644 DEBUG(1, ("Host account for %s does not have msDS-AdditionalDnsHostName.\n", machine_name)); -- -2.37.2 +2.39.0 From 9727953d482a3849d4ac1f40486bc567f6b77067 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Sat, 20 Jun 2020 17:17:33 +0200 -Subject: [PATCH 038/101] Fix usage of ldap_get_values_len for +Subject: [PATCH 038/142] Fix usage of ldap_get_values_len for msDS-AdditionalDnsHostName BUG: https://bugzilla.samba.org/show_bug.cgi?id=14406 @@ -3372,13 +3372,13 @@ index 2684bba63ec..d1ce9cee2f0 100644 return NULL; } -- -2.37.2 +2.39.0 From ec4cfe786d8c3cb67bb0e9224ae1822902c672d3 Mon Sep 17 00:00:00 2001 From: Isaac Boukris Date: Tue, 15 Dec 2020 15:17:04 +0100 -Subject: [PATCH 039/101] HACK:s3:winbind: Rely on the domain child for online +Subject: [PATCH 039/142] HACK:s3:winbind: Rely on the domain child for online check --- @@ -3435,13 +3435,13 @@ index 6e3277e5529..35b76a367aa 100644 /* Handle online/offline messages. */ -- -2.37.2 +2.39.0 From 958bed1a1e5c9f334a1859bef14f4fe1657c3e49 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 9 Sep 2020 16:00:52 +0200 -Subject: [PATCH 040/101] s3:smbd: Use fsp al the talloc memory context +Subject: [PATCH 040/142] s3:smbd: Use fsp al the talloc memory context Somehow the lck pointer gets freed before we call TALLOC_FREE(). @@ -3466,13 +3466,13 @@ index de557f53a20..9a24e331ab1 100644 &mtimespec); -- -2.37.2 +2.39.0 From 2591ae5d6a1dbd71391801b7bdf20bd37c8e8375 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 12:58:31 +0100 -Subject: [PATCH 041/101] Revert "s3:smbd: Use fsp al the talloc memory +Subject: [PATCH 041/142] Revert "s3:smbd: Use fsp al the talloc memory context" This reverts commit 958bed1a1e5c9f334a1859bef14f4fe1657c3e49. @@ -3494,13 +3494,13 @@ index 9a24e331ab1..de557f53a20 100644 &mtimespec); -- -2.37.2 +2.39.0 From 2438619ec7ef18816f6b92c87a094851223d2bb1 Mon Sep 17 00:00:00 2001 From: Khem Raj Date: Wed, 22 Jul 2020 22:42:09 -0700 -Subject: [PATCH 042/101] nsswitch/nsstest.c: Avoid nss function conflicts with +Subject: [PATCH 042/142] nsswitch/nsstest.c: Avoid nss function conflicts with glibc nss.h glibc 2.32 will define these varibles [1] which results in conflicts @@ -3597,13 +3597,13 @@ index 6d92806cffc..46f96795f39 100644 static void nss_test_errors(void) -- -2.37.2 +2.39.0 From d5410b038bb3b1d31783c0d825dc933497f6eeaa Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 10:30:08 +0100 -Subject: [PATCH 043/101] lib:util: Add basic memcache unit test +Subject: [PATCH 043/142] lib:util: Add basic memcache unit test BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3773,13 +3773,13 @@ index e7639c4da27..e3f7d9acb4a 100644 [os.path.join(bindir(), "default/libcli/auth/test_ntlm_check")]) plantestsuite("samba.unittests.test_registry_regfio", "none", -- -2.37.2 +2.39.0 From 7f6661b3c60319073d7fd58906b9a3728f421fed Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 3 Feb 2021 10:37:12 +0100 -Subject: [PATCH 044/101] lib:util: Add cache oversize test for memcache +Subject: [PATCH 044/142] lib:util: Add cache oversize test for memcache BUG: https://bugzilla.samba.org/show_bug.cgi?id=14625 @@ -3857,13 +3857,13 @@ index 00000000000..0a74ace3003 @@ -0,0 +1 @@ +^samba.unittests.memcache.torture_memcache_add_oversize -- -2.37.2 +2.39.0 From 53c7f00510556aea15b640254934e514c1d88c25 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 2 Feb 2021 18:10:38 +0100 -Subject: [PATCH 045/101] lib:util: Avoid free'ing our own pointer +Subject: [PATCH 045/142] lib:util: Avoid free'ing our own pointer MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit @@ -3933,13 +3933,13 @@ index 0a74ace3003..00000000000 @@ -1 +0,0 @@ -^samba.unittests.memcache.torture_memcache_add_oversize -- -2.37.2 +2.39.0 From 138662453fb421609b4fa30487a53a50c085895f Mon Sep 17 00:00:00 2001 From: Jeremy Allison Date: Thu, 5 Nov 2020 15:48:08 -0800 -Subject: [PATCH 046/101] s3: spoolss: Make parameters in call to +Subject: [PATCH 046/142] s3: spoolss: Make parameters in call to user_ok_token() match all other uses. We already have p->session_info->unix_info->unix_name, we don't @@ -3973,13 +3973,13 @@ index f32b465afb6..c0f1803c2fa 100644 !W_ERROR_IS_OK(print_access_check(p->session_info, p->msg_ctx, -- -2.37.2 +2.39.0 From 9550eb620ff23fb9f9414c9de596789aae64aef1 Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Wed, 11 Nov 2020 13:42:06 +0100 -Subject: [PATCH 047/101] s3:smbd: Fix possible null pointer dereference in +Subject: [PATCH 047/142] s3:smbd: Fix possible null pointer dereference in token_contains_name() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14572 @@ -4009,13 +4009,13 @@ index 0705e197975..64276c79fbe 100644 /* Check if username starts with domain name */ if (domain_len > 0) { -- -2.37.2 +2.39.0 From 49a19805c6837df04dce449841d011fc67e0a7df Mon Sep 17 00:00:00 2001 From: Volker Lendecke Date: Sat, 20 Feb 2021 15:50:12 +0100 -Subject: [PATCH 048/101] passdb: Simplify sids_to_unixids() +Subject: [PATCH 048/142] passdb: Simplify sids_to_unixids() Best reviewed with "git show -b", there's a "continue" statement that changes subsequent indentation. @@ -4239,13 +4239,13 @@ index 1bb15ccb8b4..186ba17fda6 100644 } break; -- -2.37.2 +2.39.0 From 8b39b14dcaf104a2f3172917ef926a3fec5db891 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Nov 2016 09:12:59 +0100 -Subject: [PATCH 049/101] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to +Subject: [PATCH 049/142] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] data on the wire if the user asked for kerberos @@ -4301,13 +4301,13 @@ index 6ee4929e8d7..a0a1f4baa56 100644 } else { struct tevent_req *subreq = NULL; -- -2.37.2 +2.39.0 From 41cc796909aeade44c4f1e88923936ba4444278e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 27 Oct 2016 10:40:28 +0200 -Subject: [PATCH 050/101] CVE-2016-2124: s3:libsmb: don't fallback to non +Subject: [PATCH 050/142] CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] nor plaintext data on the wire if the user @@ -4339,13 +4339,13 @@ index 9bba2665663..9a69d4b7217 100644 /* * SessionSetupAndX was introduced by LANMAN 1.0. So we skip -- -2.37.2 +2.39.0 From 3c1688714ea93cdb7c3088b8a5e5da3025e43b42 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 18 Jan 2020 08:06:45 +0100 -Subject: [PATCH 051/101] s3/auth: use set_current_user_info() in +Subject: [PATCH 051/142] s3/auth: use set_current_user_info() in auth3_generate_session_info_pac() This delays reloading config slightly, but I don't see how could affect @@ -4395,13 +4395,13 @@ index 167d4e00367..0e9c423efef 100644 ntuser, ntdomain, rhost)); -- -2.37.2 +2.39.0 From cf43f0a90b3025077479d37ad905fe730695e739 Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Thu, 4 Nov 2021 11:51:08 +0100 -Subject: [PATCH 052/101] selftest: Fix ktest usermap file +Subject: [PATCH 052/142] selftest: Fix ktest usermap file The user was not mapped: @@ -4430,13 +4430,13 @@ index 9e4da0e6a08..2eb5003112e 100755 close(USERMAP); -- -2.37.2 +2.39.0 From 703f43ea7817fa0ab423134a4c40bf9c37f90274 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 16:42:00 +0200 -Subject: [PATCH 053/101] selftest/Samba3: replace (winbindd => "yes", +Subject: [PATCH 053/142] selftest/Samba3: replace (winbindd => "yes", skip_wait => 1) with (winbindd => "offline") This is much more flexible and concentrates the logic in a single place. @@ -4490,13 +4490,13 @@ index 2eb5003112e..bbbefea44b7 100755 do { if ($ret != 0) { -- -2.37.2 +2.39.0 From eadbcf608a98c8ff90b2d5d91b61fc8100d2cc71 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 22 Oct 2021 16:20:36 +0200 -Subject: [PATCH 054/101] CVE-2020-25719 CVE-2020-25717: selftest: remove +Subject: [PATCH 054/142] CVE-2020-25719 CVE-2020-25717: selftest: remove "gensec:require_pac" settings BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -4535,13 +4535,13 @@ index a7a6c4c9587..0f644661176 100755 log level = $ctx->{server_loglevel} lanman auth = Yes -- -2.37.2 +2.39.0 From 628493ea5f0cda3851ab13a41b8018daa228132b Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 055/101] CVE-2020-25717: s3:winbindd: make sure we default to +Subject: [PATCH 055/142] CVE-2020-25717: s3:winbindd: make sure we default to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback @@ -4709,13 +4709,13 @@ index 3245c70bb8e..315eb366a52 100644 fstrcpy(resp->data.auth.nt_status_string, nt_errstr(result)); -- -2.37.2 +2.39.0 From fc3b3940208c2f03ea3aeb4b6f7e609fa9f90648 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 17:29:34 +0200 -Subject: [PATCH 056/101] CVE-2020-25717: s4:auth/ntlm: make sure +Subject: [PATCH 056/142] CVE-2020-25717: s4:auth/ntlm: make sure auth_check_password() defaults to r->out.authoritative = true We need to make sure that temporary failures don't trigger a fallback @@ -4745,13 +4745,13 @@ index 3a3fa7eaa59..f754bd5cd44 100644 ev, auth_ctx, -- -2.37.2 +2.39.0 From ecd3a8af56dcd1aad43999a253175aa04b298eef Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 057/101] CVE-2020-25717: s4:torture: start with authoritative +Subject: [PATCH 057/142] CVE-2020-25717: s4:torture: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4801,13 +4801,13 @@ index c237c82bbe7..72d0bf28fdd 100644 DATA_BLOB names_blob, chal, lm_resp, nt_resp; int i; -- -2.37.2 +2.39.0 From 3feb493c3dd5383712a41729ed6f770695acb8b7 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 058/101] CVE-2020-25717: s4:smb_server: start with +Subject: [PATCH 058/142] CVE-2020-25717: s4:smb_server: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4843,13 +4843,13 @@ index 13f13934412..5e817eecd4b 100644 NTSTATUS status; -- -2.37.2 +2.39.0 From e1a1787d1d3b64adc743eab4f626068b438d0e5c Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 059/101] CVE-2020-25717: s4:auth_simple: start with +Subject: [PATCH 059/142] CVE-2020-25717: s4:auth_simple: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4876,13 +4876,13 @@ index fcd9050979d..da8f094a838 100644 NTSTATUS nt_status; -- -2.37.2 +2.39.0 From e09409714301455ba7bbed1d80a9c90c05257aaf Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 060/101] CVE-2020-25717: s3:ntlm_auth: start with +Subject: [PATCH 060/142] CVE-2020-25717: s3:ntlm_auth: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -4968,13 +4968,13 @@ index 41591a8de33..fc0fc19bacb 100644 uchar lm_key[16]; static const uchar zeros[8] = { 0, }; -- -2.37.2 +2.39.0 From 26570ee2e981cc5d44eeeed020a051a4771470fe Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 061/101] CVE-2020-25717: s3:torture: start with authoritative +Subject: [PATCH 061/142] CVE-2020-25717: s3:torture: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -5005,13 +5005,13 @@ index 64bc45e6a7c..48190e78bf8 100644 SMBOWFencrypt(pdb_get_nt_passwd(pdb_entry), challenge_8, local_nt_response); -- -2.37.2 +2.39.0 From 36af26aac042ce48ae912d0ab7ce398280d81c93 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 062/101] CVE-2020-25717: s3:rpcclient: start with +Subject: [PATCH 062/142] CVE-2020-25717: s3:rpcclient: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -5038,13 +5038,13 @@ index 631740562c6..30fa1ed7816 100644 uint16_t validation_level; union netr_Validation *validation = NULL; -- -2.37.2 +2.39.0 From 8eec50d65a10baa4e282c4a833c3cb202cd33255 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 063/101] CVE-2020-25717: s3:auth: start with authoritative = 1 +Subject: [PATCH 063/142] CVE-2020-25717: s3:auth: start with authoritative = 1 This is not strictly needed, but makes it easier to audit that we don't miss important places. @@ -5088,13 +5088,13 @@ index a71c75631d7..bf7ccb4348c 100644 nt_status = make_auth4_context_s4(auth_context, mem_ctx, &auth4_context); if (!NT_STATUS_IS_OK(nt_status)) { -- -2.37.2 +2.39.0 From 46bc67c24c83940ef56cfa5dbbdb8544c290f200 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 26 Oct 2021 17:42:41 +0200 -Subject: [PATCH 064/101] CVE-2020-25717: auth/ntlmssp: start with +Subject: [PATCH 064/142] CVE-2020-25717: auth/ntlmssp: start with authoritative = 1 This is not strictly needed, but makes it easier to audit @@ -5121,13 +5121,13 @@ index 140e89daeb1..eebada670be 100644 status = auth_context->check_ntlm_password_recv(subreq, -- -2.37.2 +2.39.0 From 986642f066c3fdf187a8799898196a23cb9d532c Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Tue, 28 Sep 2021 10:43:40 +0200 -Subject: [PATCH 065/101] CVE-2020-25717: loadparm: Add new parameter "min +Subject: [PATCH 065/142] CVE-2020-25717: loadparm: Add new parameter "min domain uid" BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -5220,13 +5220,13 @@ index 0db44e92d19..57d1d909099 100644 apply_lp_set_cmdline(); } -- -2.37.2 +2.39.0 From 16fa6601a3517c723e90dfb8b1a086df2616e668 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 19:57:18 +0200 -Subject: [PATCH 066/101] CVE-2020-25717: s3:auth: let +Subject: [PATCH 066/142] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() forward the low level errors Mapping everything to ACCESS_DENIED makes it hard to debug problems, @@ -5254,13 +5254,13 @@ index 4ef2270cb34..26a38f92b30 100644 } -- -2.37.2 +2.39.0 From 10a4bdbe4a16fec1bd9b212736a9d26500e0981e Mon Sep 17 00:00:00 2001 From: Samuel Cabrero Date: Tue, 28 Sep 2021 10:45:11 +0200 -Subject: [PATCH 067/101] CVE-2020-25717: s3:auth: Check minimum domain uid +Subject: [PATCH 067/142] CVE-2020-25717: s3:auth: Check minimum domain uid BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 BUG: https://bugzilla.samba.org/show_bug.cgi?id=14556 @@ -5301,13 +5301,13 @@ index 8ff20c33759..8801d3f0f0b 100644 result = make_server_info(tmp_ctx); -- -2.37.2 +2.39.0 From 58bea3837cfbeba5cd5c56060a42117fffedbda4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 17:40:30 +0200 -Subject: [PATCH 068/101] CVE-2020-25717: s3:auth: we should not try to +Subject: [PATCH 068/142] CVE-2020-25717: s3:auth: we should not try to autocreate the guest account We should avoid autocreation of users as much as possible. @@ -5334,13 +5334,13 @@ index 8998f9c8f8a..074e8c7eb71 100644 /* extra sanity check that the guest account is valid */ -- -2.37.2 +2.39.0 From e78afbcff415d78cb29b65204fefeb0355d6651e Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 18:08:20 +0200 -Subject: [PATCH 069/101] CVE-2020-25717: s3:auth: no longer let +Subject: [PATCH 069/142] CVE-2020-25717: s3:auth: no longer let check_account() autocreate local users So far we autocreated local user accounts based on just the @@ -5373,13 +5373,13 @@ index 8801d3f0f0b..6ee500493e6 100644 DEBUG(3, ("Failed to find authenticated user %s via " "getpwnam(), denying access.\n", dom_user)); -- -2.37.2 +2.39.0 From a3ffab81c235aae479262cca73cf4361f76f7f9d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 8 Oct 2021 12:33:16 +0200 -Subject: [PATCH 070/101] CVE-2020-25717: s3:auth: remove fallbacks in +Subject: [PATCH 070/142] CVE-2020-25717: s3:auth: remove fallbacks in smb_getpwnam() So far we tried getpwnam("DOMAIN\account") first and @@ -5517,13 +5517,13 @@ index 6ee500493e6..161e05c2106 100644 /* Create local user if requested but only if winbindd -- -2.37.2 +2.39.0 From 9a1bb168388205f5a2bfa459a5da63c5046eaa7a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 18:03:55 +0200 -Subject: [PATCH 071/101] CVE-2020-25717: s3:auth: don't let create_local_token +Subject: [PATCH 071/142] CVE-2020-25717: s3:auth: don't let create_local_token depend on !winbind_ping() We always require a running winbindd on a domain member, so @@ -5562,13 +5562,13 @@ index 161e05c2106..c0e5cfd7fa8 100644 status = create_token_from_username(session_info, server_info->unix_name, -- -2.37.2 +2.39.0 From bbe5c6693ba6954dab5bfef9f8c3778164cd879e Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Wed, 11 Nov 2020 18:50:45 +0200 -Subject: [PATCH 072/101] CVE-2020-25717: Add FreeIPA domain controller role +Subject: [PATCH 072/142] CVE-2020-25717: Add FreeIPA domain controller role As we want to reduce use of 'classic domain controller' role but FreeIPA relies on it internally, add a separate role to mark FreeIPA domain @@ -5975,13 +5975,13 @@ index 51fed4da62b..1f09b721408 100644 return NT_STATUS_INTERNAL_ERROR; case ROLE_DOMAIN_MEMBER: -- -2.37.2 +2.39.0 From 3a8b4d3b410508dfb0538376046a5b38c53f9568 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 18:11:57 +0200 -Subject: [PATCH 073/101] CVE-2020-25717: auth/gensec: always require a PAC in +Subject: [PATCH 073/142] CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or member) AD domains always provide a PAC unless UF_NO_AUTH_DATA_REQUIRED is set @@ -6045,13 +6045,13 @@ index e185acc0c20..694661b53b5 100644 DBG_NOTICE("Unable to find PAC for %s, resorting to local " "user lookup\n", principal_string); -- -2.37.2 +2.39.0 From 15cca0f7ee6f4b8d96b6b650b2d009b030a2bc5f Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 11 Oct 2021 23:17:19 +0200 -Subject: [PATCH 074/101] CVE-2020-25717: s4:auth: remove unused +Subject: [PATCH 074/142] CVE-2020-25717: s4:auth: remove unused auth_generate_session_info_principal() We'll require a PAC at the main gensec layer already. @@ -6189,13 +6189,13 @@ index fb88cb87f66..a8c7d8b4b85 100644 _PUBLIC_ NTSTATUS auth4_sam_init(TALLOC_CTX *); -- -2.37.2 +2.39.0 From ec14a33f17e638870c997b56d4b5ce9096cbb27a Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Sep 2021 12:27:28 +0200 -Subject: [PATCH 075/101] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in +Subject: [PATCH 075/142] CVE-2020-25717: s3:ntlm_auth: fix memory leaks in ntlm_auth_generate_session_info_pac() BUG: https://bugzilla.samba.org/show_bug.cgi?id=14801 @@ -6263,13 +6263,13 @@ index 3f70732a837..fefdd32bf11 100644 DEBUG(10, ("Domain is [%s] (using Winbind)\n", domain)); } -- -2.37.2 +2.39.0 From 9e036a77eca721c4ea23c3f629d9e504d5780f79 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 21 Sep 2021 12:44:01 +0200 -Subject: [PATCH 076/101] CVE-2020-25717: s3:ntlm_auth: let +Subject: [PATCH 076/142] CVE-2020-25717: s3:ntlm_auth: let ntlm_auth_generate_session_info_pac() base the name on the PAC LOGON_INFO only @@ -6405,13 +6405,13 @@ index fefdd32bf11..ff2fd30a9ae 100644 if (!unixuser) { status = NT_STATUS_NO_MEMORY; -- -2.37.2 +2.39.0 From 4c01fd62e30b8e1137e7de01ecb41c94550dac24 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Mon, 4 Oct 2021 19:42:20 +0200 -Subject: [PATCH 077/101] CVE-2020-25717: s3:auth: let +Subject: [PATCH 077/142] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() delegate everything to make_server_info_wbcAuthUserInfo() @@ -6726,13 +6726,13 @@ index 26a38f92b30..3099e8f9057 100644 status = NT_STATUS_OK; -- -2.37.2 +2.39.0 From 2d7cd152d95e091447731b3699be9654ca13cffc Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 17:14:01 +0200 -Subject: [PATCH 078/101] CVE-2020-25717: selftest: configure 'ktest' env with +Subject: [PATCH 078/142] CVE-2020-25717: selftest: configure 'ktest' env with winbindd and idmap_autorid The 'ktest' environment was/is designed to test kerberos in an active @@ -6777,13 +6777,13 @@ index bbbefea44b7..7034127ef0b 100755 } return $ret; -- -2.37.2 +2.39.0 From 6b4c3693d4ae3c54fd4c890b71829ac582436dee Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Tue, 5 Oct 2021 18:12:49 +0200 -Subject: [PATCH 079/101] CVE-2020-25717: s3:auth: let +Subject: [PATCH 079/142] CVE-2020-25717: s3:auth: let auth3_generate_session_info_pac() reject a PAC in standalone mode We should be strict in standalone mode, that we only support MIT realms @@ -6862,13 +6862,13 @@ index 3099e8f9057..23f746c078e 100644 if (!NT_STATUS_IS_OK(status)) { DEBUG(1, ("Failed to map kerberos pac to server info (%s)\n", -- -2.37.2 +2.39.0 From 6f6a1fedb97d119a7f15831f7295b1774e806ba8 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 17:59:59 +0200 -Subject: [PATCH 080/101] CVE-2020-25717: s3:auth: simplify +Subject: [PATCH 080/142] CVE-2020-25717: s3:auth: simplify get_user_from_kerberos_info() by removing the unused logon_info argument This code is only every called in standalone mode on a MIT realm, @@ -7012,13 +7012,13 @@ index 074e8c7eb71..7b69ca6c222 100644 bool *mapped_to_guest, char **ntuser, -- -2.37.2 +2.39.0 From 8fd8d952c4396484f822c51f71667baaf49402b4 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 8 Oct 2021 18:03:04 +0200 -Subject: [PATCH 081/101] CVE-2020-25717: s3:auth: simplify +Subject: [PATCH 081/142] CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments This is only ever be called in standalone mode with an MIT realm, @@ -7115,13 +7115,13 @@ index 7b69ca6c222..b8f37cbeee0 100644 { return NT_STATUS_NOT_IMPLEMENTED; -- -2.37.2 +2.39.0 From bf0696ec4f3080ebd0b61cac5a05a9284ccabda8 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:39:19 +1200 -Subject: [PATCH 082/101] krb5pac.idl: Add ticket checksum PAC buffer type +Subject: [PATCH 082/142] krb5pac.idl: Add ticket checksum PAC buffer type Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -7155,13 +7155,13 @@ index f27e7243ee4..711b7f94b6c 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.37.2 +2.39.0 From 7a9f618fdbf32872594f47dd4bc83ce087af4bbc Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 1 Sep 2021 15:40:59 +1200 -Subject: [PATCH 083/101] security.idl: Add well-known SIDs for FAST +Subject: [PATCH 083/142] security.idl: Add well-known SIDs for FAST Signed-off-by: Joseph Sutton Reviewed-by: Andrew Bartlett @@ -7187,13 +7187,13 @@ index 5930f448955..e6065a35691 100644 * http://technet.microsoft.com/en-us/library/hh509017(v=ws.10).aspx */ -- -2.37.2 +2.39.0 From 7713b56a8a8b26e05aa9a517348e3f95da1144a7 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Wed, 29 Sep 2021 16:15:26 +1300 -Subject: [PATCH 084/101] krb5pac.idl: Add missing buffer type values +Subject: [PATCH 084/142] krb5pac.idl: Add missing buffer type values BUG: https://bugzilla.samba.org/show_bug.cgi?id=14642 @@ -7219,13 +7219,13 @@ index 711b7f94b6c..141894ec5f1 100644 } PAC_TYPE; -- -2.37.2 +2.39.0 From a85bf1d86d6e081c781cc93a8e7aaa049c3818d0 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 26 Oct 2021 20:33:38 +1300 -Subject: [PATCH 085/101] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO +Subject: [PATCH 085/142] CVE-2020-25719 krb5pac.idl: Add PAC_ATTRIBUTES_INFO PAC buffer type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 @@ -7276,13 +7276,13 @@ index 141894ec5f1..4bfec2de5e6 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.37.2 +2.39.0 From 57e4c415ecae66ee984a30eb66d5d248e0e8587d Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Tue, 26 Oct 2021 20:33:49 +1300 -Subject: [PATCH 086/101] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC +Subject: [PATCH 086/142] CVE-2020-25719 krb5pac.idl: Add PAC_REQUESTER_SID PAC buffer type BUG: https://bugzilla.samba.org/show_bug.cgi?id=14561 @@ -7327,13 +7327,13 @@ index 4bfec2de5e6..f750359a069 100644 in such a way that they are backwards compatible with existing servers. This makes it safe to just use a [default] for -- -2.37.2 +2.39.0 From 7782a97868ead29b6e87fa98dcef8dbc2706b67d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 27 Sep 2021 11:20:19 +1300 -Subject: [PATCH 087/101] CVE-2020-25721 krb5pac: Add new buffers for +Subject: [PATCH 087/142] CVE-2020-25721 krb5pac: Add new buffers for samAccountName and objectSID These appear when PAC_UPN_DNS_FLAG_HAS_SAM_NAME_AND_SID is set. @@ -7414,13 +7414,13 @@ index a9ae2c4a789..57b28df9e52 100644 NDR_CHECK(ndr_push_subcontext_start(_ndr_info_pad, &_ndr_info, 0, _ndr_size)); NDR_CHECK(ndr_push_set_switch_value(_ndr_info, r->info, r->type)); -- -2.37.2 +2.39.0 From 44e8dd1a9a3c02dee31497fe20411758fce1acf9 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Fri, 12 Nov 2021 19:06:01 +0200 -Subject: [PATCH 088/101] IPA DC: add missing checks +Subject: [PATCH 088/142] IPA DC: add missing checks When introducing FreeIPA support, two places were forgotten: @@ -7466,13 +7466,13 @@ index 57bfc596005..3f77856457e 100644 sid = dom_sid_dup(p->mem_ctx, get_global_sam_sid()); if (!sid) { -- -2.37.2 +2.39.0 From c64bcd68614871cdddc9fe37c860729f490b4da1 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 12 Nov 2021 15:27:58 +0100 -Subject: [PATCH 089/101] CVE-2020-25717: idmap_nss: verify that the name of +Subject: [PATCH 089/142] CVE-2020-25717: idmap_nss: verify that the name of the sid belongs to the configured domain We already check the sid belongs to the domain, but checking the name @@ -7558,13 +7558,13 @@ index 3fe98cbc729..243b67ccafd 100644 } return NT_STATUS_OK; -- -2.37.2 +2.39.0 From c7d277ef2c902482eca00fc981bf340a088fbfe1 Mon Sep 17 00:00:00 2001 From: Joseph Sutton Date: Fri, 12 Nov 2021 20:53:30 +1300 -Subject: [PATCH 090/101] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non +Subject: [PATCH 090/142] CVE-2020-25717: nsswitch/nsstest.c: Lower 'non existent uid' to make room for new accounts BUG: https://bugzilla.samba.org/show_bug.cgi?id=14901 @@ -7591,13 +7591,13 @@ index 46f96795f39..8ce7493d1b6 100644 total_errors++; printf("ERROR Non existent uid gave error %d\n", last_error); -- -2.37.2 +2.39.0 From 0ff9bba35a043267a2781c294f5832378cd6da54 Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Fri, 12 Nov 2021 16:10:31 +1300 -Subject: [PATCH 091/101] CVE-2020-25717: s3:auth: Fallback to a SID/UID based +Subject: [PATCH 091/142] CVE-2020-25717: s3:auth: Fallback to a SID/UID based mapping if the named based lookup fails MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -7707,13 +7707,13 @@ index c0e5cfd7fa8..b463059f259 100644 &pwd, &username_was_mapped); -- -2.37.2 +2.39.0 From f035c041e42594bacfe7c3f4e5ea5d05399e1c5a Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Nov 2021 10:57:17 +0100 -Subject: [PATCH 092/101] CVE-2020-25717: s3-auth: fix MIT Realm regression +Subject: [PATCH 092/142] CVE-2020-25717: s3-auth: fix MIT Realm regression This looks like a regression introduced by the recent security fixes. This commit should hopefully fixes it. @@ -7770,13 +7770,13 @@ index b8f37cbeee0..169bf563368 100644 if (!unixuser) { return NT_STATUS_NO_MEMORY; -- -2.37.2 +2.39.0 From 8b8d1b20b16381c305c23ce03a559b8c7de67f5d Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 13 Jan 2022 16:48:01 +0100 -Subject: [PATCH 093/101] CVE-2021-44142: libadouble: add defines for icon +Subject: [PATCH 093/142] CVE-2021-44142: libadouble: add defines for icon lengths From https://www.ietf.org/rfc/rfc1740.txt @@ -7802,13 +7802,13 @@ index afad70ce180..3a35620bfe4 100644 #define ADEDLEN_PRIVDEV 8 #define ADEDLEN_PRIVINO 8 -- -2.37.2 +2.39.0 From 3f2e9a6de36c086cff0bb3296f00c85a37a2653c Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Sat, 20 Nov 2021 16:36:42 +0100 -Subject: [PATCH 094/101] CVE-2021-44142: smbd: add Netatalk xattr used by +Subject: [PATCH 094/142] CVE-2021-44142: smbd: add Netatalk xattr used by vfs_fruit to the list of private Samba xattrs This is an internal xattr that should not be user visible. @@ -7851,13 +7851,13 @@ index f8d987bbe63..406087c0419 100644 }; -- -2.37.2 +2.39.0 From 00287584703e9e91e804e0f182bd844b7c436716 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Fri, 26 Nov 2021 07:19:32 +0100 -Subject: [PATCH 095/101] CVE-2021-44142: libadouble: harden ad_unpack_xattrs() +Subject: [PATCH 095/142] CVE-2021-44142: libadouble: harden ad_unpack_xattrs() This ensures ad_unpack_xattrs() is only called for an ad_type of ADOUBLE_RSRC, which is used for parsing ._ AppleDouble sidecar files, and the buffer @@ -7921,13 +7921,13 @@ index 3a35620bfe4..76139e51047 100644 } -- -2.37.2 +2.39.0 From 94141fa38e082e4ab50be6c2f79c8506e72bc274 Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 25 Nov 2021 15:04:03 +0100 -Subject: [PATCH 096/101] CVE-2021-44142: libadouble: add basic cmocka tests +Subject: [PATCH 096/142] CVE-2021-44142: libadouble: add basic cmocka tests BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 @@ -8377,13 +8377,13 @@ index 26e251f442a..5230ae32934 100644 source='smbd/server.c smbd/smbd_cleanupd.c', deps=''' -- -2.37.2 +2.39.0 From 5c1c2ea3dbe554f621014bb2b3133c0859dce2da Mon Sep 17 00:00:00 2001 From: Ralph Boehme Date: Thu, 13 Jan 2022 17:03:02 +0100 -Subject: [PATCH 097/101] CVE-2021-44142: libadouble: harden parsing code +Subject: [PATCH 097/142] CVE-2021-44142: libadouble: harden parsing code BUG: https://bugzilla.samba.org/show_bug.cgi?id=14914 @@ -8545,13 +8545,13 @@ index 76139e51047..17e97d15bdb 100644 } -- -2.37.2 +2.39.0 From 2c1f15a39367493733e4d275c3709a6497225917 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 5 Mar 2021 15:48:29 -0700 -Subject: [PATCH 098/101] winbind: Only use unixid2sid mapping when module +Subject: [PATCH 098/142] winbind: Only use unixid2sid mapping when module reports ID_MAPPED Only consider a mapping to be valid when the idmap module reports @@ -8585,13 +8585,13 @@ index 0842241e02e..94331163006 100644 TALLOC_FREE(maps); -- -2.37.2 +2.39.0 From 754ece447c2dea8cccbe8740df5aff75dca7b646 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 5 Mar 2021 16:01:13 -0700 -Subject: [PATCH 099/101] idmap_rfc2307: Do not return SID from unixids_to_sids +Subject: [PATCH 099/142] idmap_rfc2307: Do not return SID from unixids_to_sids on type mismatch The call to winbind_lookup_name already wrote the result in the id_map @@ -8654,13 +8654,13 @@ index 94331163006..34375b3858f 100644 } -- -2.37.2 +2.39.0 From f831d80dde35ba0e29014a9e4f34cb3ce6eb6161 Mon Sep 17 00:00:00 2001 From: Christof Schmitt Date: Fri, 5 Mar 2021 16:07:54 -0700 -Subject: [PATCH 100/101] idmap_nss: Do not return SID from unixids_to_sids on +Subject: [PATCH 100/142] idmap_nss: Do not return SID from unixids_to_sids on type mismatch The call to winbind_lookup_name already wrote the result in the id_map @@ -8722,13 +8722,13 @@ index 243b67ccafd..e4bf1923786 100644 } break; -- -2.37.2 +2.39.0 From 4ef3d95fb680cf278e68b6794459ff7bce1489aa Mon Sep 17 00:00:00 2001 From: Andreas Schneider Date: Tue, 23 Nov 2021 15:48:57 +0100 -Subject: [PATCH 101/101] s3:winbind: Fix possible NULL pointer dereference +Subject: [PATCH 101/142] s3:winbind: Fix possible NULL pointer dereference BUG: https://bugzilla.redhat.com/show_bug.cgi?id=2019888 @@ -8758,5 +8758,5793 @@ index 04e79e70f6b..d1bd81b2372 100644 TALLOC_FREE(tmp_user); return NULL; -- -2.37.2 +2.39.0 + + +From 95c9485bb600e965f24712534850d1a7fd325c44 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 6 Dec 2022 16:00:36 +0100 +Subject: [PATCH 102/142] CVE-2022-38023 docs-xml: improve wording for several + options: "takes precedence" -> "overrides" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9) +--- + docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +- + docs-xml/smbdotconf/security/serverschannel.xml | 2 +- + docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +- + docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- + 4 files changed, 4 insertions(+), 4 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +index 41684ef1080..0bb9f6f6c8e 100644 +--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml ++++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +@@ -10,7 +10,7 @@ + You can set this to yes if all domain members support aes. + This will prevent downgrade attacks. + +- This option takes precedence to the 'allow nt4 crypto' option. ++ This option overrides the 'allow nt4 crypto' option. + + + no +diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml +index b682d086f76..79e4e73a95c 100644 +--- a/docs-xml/smbdotconf/security/serverschannel.xml ++++ b/docs-xml/smbdotconf/security/serverschannel.xml +@@ -59,7 +59,7 @@ + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + + +- This option takes precedence to the option. ++ This option overrides the option. + + + server require schannel:LEGACYCOMPUTER1$ = no +diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +index 37656293aa4..151b4676c57 100644 +--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml ++++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +@@ -15,7 +15,7 @@ + The behavior can be controlled per netbios domain + by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option. + +- This option takes precedence to the option. ++ This option overrides the option. + + + no +diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +index 4db62bfb02d..b17620ec8f1 100644 +--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml ++++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +@@ -19,7 +19,7 @@ + + This option yields precedence to the option. + +- This option takes precedence to the option. ++ This option overrides the option. + + + yes +-- +2.39.0 + + +From d6ab8377e55e4bda76c86de9bba1ddee30361481 Mon Sep 17 00:00:00 2001 +From: Ralph Boehme +Date: Tue, 6 Dec 2022 16:05:26 +0100 +Subject: [PATCH 103/142] CVE-2022-38023 docs-xml: improve wording for several + options: "yields precedence" -> "is over-riden" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Ralph Boehme +Reviewed-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251) +--- + docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +- + docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +- + docs-xml/smbdotconf/security/clientschannel.xml | 2 +- + docs-xml/smbdotconf/security/serverschannel.xml | 2 +- + docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- + 5 files changed, 5 insertions(+), 5 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml +index 03dc8fa93f7..06afcef73b1 100644 +--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml ++++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml +@@ -18,7 +18,7 @@ + + "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. + +- This option yields precedence to the 'reject md5 clients' option. ++ This option is over-ridden by the 'reject md5 clients' option. + + + no +diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml +index 03531adbfb3..8bccab391cc 100644 +--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml ++++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml +@@ -15,7 +15,7 @@ + The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, + winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option. + +- This option yields precedence to the implementation specific restrictions. ++ This option is over-ridden by the implementation specific restrictions. + E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. + The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. + +diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml +index 5b07da95050..d124ad48181 100644 +--- a/docs-xml/smbdotconf/security/clientschannel.xml ++++ b/docs-xml/smbdotconf/security/clientschannel.xml +@@ -23,7 +23,7 @@ + Note that for active directory domains this is hardcoded to + yes. + +- This option yields precedence to the option. ++ This option is over-ridden by the option. + + yes + auto +diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml +index 79e4e73a95c..3e66df1c203 100644 +--- a/docs-xml/smbdotconf/security/serverschannel.xml ++++ b/docs-xml/smbdotconf/security/serverschannel.xml +@@ -23,7 +23,7 @@ + If you still have legacy domain members use the option. + + +- This option yields precedence to the option. ++ This option is over-ridden by the option. + + + +diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +index b17620ec8f1..9c1c1d7af14 100644 +--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml ++++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml +@@ -17,7 +17,7 @@ + + Note for active directory domain this option is hardcoded to 'yes' + +- This option yields precedence to the option. ++ This option is over-ridden by the option. + + This option overrides the option. + +-- +2.39.0 + + +From 976080e72039b68ab66b757f1c3cb258eaca23df Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 14:46:59 +0100 +Subject: [PATCH 104/142] CVE-2022-38023 libcli/auth: pass lp_ctx to + netlogon_creds_cli_set_global_db() + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209) +--- + libcli/auth/netlogon_creds_cli.c | 3 ++- + libcli/auth/netlogon_creds_cli.h | 2 +- + source3/rpc_client/cli_netlogon.c | 2 +- + source3/utils/destroy_netlogon_creds_cli.c | 2 +- + 4 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c +index 0f6ca11ff96..c9873a5748e 100644 +--- a/libcli/auth/netlogon_creds_cli.c ++++ b/libcli/auth/netlogon_creds_cli.c +@@ -201,7 +201,8 @@ static NTSTATUS netlogon_creds_cli_context_common( + + static struct db_context *netlogon_creds_cli_global_db; + +-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db) ++NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, ++ struct db_context **db) + { + if (netlogon_creds_cli_global_db != NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; +diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h +index 56a2dd9bc77..2ce5de9d305 100644 +--- a/libcli/auth/netlogon_creds_cli.h ++++ b/libcli/auth/netlogon_creds_cli.h +@@ -31,7 +31,7 @@ struct messaging_context; + struct dcerpc_binding_handle; + struct db_context; + +-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db); ++NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db); + NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); + void netlogon_creds_cli_close_global_db(void); + +diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c +index f073f0d925e..b784064f17e 100644 +--- a/source3/rpc_client/cli_netlogon.c ++++ b/source3/rpc_client/cli_netlogon.c +@@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void) + return NT_STATUS_NO_MEMORY; + } + +- status = netlogon_creds_cli_set_global_db(&global_db); ++ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); + TALLOC_FREE(frame); + if (!NT_STATUS_IS_OK(status)) { + return status; +diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c +index 137ac8393e7..95a650f4654 100644 +--- a/source3/utils/destroy_netlogon_creds_cli.c ++++ b/source3/utils/destroy_netlogon_creds_cli.c +@@ -83,7 +83,7 @@ int main(int argc, const char *argv[]) + goto done; + } + +- status = netlogon_creds_cli_set_global_db(&global_db); ++ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); + if (!NT_STATUS_IS_OK(status)) { + fprintf(stderr, + "netlogon_creds_cli_set_global_db failed: %s\n", +-- +2.39.0 + + +From dfe17c3453980d53445a2cc6221cb8728fc9e3cf Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 14:47:33 +0100 +Subject: [PATCH 105/142] CVE-2022-38023 libcli/auth: add/use + netlogon_creds_cli_warn_options() + +This warns the admin about insecure options + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme + +(similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800) +[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to + getpid()] +--- + libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++ + libcli/auth/netlogon_creds_cli.h | 2 + + 2 files changed, 68 insertions(+) + +diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c +index c9873a5748e..20a3da5060f 100644 +--- a/libcli/auth/netlogon_creds_cli.c ++++ b/libcli/auth/netlogon_creds_cli.c +@@ -204,6 +204,8 @@ static struct db_context *netlogon_creds_cli_global_db; + NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, + struct db_context **db) + { ++ netlogon_creds_cli_warn_options(lp_ctx); ++ + if (netlogon_creds_cli_global_db != NULL) { + return NT_STATUS_INVALID_PARAMETER_MIX; + } +@@ -218,6 +220,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx) + struct db_context *global_db; + int hash_size, tdb_flags; + ++ netlogon_creds_cli_warn_options(lp_ctx); ++ + if (netlogon_creds_cli_global_db != NULL) { + return NT_STATUS_OK; + } +@@ -258,6 +262,68 @@ void netlogon_creds_cli_close_global_db(void) + TALLOC_FREE(netlogon_creds_cli_global_db); + } + ++void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) ++{ ++ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx); ++ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx); ++ int global_client_schannel = lpcfg_client_schannel(lp_ctx); ++ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx); ++ static bool warned_global_reject_md5_servers = false; ++ static bool warned_global_require_strong_key = false; ++ static bool warned_global_client_schannel = false; ++ static bool warned_global_seal_secure_channel = false; ++ static int warned_global_pid = 0; ++ int current_pid = getpid(); ++ ++ if (warned_global_pid != current_pid) { ++ warned_global_reject_md5_servers = false; ++ warned_global_require_strong_key = false; ++ warned_global_client_schannel = false; ++ warned_global_seal_secure_channel = false; ++ warned_global_pid = current_pid; ++ } ++ ++ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'reject md5 servers = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_reject_md5_servers = true; ++ } ++ ++ if (!global_require_strong_key && !warned_global_require_strong_key) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'require strong key = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_require_strong_key = true; ++ } ++ ++ if (global_client_schannel != true && !warned_global_client_schannel) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'client schannel = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_client_schannel = true; ++ } ++ ++ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'winbind sealed pipes = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_seal_secure_channel = true; ++ } ++} ++ + NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, + struct messaging_context *msg_ctx, + const char *client_account, +diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h +index 2ce5de9d305..e4e0232e92f 100644 +--- a/libcli/auth/netlogon_creds_cli.h ++++ b/libcli/auth/netlogon_creds_cli.h +@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc + NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); + void netlogon_creds_cli_close_global_db(void); + ++void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx); ++ + NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, + struct messaging_context *msg_ctx, + const char *client_account, +-- +2.39.0 + + +From 75c44fdccf18bfa34530f05937e8e3305b2c927e Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 16:16:05 +0100 +Subject: [PATCH 106/142] CVE-2022-38023 s3:net: add and use + net_warn_member_options() helper + +This makes sure domain member related 'net' commands print warnings +about unsecure smb.conf options. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a) +--- + source3/utils/net.c | 6 ++++++ + source3/utils/net_ads.c | 14 ++++++++++++++ + source3/utils/net_dom.c | 2 ++ + source3/utils/net_join.c | 2 ++ + source3/utils/net_proto.h | 2 ++ + source3/utils/net_rpc.c | 10 ++++++++++ + source3/utils/net_util.c | 15 +++++++++++++++ + 7 files changed, 51 insertions(+) + +diff --git a/source3/utils/net.c b/source3/utils/net.c +index 8350e8c0967..c17dd972c3f 100644 +--- a/source3/utils/net.c ++++ b/source3/utils/net.c +@@ -83,6 +83,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param) + + static int net_changetrustpw(struct net_context *c, int argc, const char **argv) + { ++ net_warn_member_options(); ++ + if (net_ads_check_our_domain(c) == 0) + return net_ads_changetrustpw(c, argc, argv); + +@@ -110,6 +112,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc, + return 1; + } + ++ net_warn_member_options(); ++ + if (c->opt_stdin) { + set_line_buffering(stdin); + set_line_buffering(stdout); +@@ -185,6 +189,8 @@ static int net_changesecretpw(struct net_context *c, int argc, + return 1; + } + ++ net_warn_member_options(); ++ + if(c->opt_force) { + struct secrets_domain_info1 *info = NULL; + struct secrets_domain_info1_change *prev = NULL; +diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c +index 3cf8fbbf7c8..32a7b2d7f7f 100644 +--- a/source3/utils/net_ads.c ++++ b/source3/utils/net_ads.c +@@ -1290,6 +1290,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { + return -1; + } +@@ -1431,6 +1433,8 @@ static NTSTATUS net_ads_join_ok(struct net_context *c) + return NT_STATUS_ACCESS_DENIED; + } + ++ net_warn_member_options(); ++ + net_use_krb_machine_account(c); + + get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip); +@@ -1461,6 +1465,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + /* Display success or failure */ + status = net_ads_join_ok(c); + if (!NT_STATUS_IS_OK(status)) { +@@ -1846,6 +1852,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) + if (c->display_usage) + return net_ads_join_usage(c, argc, argv); + ++ net_warn_member_options(); ++ + if (!modify_config) { + + werr = check_ads_config(); +@@ -2732,6 +2740,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) + return -1; + } + ++ net_warn_member_options(); ++ + net_use_krb_machine_account(c); + + use_in_memory_ccache(); +@@ -3001,6 +3011,8 @@ static int net_ads_keytab_add(struct net_context *c, + return 0; + } + ++ net_warn_member_options(); ++ + d_printf(_("Processing principals to add...\n")); + if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { + return -1; +@@ -3040,6 +3052,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a + return 0; + } + ++ net_warn_member_options(); ++ + if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { + return -1; + } +diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c +index 1e45c59220c..db6e34e52de 100644 +--- a/source3/utils/net_dom.c ++++ b/source3/utils/net_dom.c +@@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv) + return net_dom_usage(c, argc, argv); + } + ++ net_warn_member_options(); ++ + if (c->opt_host) { + server_name = c->opt_host; + } +diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c +index 1493dff74d7..f67f08f79a8 100644 +--- a/source3/utils/net_join.c ++++ b/source3/utils/net_join.c +@@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + if (net_ads_check_our_domain(c) == 0) { + if (net_ads_join(c, argc, argv) == 0) + return 0; +diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h +index 22fe39e0f1c..38581a796cb 100644 +--- a/source3/utils/net_proto.h ++++ b/source3/utils/net_proto.h +@@ -423,6 +423,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv, + const char *whoami, struct functable *table); + void net_display_usage_from_functable(struct functable *table); + ++void net_warn_member_options(void); ++ + const char *net_share_type_str(int num_type); + + NTSTATUS net_scan_dc(struct net_context *c, +diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c +index f2d63d2af65..52c2ec37a89 100644 +--- a/source3/utils/net_rpc.c ++++ b/source3/utils/net_rpc.c +@@ -370,6 +370,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + mem_ctx = talloc_init("net_rpc_oldjoin"); + if (!mem_ctx) { + return -1; +@@ -489,6 +491,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + mem_ctx = talloc_init("net_rpc_testjoin"); + if (!mem_ctx) { + return -1; +@@ -563,6 +567,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a + return 0; + } + ++ net_warn_member_options(); ++ + mem_ctx = talloc_init("net_rpc_join_newstyle"); + if (!mem_ctx) { + return -1; +@@ -684,6 +690,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv) + return -1; + } + ++ net_warn_member_options(); ++ + if (strlen(lp_netbios_name()) > 15) { + d_printf(_("Our netbios name can be at most 15 chars long, " + "\"%s\" is %u chars long\n"), +@@ -814,6 +822,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv) + return 0; + } + ++ net_warn_member_options(); ++ + return run_rpc_command(c, NULL, &ndr_table_samr, + NET_FLAGS_PDC, rpc_info_internals, + argc, argv); +diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c +index a84b4f5500e..94a8dc9defe 100644 +--- a/source3/utils/net_util.c ++++ b/source3/utils/net_util.c +@@ -29,6 +29,8 @@ + #include "secrets.h" + #include "../libcli/security/security.h" + #include "libsmb/libsmb.h" ++#include "libcli/auth/netlogon_creds_cli.h" ++#include "lib/param/param.h" + + NTSTATUS net_rpc_lookup_name(struct net_context *c, + TALLOC_CTX *mem_ctx, struct cli_state *cli, +@@ -534,6 +536,19 @@ void net_display_usage_from_functable(struct functable *table) + } + } + ++void net_warn_member_options(void) ++{ ++ TALLOC_CTX *frame = talloc_stackframe(); ++ struct loadparm_context *lp_ctx = NULL; ++ ++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); ++ if (lp_ctx != NULL) { ++ netlogon_creds_cli_warn_options(lp_ctx); ++ } ++ ++ TALLOC_FREE(frame); ++} ++ + const char *net_share_type_str(int num_type) + { + switch(num_type) { +-- +2.39.0 + + +From 9d7eba489e7f798dd3115439da1bc92a87059ce1 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 14:59:36 +0100 +Subject: [PATCH 107/142] CVE-2022-38023 s3:winbindd: also allow per domain + "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" + +This avoids advising insecure defaults for the global options. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef) +--- + source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++------- + 1 file changed, 33 insertions(+), 8 deletions(-) + +diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c +index 502331f7260..1a8017cf4cc 100644 +--- a/source3/winbindd/winbindd_cm.c ++++ b/source3/winbindd/winbindd_cm.c +@@ -2734,6 +2734,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, + struct netlogon_creds_cli_context *p_creds; + struct cli_credentials *creds = NULL; + bool retry = false; /* allow one retry attempt for expired session */ ++ bool sealed_pipes = true; ++ bool strong_key = true; + + if (sid_check_is_our_sam(&domain->sid)) { + if (domain->rodc == false || need_rw_dc == false) { +@@ -2907,14 +2909,24 @@ retry: + + anonymous: + ++ sealed_pipes = lp_winbind_sealed_pipes(); ++ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", ++ domain->name, ++ sealed_pipes); ++ strong_key = lp_require_strong_key(); ++ strong_key = lp_parm_bool(-1, "require strong key", ++ domain->name, ++ strong_key); ++ + /* Finally fall back to anonymous. */ +- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { ++ if (sealed_pipes || strong_key) { + status = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make SAMR connection to domain %s " + "without connection level security, " +- "must set 'winbind sealed pipes = false' and " +- "'require strong key = false' to proceed: %s\n", +- domain->name, nt_errstr(status))); ++ "must set 'winbind sealed pipes:%s = false' and " ++ "'require strong key:%s = false' to proceed: %s\n", ++ domain->name, domain->name, domain->name, ++ nt_errstr(status))); + goto done; + } + status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr, +@@ -3061,6 +3073,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, + struct netlogon_creds_cli_context *p_creds; + struct cli_credentials *creds = NULL; + bool retry = false; /* allow one retry attempt for expired session */ ++ bool sealed_pipes = true; ++ bool strong_key = true; + + retry: + result = init_dc_connection_rpc(domain, false); +@@ -3216,13 +3230,24 @@ retry: + goto done; + } + +- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { ++ sealed_pipes = lp_winbind_sealed_pipes(); ++ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", ++ domain->name, ++ sealed_pipes); ++ strong_key = lp_require_strong_key(); ++ strong_key = lp_parm_bool(-1, "require strong key", ++ domain->name, ++ strong_key); ++ ++ /* Finally fall back to anonymous. */ ++ if (sealed_pipes || strong_key) { + result = NT_STATUS_DOWNGRADE_DETECTED; + DEBUG(1, ("Unwilling to make LSA connection to domain %s " + "without connection level security, " +- "must set 'winbind sealed pipes = false' and " +- "'require strong key = false' to proceed: %s\n", +- domain->name, nt_errstr(result))); ++ "must set 'winbind sealed pipes:%s = false' and " ++ "'require strong key:%s = false' to proceed: %s\n", ++ domain->name, domain->name, domain->name, ++ nt_errstr(result))); + goto done; + } + +-- +2.39.0 + + +From b310b2672f80a717188675b6c762d184436a190c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 24 Nov 2022 18:22:23 +0100 +Subject: [PATCH 108/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject + md5 servers' default to yes + +AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no +reason to allow md5 servers by default. + +Note the change in netlogon_creds_cli_context_global() is only cosmetic, +but avoids confusion while reading the code. Check with: + + git show -U35 libcli/auth/netlogon_creds_cli.c + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584) +--- + docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++-- + lib/param/loadparm.c | 1 + + libcli/auth/netlogon_creds_cli.c | 4 ++-- + source3/param/loadparm.c | 1 + + 4 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +index 151b4676c57..3bc4eaf7b02 100644 +--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml ++++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml +@@ -13,10 +13,13 @@ + This will prevent downgrade attacks. + + The behavior can be controlled per netbios domain +- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option. ++ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option. ++ ++ The default changed from 'no' to 'yes, with the patches for CVE-2022-38023, ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240 + + This option overrides the option. + + +-no ++yes + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 4aa91f4d404..dc659a449ea 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2733,6 +2733,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "True"); + lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); ++ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True"); + lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); + lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); + lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR); +diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c +index 20a3da5060f..0558cb237a4 100644 +--- a/libcli/auth/netlogon_creds_cli.c ++++ b/libcli/auth/netlogon_creds_cli.c +@@ -340,8 +340,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, + const char *client_computer; + uint32_t proposed_flags; + uint32_t required_flags = 0; +- bool reject_md5_servers = false; +- bool require_strong_key = false; ++ bool reject_md5_servers = true; ++ bool require_strong_key = true; + int require_sign_or_seal = true; + bool seal_secure_channel = true; + enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 98e05d13d59..fbc987e119a 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -657,6 +657,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + Globals.client_schannel = true; + Globals.winbind_sealed_pipes = true; + Globals.require_strong_key = true; ++ Globals.reject_md5_servers = true; + Globals.server_schannel = true; + Globals.read_raw = true; + Globals.write_raw = true; +-- +2.39.0 + + +From b62fb90dd434c99131086f27cb74cf2c109fb9d2 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 6 Dec 2022 10:56:29 +0100 +Subject: [PATCH 109/142] CVE-2022-38023 s4:rpc_server/netlogon: 'server + schannel != yes' warning to dcesrv_interface_netlogon_bind + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++-------- + 1 file changed, 15 insertions(+), 11 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 7668a9eb923..e7f8cd5c075 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -60,6 +60,21 @@ + static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context, + const struct dcesrv_interface *iface) + { ++ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; ++ int schannel = lpcfg_server_schannel(lp_ctx); ++ bool schannel_global_required = (schannel == true); ++ static bool warned_global_schannel_once = false; ++ ++ if (!schannel_global_required && !warned_global_schannel_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ D_ERR("CVE-2020-1472(ZeroLogon): " ++ "Please configure 'server schannel = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); ++ warned_global_schannel_once = true; ++ } ++ + return dcesrv_interface_bind_reject_connect(context, iface); + } + +@@ -629,7 +644,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + const char *opname = ""; +- static bool warned_global_once = false; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; +@@ -681,16 +695,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + return NT_STATUS_ACCESS_DENIED; + } + +- if (!schannel_global_required && !warned_global_once) { +- /* +- * We want admins to notice their misconfiguration! +- */ +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Please configure 'server schannel = yes', " +- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); +- warned_global_once = true; +- } +- + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) WITH schannel from " +-- +2.39.0 + + +From dbddee016499bddab42870226eda0b19facca936 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 12 Dec 2022 14:03:50 +0100 +Subject: [PATCH 110/142] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx + variable to dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index e7f8cd5c075..bd3a36e60cc 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -635,8 +635,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out) + { ++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + NTSTATUS nt_status; +- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); ++ int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; +@@ -652,7 +653,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + dcesrv_call_auth_info(dce_call, &auth_type, NULL); + + nt_status = schannel_check_creds_state(mem_ctx, +- dce_call->conn->dce_ctx->lp_ctx, ++ lp_ctx, + computer_name, + received_authenticator, + return_authenticator, +@@ -667,7 +668,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + * need the explicit_opt pointer in order to + * adjust the debug messages. + */ +- explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx, ++ explicit_opt = lpcfg_get_parametric(lp_ctx, + NULL, + "server require schannel", + creds->account_name); +-- +2.39.0 + + +From da1c4d9055c0b7fcb5e6952e3e63c7089b2b0432 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 12 Dec 2022 14:03:50 +0100 +Subject: [PATCH 111/142] CVE-2022-38023 s4:rpc_server/netlogon: add + talloc_stackframe() to dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++-------- + 1 file changed, 19 insertions(+), 13 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index bd3a36e60cc..b842fa6a556 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -636,6 +636,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + struct netlogon_creds_CredentialState **creds_out) + { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; ++ TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS nt_status; + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); +@@ -679,6 +680,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + if (schannel_required) { + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -686,13 +688,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' is needed! \n", +- log_escape(mem_ctx, creds->account_name)); ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name)); + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return NT_STATUS_ACCESS_DENIED; + } + +@@ -701,13 +705,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + "%s request (opnum[%u]) WITH schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -717,24 +722,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } else { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " + "'server require schannel:%s = no' might be needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +-- +2.39.0 + + +From 01d4d64eaca505da9c542f2149c0bd362ad180d1 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 12:37:03 +0100 +Subject: [PATCH 112/142] CVE-2022-38023 s4:rpc_server/netlogon: re-order + checking in dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++---------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index b842fa6a556..9b3a933abca 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -677,13 +677,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + schannel_required = lp_bool(explicit_opt); + } + +- if (schannel_required) { +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (!schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) WITH schannel from " ++ "client_account[%s] client_computer_name[%s]\n", ++ opname, opnum, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } ++ if (explicit_opt != NULL && !schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed!?\n", ++ log_escape(frame, creds->account_name)); + } + ++ *creds_out = creds; ++ TALLOC_FREE(frame); ++ return NT_STATUS_OK; ++ } ++ ++ if (schannel_required) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", +@@ -700,23 +714,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + return NT_STATUS_ACCESS_DENIED; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); +- +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; +- } +- +- + if (explicit_opt != NULL) { + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " +-- +2.39.0 + + +From 90531a4cb89b0d390261de1920f17a8ea7a9cbcb Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 12:37:03 +0100 +Subject: [PATCH 113/142] CVE-2022-38023 s4:rpc_server/netlogon: improve + CVE-2020-1472(ZeroLogon) debug messages + +In order to avoid generating useless debug messages during make test, +we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' +and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. + +Review with: git show -w + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++----- + 1 file changed, 106 insertions(+), 41 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 9b3a933abca..8084061aabc 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -643,15 +643,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; + struct netlogon_creds_CredentialState *creds = NULL; ++ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ unsigned int dbg_lvl = DBGLVL_DEBUG; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + uint16_t opnum = dce_call->pkt.u.request.opnum; + const char *opname = ""; ++ const char *reason = ""; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; + } + +- dcesrv_call_auth_info(dce_call, &auth_type, NULL); ++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); ++ ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ reason = "WITH SEALED"; ++ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ reason = "WITH SIGNED"; ++ } else { ++ smb_panic("Schannel without SIGN/SEAL"); ++ } ++ } else { ++ reason = "WITHOUT"; ++ } + + nt_status = schannel_check_creds_state(mem_ctx, + lp_ctx, +@@ -678,62 +697,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + } + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (!schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); ++ nt_status = NT_STATUS_OK; ++ ++ if (explicit_opt != NULL && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(nt_status))); ++ + if (explicit_opt != NULL && !schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; + TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ return nt_status; + } + + if (schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name)); ++ nt_status = NT_STATUS_ACCESS_DENIED; ++ ++ if (explicit_opt != NULL) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(nt_status))); ++ if (explicit_opt != NULL) { ++ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); +- return NT_STATUS_ACCESS_DENIED; ++ return nt_status; + } + ++ nt_status = NT_STATUS_OK; ++ + if (explicit_opt != NULL) { +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' might be needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(nt_status))); ++ ++ if (explicit_opt != NULL) { ++ D_INFO("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server require schannel:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Please use 'server require schannel:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; +-- +2.39.0 + + +From 2ea49737a5cac8ead895da30d40f18019103b285 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 12:26:01 +0100 +Subject: [PATCH 114/142] CVE-2022-38023 selftest:Samba4: avoid global 'server + schannel = auto' + +Instead of using the generic deprecated option use the specific +server require schannel:COMPUTERACCOUNT = no in order to allow +legacy tests for pass. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c) +--- + selftest/target/Samba4.pm | 37 ++++++++++++++++++++++++++++++++++--- + 1 file changed, 34 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index 0f644661176..8dad74cae43 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -1708,7 +1708,24 @@ sub provision_ad_dc_ntvfs($$) + dsdb event notification = true + dsdb password event notification = true + dsdb group change notification = true +- server schannel = auto ++ ++ CVE_2020_1472:warn_about_unused_debug_level = 3 ++ server require schannel:schannel0\$ = no ++ server require schannel:schannel1\$ = no ++ server require schannel:schannel2\$ = no ++ server require schannel:schannel3\$ = no ++ server require schannel:schannel4\$ = no ++ server require schannel:schannel5\$ = no ++ server require schannel:schannel6\$ = no ++ server require schannel:schannel7\$ = no ++ server require schannel:schannel8\$ = no ++ server require schannel:schannel9\$ = no ++ server require schannel:schannel10\$ = no ++ server require schannel:schannel11\$ = no ++ server require schannel:torturetest\$ = no ++ ++ # needed for 'samba.tests.auth_log' tests ++ server require schannel:LOCALDC\$ = no + "; + my $extra_provision_options = ["--use-ntvfs"]; + my $ret = $self->provision($prefix, +@@ -2085,8 +2102,22 @@ sub provision_ad_dc($$$$$$) + lpq cache time = 0 + print notify backchannel = yes + +- server schannel = auto +- auth event notification = true ++ CVE_2020_1472:warn_about_unused_debug_level = 3 ++ server require schannel:schannel0\$ = no ++ server require schannel:schannel1\$ = no ++ server require schannel:schannel2\$ = no ++ server require schannel:schannel3\$ = no ++ server require schannel:schannel4\$ = no ++ server require schannel:schannel5\$ = no ++ server require schannel:schannel6\$ = no ++ server require schannel:schannel7\$ = no ++ server require schannel:schannel8\$ = no ++ server require schannel:schannel9\$ = no ++ server require schannel:schannel10\$ = no ++ server require schannel:schannel11\$ = no ++ server require schannel:torturetest\$ = no ++ ++ auth event notification = true + dsdb event notification = true + dsdb password event notification = true + dsdb group change notification = true +-- +2.39.0 + + +From a9ad04a6a886c4f17120fcf585bba7b979752d3c Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Mon, 28 Nov 2022 15:02:13 +0100 +Subject: [PATCH 115/142] CVE-2022-38023 s4:torture: use + NETLOGON_NEG_SUPPORTS_AES by default + +For generic tests we should use the best available features. + +And AES will be required by default soon. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66) +--- + source4/torture/ntp/ntp_signd.c | 2 +- + source4/torture/rpc/lsa.c | 4 ++-- + source4/torture/rpc/netlogon.c | 18 +++++++++--------- + source4/torture/rpc/samba3rpc.c | 15 ++++++++++++--- + 4 files changed, 24 insertions(+), 15 deletions(-) + +diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c +index d2a41819fcf..66f2b8956a2 100644 +--- a/source4/torture/ntp/ntp_signd.c ++++ b/source4/torture/ntp/ntp_signd.c +@@ -68,7 +68,7 @@ static bool test_ntp_signd(struct torture_context *tctx, + uint32_t rid; + const char *machine_name; + const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx); +- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + + struct sign_request sign_req; + struct signed_reply signed_reply; +diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c +index 7bdc0cf679a..52e220ce225 100644 +--- a/source4/torture/rpc/lsa.c ++++ b/source4/torture/rpc/lsa.c +@@ -4260,7 +4260,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, + torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); + + ok = check_pw_with_ServerAuthenticate3(p1, tctx, +- NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + server_name, + incoming_creds, &creds); + torture_assert_int_equal(tctx, ok, expected_result, +@@ -4357,7 +4357,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, + torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); + + ok = check_pw_with_ServerAuthenticate3(p2, tctx, +- NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + server_name, + incoming_creds, &creds); + torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password"); +diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c +index 97c16688bc9..1fceeae88cc 100644 +--- a/source4/torture/rpc/netlogon.c ++++ b/source4/torture/rpc/netlogon.c +@@ -189,7 +189,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, + + /* This allows the tests to continue against the more fussy windows 2008 */ + if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) { +- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + credentials, + cli_credentials_get_secure_channel_type(credentials), + creds_out); +@@ -423,7 +423,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, + "ServerAuthenticate3 failed"); + torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed"); + +- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + creds = netlogon_creds_client_init(tctx, a.in.account_name, + a.in.computer_name, + a.in.secure_channel_type, +@@ -490,7 +490,7 @@ static bool test_ServerReqChallenge( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -562,7 +562,7 @@ static bool test_ServerReqChallenge_zero_challenge( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -639,7 +639,7 @@ static bool test_ServerReqChallenge_5_repeats( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -723,7 +723,7 @@ static bool test_ServerReqChallenge_4_repeats( + const char *machine_name; + struct dcerpc_binding_handle *b = p->binding_handle; + struct netr_ServerAuthenticate2 a; +- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + uint32_t out_negotiate_flags = 0; + const struct samr_Password *mach_password = NULL; + enum netr_SchannelType sec_chan_type = 0; +@@ -3459,7 +3459,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx, + struct dcerpc_pipe *p = NULL; + struct dcerpc_binding_handle *b = NULL; + +- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + machine_credentials, &creds)) { + return false; + } +@@ -4398,7 +4398,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, + + torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n"); + +- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + machine_credentials, &creds)) { + return false; + } +@@ -4973,7 +4973,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, + + torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT); + +- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, ++ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, + machine_credentials, &creds)) { + return false; + } +diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c +index 9cd479c9baf..6fc4ed326d2 100644 +--- a/source4/torture/rpc/samba3rpc.c ++++ b/source4/torture/rpc/samba3rpc.c +@@ -1074,7 +1074,7 @@ static bool auth2(struct torture_context *tctx, + goto done; + } + +- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; ++ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; + E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash); + + a.in.server_name = talloc_asprintf( +@@ -1264,10 +1264,19 @@ static bool schan(struct torture_context *tctx, + E_md4hash(cli_credentials_get_password(user_creds), + pinfo.ntpassword.hash); + +- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16); +- + logon.password = &pinfo; + ++ /* ++ * We don't use this here: ++ * ++ * netlogon_creds_encrypt_samlogon_logon(creds_state, ++ * NetlogonInteractiveInformation, ++ * &logon); ++ * ++ * in order to detect bugs ++ */ ++ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16); ++ + r.in.logon_level = NetlogonInteractiveInformation; + r.in.logon = &logon; + r.out.return_authenticator = &return_authenticator; +-- +2.39.0 + + +From 6088b76def86b8f56511707c69b6cdd016722715 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 09:54:17 +0100 +Subject: [PATCH 116/142] CVE-2022-38023 s4:rpc_server/netlogon: split out + dcesrv_netr_ServerAuthenticate3_check_downgrade() + +We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', +which means we'll need the downgrade detection in more places. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++-------- + 1 file changed, 67 insertions(+), 47 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 8084061aabc..6a00fe4efcf 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -128,6 +128,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal + return NT_STATUS_OK; + } + ++static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ struct dcesrv_call_state *dce_call, ++ struct netr_ServerAuthenticate3 *r, ++ struct netlogon_server_pipe_state *pipe_state, ++ uint32_t negotiate_flags, ++ NTSTATUS orig_status) ++{ ++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; ++ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); ++ bool reject_des_client = !allow_nt4_crypto; ++ bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); ++ ++ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { ++ reject_des_client = false; ++ } ++ ++ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { ++ reject_des_client = false; ++ reject_md5_client = false; ++ } ++ ++ if (reject_des_client || reject_md5_client) { ++ /* ++ * Here we match Windows 2012 and return no flags. ++ */ ++ *r->out.negotiate_flags = 0; ++ return NT_STATUS_DOWNGRADE_DETECTED; ++ } ++ ++ /* ++ * This talloc_free is important to prevent re-use of the ++ * challenge. We have to delay it this far due to NETApp ++ * servers per: ++ * https://bugzilla.samba.org/show_bug.cgi?id=11291 ++ */ ++ TALLOC_FREE(pipe_state); ++ ++ /* ++ * At this point we must also cleanup the TDB cache ++ * entry, if we fail the client needs to call ++ * netr_ServerReqChallenge again. ++ * ++ * Note: this handles a non existing record just fine, ++ * the r->in.computer_name might not be the one used ++ * in netr_ServerReqChallenge(), but we are trying to ++ * just tidy up the normal case to prevent re-use. ++ */ ++ schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx, ++ r->in.computer_name); ++ ++ /* ++ * According to Microsoft (see bugid #6099) ++ * Windows 7 looks at the negotiate_flags ++ * returned in this structure *even if the ++ * call fails with access denied! ++ */ ++ *r->out.negotiate_flags = negotiate_flags; ++ ++ return orig_status; ++} ++ + /* + * Do the actual processing of a netr_ServerAuthenticate3 message. + * called from dcesrv_netr_ServerAuthenticate3, which handles the logging. +@@ -155,11 +216,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + "objectSid", "samAccountName", NULL}; + uint32_t server_flags = 0; + uint32_t negotiate_flags = 0; +- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx); +- bool reject_des_client = !allow_nt4_crypto; +- bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx); + + ZERO_STRUCTP(r->out.return_credentials); ++ *r->out.negotiate_flags = 0; + *r->out.rid = 0; + + pipe_state = dcesrv_iface_state_find_conn(dce_call, +@@ -238,52 +297,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + + negotiate_flags = *r->in.negotiate_flags & server_flags; + +- if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { +- reject_des_client = false; +- } +- +- if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { +- reject_des_client = false; +- reject_md5_client = false; +- } +- +- if (reject_des_client || reject_md5_client) { +- /* +- * Here we match Windows 2012 and return no flags. +- */ +- *r->out.negotiate_flags = 0; +- return NT_STATUS_DOWNGRADE_DETECTED; ++ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_OK); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; + } + +- /* +- * This talloc_free is important to prevent re-use of the +- * challenge. We have to delay it this far due to NETApp +- * servers per: +- * https://bugzilla.samba.org/show_bug.cgi?id=11291 +- */ +- TALLOC_FREE(pipe_state); +- +- /* +- * At this point we must also cleanup the TDB cache +- * entry, if we fail the client needs to call +- * netr_ServerReqChallenge again. +- * +- * Note: this handles a non existing record just fine, +- * the r->in.computer_name might not be the one used +- * in netr_ServerReqChallenge(), but we are trying to +- * just tidy up the normal case to prevent re-use. +- */ +- schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx, +- r->in.computer_name); +- +- /* +- * According to Microsoft (see bugid #6099) +- * Windows 7 looks at the negotiate_flags +- * returned in this structure *even if the +- * call fails with access denied! +- */ +- *r->out.negotiate_flags = negotiate_flags; +- + switch (r->in.secure_channel_type) { + case SEC_CHAN_WKSTA: + case SEC_CHAN_DNS_DOMAIN: +-- +2.39.0 + + +From 3e43111a1417414b545fcc46a72e701cf6e71c59 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Thu, 24 Nov 2022 18:26:18 +0100 +Subject: [PATCH 117/142] CVE-2022-38023 docs-xml/smbdotconf: change 'reject + md5 clients' default to yes + +AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, +so there's no reason to allow md5 clients by default. +However some third party domain members may need it. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1) +--- + docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++--- + lib/param/loadparm.c | 1 + + selftest/target/Samba4.pm | 4 ++++ + source3/param/loadparm.c | 1 + + 4 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +index 0bb9f6f6c8e..edcbe02e99a 100644 +--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml ++++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +@@ -7,11 +7,16 @@ + only in 'active directory domain controller' mode), will + reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. + +- You can set this to yes if all domain members support aes. +- This will prevent downgrade attacks. ++ Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows ++ starting with Server 2008R2 and Windows 7, it's available in Samba ++ starting with 4.0, however third party domain members like NetApp ONTAP ++ still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details. ++ ++ The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240 + + This option overrides the 'allow nt4 crypto' option. + + +-no ++yes + +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index dc659a449ea..77a80176f7d 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2790,6 +2790,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); + + lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); ++ lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); + + lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); + +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index 8dad74cae43..7e3d7c9de8e 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -1709,6 +1709,8 @@ sub provision_ad_dc_ntvfs($$) + dsdb password event notification = true + dsdb group change notification = true + ++ reject md5 clients = no ++ + CVE_2020_1472:warn_about_unused_debug_level = 3 + server require schannel:schannel0\$ = no + server require schannel:schannel1\$ = no +@@ -2102,6 +2104,8 @@ sub provision_ad_dc($$$$$$) + lpq cache time = 0 + print notify backchannel = yes + ++ reject md5 clients = no ++ + CVE_2020_1472:warn_about_unused_debug_level = 3 + server require schannel:schannel0\$ = no + server require schannel:schannel1\$ = no +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index fbc987e119a..1cf468b1009 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -659,6 +659,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + Globals.require_strong_key = true; + Globals.reject_md5_servers = true; + Globals.server_schannel = true; ++ Globals.reject_md5_clients = true; + Globals.read_raw = true; + Globals.write_raw = true; + Globals.null_passwords = false; +-- +2.39.0 + + +From 886878d18d22eb4a2f3b63663e0ffe284ed9788b Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 10:31:08 +0100 +Subject: [PATCH 118/142] CVE-2022-38023 s4:rpc_server/netlogon: defer + downgrade check until we found the account in our SAM + +We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', +which means we'll need use the account name from our SAM. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------ + 1 file changed, 53 insertions(+), 23 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 6a00fe4efcf..1c180343252 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -297,13 +297,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + + negotiate_flags = *r->in.negotiate_flags & server_flags; + +- nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( +- dce_call, r, pipe_state, negotiate_flags, +- NT_STATUS_OK); +- if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; +- } +- + switch (r->in.secure_channel_type) { + case SEC_CHAN_WKSTA: + case SEC_CHAN_DNS_DOMAIN: +@@ -312,11 +305,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + case SEC_CHAN_RODC: + break; + case SEC_CHAN_NULL: +- return NT_STATUS_INVALID_PARAMETER; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INVALID_PARAMETER); + default: + DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", + r->in.secure_channel_type)); +- return NT_STATUS_INVALID_PARAMETER; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INVALID_PARAMETER); + } + + sam_ctx = samdb_connect(mem_ctx, +@@ -326,7 +323,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + dce_call->conn->remote_address, + 0); + if (sam_ctx == NULL) { +- return NT_STATUS_INVALID_SYSTEM_SERVICE; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INVALID_SYSTEM_SERVICE); + } + + if (r->in.secure_channel_type == SEC_CHAN_DOMAIN || +@@ -355,16 +354,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + encoded_name = ldb_binary_encode_string(mem_ctx, + r->in.account_name); + if (encoded_name == NULL) { +- return NT_STATUS_NO_MEMORY; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_MEMORY); + } + + len = strlen(encoded_name); + if (len < 2) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + if (require_trailer && encoded_name[len - 1] != trailer) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + encoded_name[len - 1] = '\0'; + +@@ -382,30 +387,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + "but there's no tdo for [%s] => [%s] \n", + log_escape(mem_ctx, r->in.account_name), + encoded_name)); +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ nt_status); + } + + nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx, + &curNtHash, + &prevNtHash); + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { +- return nt_status; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ nt_status); + } + + flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL); + if (flatname == NULL) { +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + *trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname); + if (*trust_account_for_search == NULL) { +- return NT_STATUS_NO_MEMORY; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_MEMORY); + } + } else { + *trust_account_for_search = r->in.account_name; +@@ -420,14 +437,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (num_records == 0) { + DEBUG(3,("Couldn't find user [%s] in samdb.\n", + log_escape(mem_ctx, r->in.account_name))); +- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + if (num_records > 1) { + DEBUG(0,("Found %d records matching user [%s]\n", + num_records, + log_escape(mem_ctx, r->in.account_name))); +- return NT_STATUS_INTERNAL_DB_CORRUPTION; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INTERNAL_DB_CORRUPTION); + } + + *trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0], +@@ -436,9 +457,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (*trust_account_in_db == NULL) { + DEBUG(0,("No samAccountName returned in record matching user [%s]\n", + r->in.account_name)); +- return NT_STATUS_INTERNAL_DB_CORRUPTION; ++ return dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_INTERNAL_DB_CORRUPTION); + } +- ++ ++ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( ++ dce_call, r, pipe_state, negotiate_flags, ++ NT_STATUS_OK); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; ++ } ++ + user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0); + + if (user_account_control & UF_ACCOUNTDISABLE) { +-- +2.39.0 + + +From ed628f5bf355801023c1bb2ac4aabd06c5c878a6 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 13:13:36 +0100 +Subject: [PATCH 119/142] CVE-2022-38023 s4:rpc_server/netlogon: add 'server + reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 + crypto:COMPUTERACCOUNT = yes' + +This makes it more flexible when we change the global default to +'reject md5 servers = yes'. + +'allow nt4 crypto = no' is already the default. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++- + 1 file changed, 55 insertions(+), 3 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 1c180343252..b605daea794 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -133,12 +133,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( + struct netr_ServerAuthenticate3 *r, + struct netlogon_server_pipe_state *pipe_state, + uint32_t negotiate_flags, ++ const char *trust_account_in_db, + NTSTATUS orig_status) + { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; +- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); +- bool reject_des_client = !allow_nt4_crypto; +- bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); ++ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); ++ bool account_allow_nt4_crypto = global_allow_nt4_crypto; ++ const char *explicit_nt4_opt = NULL; ++ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); ++ bool account_reject_md5_client = global_reject_md5_client; ++ const char *explicit_md5_opt = NULL; ++ bool reject_des_client; ++ bool allow_nt4_crypto; ++ bool reject_md5_client; ++ ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ ++ if (trust_account_in_db != NULL) { ++ explicit_nt4_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "allow nt4 crypto", ++ trust_account_in_db); ++ } ++ if (explicit_nt4_opt != NULL) { ++ account_allow_nt4_crypto = lp_bool(explicit_nt4_opt); ++ } ++ allow_nt4_crypto = account_allow_nt4_crypto; ++ if (trust_account_in_db != NULL) { ++ explicit_md5_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server reject md5 schannel", ++ trust_account_in_db); ++ } ++ if (explicit_md5_opt != NULL) { ++ account_reject_md5_client = lp_bool(explicit_md5_opt); ++ } ++ reject_md5_client = account_reject_md5_client; ++ ++ reject_des_client = !allow_nt4_crypto; + + if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { + reject_des_client = false; +@@ -307,12 +343,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + case SEC_CHAN_NULL: + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INVALID_PARAMETER); + default: + DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", + r->in.secure_channel_type)); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INVALID_PARAMETER); + } + +@@ -325,6 +363,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (sam_ctx == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INVALID_SYSTEM_SERVICE); + } + +@@ -356,6 +395,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (encoded_name == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_MEMORY); + } + +@@ -363,12 +403,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (len < 2) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + + if (require_trailer && encoded_name[len - 1] != trailer) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + encoded_name[len - 1] = '\0'; +@@ -389,11 +431,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + encoded_name)); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + nt_status); + } + +@@ -403,11 +447,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + if (!NT_STATUS_IS_OK(nt_status)) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + nt_status); + } + +@@ -415,6 +461,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (flatname == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + +@@ -422,6 +469,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + if (*trust_account_for_search == NULL) { + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_MEMORY); + } + } else { +@@ -439,6 +487,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + log_escape(mem_ctx, r->in.account_name))); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_NO_TRUST_SAM_ACCOUNT); + } + +@@ -448,6 +497,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + log_escape(mem_ctx, r->in.account_name))); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INTERNAL_DB_CORRUPTION); + } + +@@ -459,11 +509,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( + r->in.account_name)); + return dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ NULL, /* trust_account_in_db */ + NT_STATUS_INTERNAL_DB_CORRUPTION); + } + + nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( + dce_call, r, pipe_state, negotiate_flags, ++ *trust_account_in_db, + NT_STATUS_OK); + if (!NT_STATUS_IS_OK(nt_status)) { + return nt_status; +-- +2.39.0 + + +From b15c69701d065504588671187a5cec9eea9dcf57 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 13:31:14 +0100 +Subject: [PATCH 120/142] CVE-2022-38023 docs-xml/smbdotconf: document "allow + nt4 crypto:COMPUTERACCOUNT = no" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b) +--- + docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++- + 1 file changed, 74 insertions(+), 2 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml +index 06afcef73b1..bbd03a42db7 100644 +--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml ++++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml +@@ -1,11 +1,18 @@ + + ++ ++ This option is deprecated and will be removed in future, ++ as it is a security problem if not set to "no" (which will be ++ the hardcoded behavior in future). ++ ++ + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will +- reject clients which does not support NETLOGON_NEG_STRONG_KEYS ++ reject clients which do not support NETLOGON_NEG_STRONG_KEYS + nor NETLOGON_NEG_SUPPORTS_AES. + + This option was added with Samba 4.2.0. It may lock out clients +@@ -18,8 +25,73 @@ + + "allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks. + +- This option is over-ridden by the 'reject md5 clients' option. ++ Avoid using this option! Use explicit 'yes' instead! ++ Which is available with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240 ++ ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'yes' option ++ for the client. The message will indicate ++ the explicit 'yes' ++ line to be added, if the legacy client software requires it. (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ This allows admins to use "yes" only for a short grace period, ++ in order to collect the explicit ++ 'yes' options. ++ ++ This option is over-ridden by the 'yes' option. + + + no + ++ ++ ++ ++ ++ If you still have legacy domain members which required 'allow nt4 crypto = yes', ++ it is possible to specify an explicit exception per computer account ++ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. ++ Note that COMPUTERACCOUNT has to be the sAMAccountName value of ++ the computer account (including the trailing '$' sign). ++ ++ ++ ++ Samba will log a complaint in the log files at log level 0 ++ about the security problem if the option is set to "yes", ++ but the related computer does not require it. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ ++ Samba will log a warning in the log files at log level 5, ++ if a setting is still needed for the specified computer account. ++ ++ ++ ++ See CVE-2022-38023, ++ https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ This option overrides the option. ++ ++ This option is over-ridden by the 'yes' option. ++ ++ ++ allow nt4 crypto:LEGACYCOMPUTER1$ = yes ++ allow nt4 crypto:NASBOX$ = yes ++ allow nt4 crypto:LEGACYCOMPUTER2$ = yes ++ ++ ++ ++ +-- +2.39.0 + + +From bbc9f54fdc1ebbfc0c27b61aff43a63a16aed9d9 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 14:02:11 +0100 +Subject: [PATCH 121/142] CVE-2022-38023 docs-xml/smbdotconf: document "server + reject md5 schannel:COMPUTERACCOUNT" + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1) +--- + docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++- + .../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++- + 2 files changed, 103 insertions(+), 6 deletions(-) + +diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml +index bbd03a42db7..ee63e6cc245 100644 +--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml ++++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml +@@ -45,7 +45,9 @@ + in order to collect the explicit + 'yes' options. + +- This option is over-ridden by the 'yes' option. ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. + + + no +@@ -85,12 +87,19 @@ + + This option overrides the option. + +- This option is over-ridden by the 'yes' option. ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. ++ Which means 'yes' ++ is only useful in combination with 'no' + + + allow nt4 crypto:LEGACYCOMPUTER1$ = yes ++ server reject md5 schannel:LEGACYCOMPUTER1$ = no + allow nt4 crypto:NASBOX$ = yes ++ server reject md5 schannel:NASBOX$ = no + allow nt4 crypto:LEGACYCOMPUTER2$ = yes ++ server reject md5 schannel:LEGACYCOMPUTER2$ = no + + + +diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +index edcbe02e99a..fe7701d9277 100644 +--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml ++++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml +@@ -1,8 +1,15 @@ + + ++ ++ This option is deprecated and will be removed in a future release, ++ as it is a security problem if not set to "yes" (which will be ++ the hardcoded behavior in the future). ++ ++ + This option controls whether the netlogon server (currently + only in 'active directory domain controller' mode), will + reject clients which does not support NETLOGON_NEG_SUPPORTS_AES. +@@ -10,13 +17,94 @@ + Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows + starting with Server 2008R2 and Windows 7, it's available in Samba + starting with 4.0, however third party domain members like NetApp ONTAP +- still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details. ++ still uses RC4 (HMAC-MD5), see ++ https://www.samba.org/samba/security/CVE-2022-38023.html ++ for more details. ++ ++ ++ The default changed from 'no' to 'yes', with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ Avoid using this option! Use an explicit per machine account ++ '' instead! ++ Which is available with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ + +- The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, +- see https://bugzilla.samba.org/show_bug.cgi?id=15240 ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'no' option ++ for the client. The message will indicate ++ the explicit 'no' ++ line to be added, if the legacy client software requires it. (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ + +- This option overrides the 'allow nt4 crypto' option. ++ This allows admins to use "no" only for a short grace period, ++ in order to collect the explicit ++ 'no' options. ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'no'. ++ + + + yes + ++ ++ ++ ++ ++ If you still have legacy domain members or trusted domains, ++ which required "reject md5 clients = no" before, ++ it is possible to specify an explicit exception per computer account ++ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. ++ Note that COMPUTERACCOUNT has to be the sAMAccountName value of ++ the computer account (including the trailing '$' sign). ++ ++ ++ ++ Samba will log a complaint in the log files at log level 0 ++ about the security problem if the option is set to "no", ++ but the related computer does not require it. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ ++ Samba will log a warning in the log files at log level 5 ++ if a setting is still needed for the specified computer account. ++ ++ ++ ++ See CVE-2022-38023, ++ https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ This option overrides the option. ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'no'. ++ ++ ++ ++ server reject md5 schannel:LEGACYCOMPUTER1$ = no ++ server reject md5 schannel:NASBOX$ = no ++ server reject md5 schannel:LEGACYCOMPUTER2$ = no ++ ++ ++ ++ +-- +2.39.0 + + +From 88311bae73bfdd2863ee94f421ef89266bff97f0 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 13:13:36 +0100 +Subject: [PATCH 122/142] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject + md5 servers' and 'allow nt4 crypto' misconfigurations + +This allows the admin to notice what's wrong in order to adjust the +configuration if required. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 121 ++++++++++++++++++ + 1 file changed, 121 insertions(+) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index b605daea794..b93ff08abcd 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -61,10 +61,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + const struct dcesrv_interface *iface) + { + struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; ++ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); ++ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); ++ static bool warned_global_nt4_once = false; ++ static bool warned_global_md5_once = false; + static bool warned_global_schannel_once = false; + ++ if (global_allow_nt4_crypto && !warned_global_nt4_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ D_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'allow nt4 crypto = no' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_nt4_once = true; ++ } ++ ++ if (!global_reject_md5_client && !warned_global_md5_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ D_ERR("CVE-2022-38023: " ++ "Please configure 'reject md5 clients = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_md5_once = true; ++ } ++ + if (!schannel_global_required && !warned_global_schannel_once) { + /* + * We want admins to notice their misconfiguration! +@@ -146,6 +170,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( + bool reject_des_client; + bool allow_nt4_crypto; + bool reject_md5_client; ++ bool need_des = true; ++ bool need_md5 = true; ++ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); + + /* + * We don't use lpcfg_parm_bool(), as we +@@ -177,19 +207,62 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( + reject_des_client = !allow_nt4_crypto; + + if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { ++ need_des = false; + reject_des_client = false; + } + + if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { ++ need_des = false; ++ need_md5 = false; + reject_des_client = false; + reject_md5_client = false; + } + + if (reject_des_client || reject_md5_client) { ++ TALLOC_CTX *frame = talloc_stackframe(); ++ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: " ++ "client_account[%s] computer_name[%s] " ++ "schannel_type[%u] " ++ "client_negotiate_flags[0x%x] " ++ "%s%s%s " ++ "NT_STATUS_DOWNGRADE_DETECTED " ++ "reject_des[%u] reject_md5[%u]\n", ++ log_escape(frame, r->in.account_name), ++ log_escape(frame, r->in.computer_name), ++ r->in.secure_channel_type, ++ (unsigned)*r->in.negotiate_flags, ++ trust_account_in_db ? "real_account[" : "", ++ trust_account_in_db ? trust_account_in_db : "", ++ trust_account_in_db ? "]" : "", ++ reject_des_client, ++ reject_md5_client)); ++ if (trust_account_in_db == NULL) { ++ goto return_downgrade; ++ } ++ ++ if (reject_md5_client && explicit_md5_opt == NULL) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server reject md5 schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ trust_account_in_db)); ++ } ++ if (reject_des_client && explicit_nt4_opt == NULL) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'allow nt4 crypto:%s = yes' " ++ "might be needed for a legacy client.\n", ++ trust_account_in_db)); ++ } ++ ++return_downgrade: + /* + * Here we match Windows 2012 and return no flags. + */ + *r->out.negotiate_flags = 0; ++ TALLOC_FREE(frame); + return NT_STATUS_DOWNGRADE_DETECTED; + } + +@@ -222,6 +295,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( + */ + *r->out.negotiate_flags = negotiate_flags; + ++ if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) { ++ return orig_status; ++ } ++ ++ if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) { ++ D_INFO("CVE-2022-38023: Check if option " ++ "'server reject md5 schannel:%s = yes' not needed!?\n", ++ trust_account_in_db); ++ } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) { ++ D_INFO("CVE-2022-38023: Check if option " ++ "'server reject md5 schannel:%s = no' " ++ "still needed for a legacy client.\n", ++ trust_account_in_db); ++ } else if (need_md5 && explicit_md5_opt == NULL) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server reject md5 schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ trust_account_in_db)); ++ } else if (!account_reject_md5_client && explicit_md5_opt) { ++ DEBUG(CVE_2022_38023_warn_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server reject md5 schannel:%s = no' not needed!?\n", ++ trust_account_in_db)); ++ } ++ ++ if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) { ++ D_INFO("CVE-2022-38023: Check if option " ++ "'allow nt4 crypto:%s = no' not needed!?\n", ++ trust_account_in_db); ++ } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) { ++ D_INFO("CVE-2022-38023: Check if option " ++ "'allow nt4 crypto:%s = yes' " ++ "still needed for a legacy client.\n", ++ trust_account_in_db); ++ } else if (need_des && explicit_nt4_opt == NULL) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'allow nt4 crypto:%s = yes' " ++ "might be needed for a legacy client.\n", ++ trust_account_in_db)); ++ } else if (account_allow_nt4_crypto && explicit_nt4_opt) { ++ DEBUG(CVE_2022_38023_warn_level, ( ++ "CVE-2022-38023: Check if option " ++ "'allow nt4 crypto:%s = yes' not needed!?\n", ++ trust_account_in_db)); ++ } ++ + return orig_status; + } + +-- +2.39.0 + + +From 73230d08dd1ec2390e52b24f0398d328a55e5866 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 14:57:20 +0100 +Subject: [PATCH 123/142] CVE-2022-38023 selftest:Samba4: avoid global 'allow + nt4 crypto = yes' and 'reject md5 clients = no' + +Instead of using the generic deprecated option use the specific +allow nt4 crypto:COMPUTERACCOUNT = yes and +server reject md5 schannel:COMPUTERACCOUNT = no +in order to allow legacy tests for pass. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(backported from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768) +--- + selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++----- + 1 file changed, 53 insertions(+), 7 deletions(-) + +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index 7e3d7c9de8e..aafb9ee14ca 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -1700,7 +1700,6 @@ sub provision_ad_dc_ntvfs($$) + my $extra_conf_options = "netbios aliases = localDC1-a + server services = +winbind -winbindd + ldap server require strong auth = allow_sasl_over_tls +- allow nt4 crypto = yes + raw NTLMv2 auth = yes + lsa over netlogon = yes + rpc server port = 1027 +@@ -1709,9 +1708,19 @@ sub provision_ad_dc_ntvfs($$) + dsdb password event notification = true + dsdb group change notification = true + +- reject md5 clients = no +- + CVE_2020_1472:warn_about_unused_debug_level = 3 ++ CVE_2022_38023:warn_about_unused_debug_level = 3 ++ allow nt4 crypto:torturetest\$ = yes ++ server reject md5 schannel:schannel2\$ = no ++ server reject md5 schannel:schannel3\$ = no ++ server reject md5 schannel:schannel8\$ = no ++ server reject md5 schannel:schannel9\$ = no ++ server reject md5 schannel:torturetest\$ = no ++ server reject md5 schannel:tests4u2proxywk\$ = no ++ server reject md5 schannel:tests4u2selfbdc\$ = no ++ server reject md5 schannel:tests4u2selfwk\$ = no ++ server reject md5 schannel:torturepacbdc\$ = no ++ server reject md5 schannel:torturepacwksta\$ = no + server require schannel:schannel0\$ = no + server require schannel:schannel1\$ = no + server require schannel:schannel2\$ = no +@@ -1770,6 +1779,13 @@ sub provision_fl2000dc($$) + my $extra_conf_options = " + spnego:simulate_w2k=yes + ntlmssp_server:force_old_spnego=yes ++ ++ CVE_2022_38023:warn_about_unused_debug_level = 3 ++ server reject md5 schannel:tests4u2proxywk\$ = no ++ server reject md5 schannel:tests4u2selfbdc\$ = no ++ server reject md5 schannel:tests4u2selfwk\$ = no ++ server reject md5 schannel:torturepacbdc\$ = no ++ server reject md5 schannel:torturepacwksta\$ = no + "; + my $extra_provision_options = ["--use-ntvfs"]; + # This environment uses plain text secrets +@@ -1818,7 +1834,16 @@ sub provision_fl2003dc($$$) + my $extra_conf_options = "allow dns updates = nonsecure and secure + dcesrv:header signing = no + dcesrv:max auth states = 0 +- dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2"; ++ dns forwarder = 127.0.0.$swiface1 127.0.0.$swiface2 ++ ++ CVE_2022_38023:warn_about_unused_debug_level = 3 ++ server reject md5 schannel:tests4u2proxywk\$ = no ++ server reject md5 schannel:tests4u2selfbdc\$ = no ++ server reject md5 schannel:tests4u2selfwk\$ = no ++ server reject md5 schannel:torturepacbdc\$ = no ++ server reject md5 schannel:torturepacwksta\$ = no ++"; ++ + my $extra_provision_options = ["--use-ntvfs"]; + my $ret = $self->provision($prefix, + "domain controller", +@@ -1874,8 +1899,18 @@ sub provision_fl2008r2dc($$$) + my ($self, $prefix, $dcvars) = @_; + + print "PROVISIONING DC WITH FOREST LEVEL 2008r2...\n"; +- my $extra_conf_options = "ldap server require strong auth = no"; ++ my $extra_conf_options = " ++ ldap server require strong auth = no ++ ++ CVE_2022_38023:warn_about_unused_debug_level = 3 ++ server reject md5 schannel:tests4u2proxywk\$ = no ++ server reject md5 schannel:tests4u2selfbdc\$ = no ++ server reject md5 schannel:tests4u2selfwk\$ = no ++ server reject md5 schannel:torturepacbdc\$ = no ++ server reject md5 schannel:torturepacwksta\$ = no ++"; + my $extra_provision_options = ["--use-ntvfs"]; ++ + my $ret = $self->provision($prefix, + "domain controller", + "dc7", +@@ -2104,9 +2139,20 @@ sub provision_ad_dc($$$$$$) + lpq cache time = 0 + print notify backchannel = yes + +- reject md5 clients = no +- + CVE_2020_1472:warn_about_unused_debug_level = 3 ++ CVE_2022_38023:warn_about_unused_debug_level = 3 ++ CVE_2022_38023:error_debug_level = 2 ++ server reject md5 schannel:schannel2\$ = no ++ server reject md5 schannel:schannel3\$ = no ++ server reject md5 schannel:schannel8\$ = no ++ server reject md5 schannel:schannel9\$ = no ++ server reject md5 schannel:torturetest\$ = no ++ server reject md5 schannel:tests4u2proxywk\$ = no ++ server reject md5 schannel:tests4u2selfbdc\$ = no ++ server reject md5 schannel:tests4u2selfwk\$ = no ++ server reject md5 schannel:torturepacbdc\$ = no ++ server reject md5 schannel:torturepacwksta\$ = no ++ server reject md5 schannel:samlogontest\$ = no + server require schannel:schannel0\$ = no + server require schannel:schannel1\$ = no + server require schannel:schannel2\$ = no +-- +2.39.0 + + +From 2efdacb36c42985595284db6db90953feecc6e1a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 16:57:24 +0100 +Subject: [PATCH 124/142] CVE-2022-38023 s4:rpc_server/netlogon: split out + dcesrv_netr_check_schannel() function + +This will allow us to reuse the function in other places. +As it will also get some additional checks soon. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++-------- + 1 file changed, 51 insertions(+), 33 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index b93ff08abcd..94adb74165f 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -845,18 +845,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca + return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); + } + +-/* +- * NOTE: The following functions are nearly identical to the ones available in +- * source3/rpc_server/srv_nelog_nt.c +- * The reason we keep 2 copies is that they use different structures to +- * represent the auth_info and the decrpc pipes. +- */ +-static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, +- TALLOC_CTX *mem_ctx, +- const char *computer_name, +- struct netr_Authenticator *received_authenticator, +- struct netr_Authenticator *return_authenticator, +- struct netlogon_creds_CredentialState **creds_out) ++static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum) + { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + TALLOC_CTX *frame = talloc_stackframe(); +@@ -865,15 +858,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + bool schannel_global_required = (schannel == true); + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; +- struct netlogon_creds_CredentialState *creds = NULL; + int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); + unsigned int dbg_lvl = DBGLVL_DEBUG; +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; +- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +- uint16_t opnum = dce_call->pkt.u.request.opnum; + const char *opname = ""; + const char *reason = ""; + +@@ -881,8 +870,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + opname = ndr_table_netlogon.calls[opnum].name; + } + +- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); +- + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + reason = "WITH SEALED"; +@@ -895,17 +882,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + reason = "WITHOUT"; + } + +- nt_status = schannel_check_creds_state(mem_ctx, +- lp_ctx, +- computer_name, +- received_authenticator, +- return_authenticator, +- &creds); +- if (!NT_STATUS_IS_OK(nt_status)) { +- ZERO_STRUCTP(return_authenticator); +- return nt_status; +- } +- + /* + * We don't use lpcfg_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -945,7 +921,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return nt_status; + } +@@ -979,8 +954,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + "might be needed for a legacy client.\n", + log_escape(frame, creds->account_name))); + } +- TALLOC_FREE(creds); +- ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); + return nt_status; + } +@@ -1024,11 +997,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + ++/* ++ * NOTE: The following functions are nearly identical to the ones available in ++ * source3/rpc_server/srv_nelog_nt.c ++ * The reason we keep 2 copies is that they use different structures to ++ * represent the auth_info and the decrpc pipes. ++ */ ++static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, ++ TALLOC_CTX *mem_ctx, ++ const char *computer_name, ++ struct netr_Authenticator *received_authenticator, ++ struct netr_Authenticator *return_authenticator, ++ struct netlogon_creds_CredentialState **creds_out) ++{ ++ NTSTATUS nt_status; ++ struct netlogon_creds_CredentialState *creds = NULL; ++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; ++ ++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); ++ ++ nt_status = schannel_check_creds_state(mem_ctx, ++ dce_call->conn->dce_ctx->lp_ctx, ++ computer_name, ++ received_authenticator, ++ return_authenticator, ++ &creds); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ ZERO_STRUCTP(return_authenticator); ++ return nt_status; ++ } ++ ++ nt_status = dcesrv_netr_check_schannel(dce_call, ++ creds, ++ auth_type, ++ auth_level, ++ dce_call->pkt.u.request.opnum); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ TALLOC_FREE(creds); ++ ZERO_STRUCTP(return_authenticator); ++ return nt_status; ++ } ++ ++ *creds_out = creds; ++ return NT_STATUS_OK; ++} ++ + /* + Change the machine account password for the currently connected + client. Supplies only the NT#. +-- +2.39.0 + + +From b95d07ebad63544c585a43590bdeaf5247cbaf46 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 17:15:36 +0100 +Subject: [PATCH 125/142] CVE-2022-38023 s4:rpc_server/netlogon: make sure all + dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() + +We'll soon add some additional contraints in dcesrv_netr_check_schannel(), +which are also required for dcesrv_netr_LogonSamLogonEx(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++---- + 1 file changed, 29 insertions(+), 7 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 94adb74165f..f4413d7a03b 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -1408,6 +1408,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL + struct auth_usersupplied_info *user_info = NULL; + NTSTATUS nt_status; + struct tevent_req *subreq = NULL; ++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; ++ ++ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); ++ ++ switch (dce_call->pkt.u.request.opnum) { ++ case NDR_NETR_LOGONSAMLOGON: ++ case NDR_NETR_LOGONSAMLOGONWITHFLAGS: ++ /* ++ * These already called dcesrv_netr_check_schannel() ++ * via dcesrv_netr_creds_server_step_check() ++ */ ++ break; ++ case NDR_NETR_LOGONSAMLOGONEX: ++ default: ++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ ++ nt_status = dcesrv_netr_check_schannel(dce_call, ++ creds, ++ auth_type, ++ auth_level, ++ dce_call->pkt.u.request.opnum); ++ if (!NT_STATUS_IS_OK(nt_status)) { ++ return nt_status; ++ } ++ break; ++ } + + *r->out.authoritative = 1; + +@@ -1739,7 +1768,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply( + static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, + struct netr_LogonSamLogonEx *r) + { +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + struct dcesrv_netr_LogonSamLogon_base_state *state; + NTSTATUS nt_status; + +@@ -1777,12 +1805,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, + return nt_status; + } + +- dcesrv_call_auth_info(dce_call, &auth_type, NULL); +- +- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { +- return NT_STATUS_ACCESS_DENIED; +- } +- + nt_status = dcesrv_netr_LogonSamLogon_base_call(state); + + if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) { +-- +2.39.0 + + +From 5e5019dbdf9b49e07bd5f88bafa7275d5d076166 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 16:53:35 +0100 +Subject: [PATCH 126/142] CVE-2022-38023 docs-xml/smbdotconf: add "server + schannel require seal[:COMPUTERACCOUNT]" options + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470) +--- + .../smbdotconf/security/serverschannel.xml | 43 ++++++- + .../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++ + lib/param/loadparm.c | 1 + + source3/param/loadparm.c | 1 + + 4 files changed, 157 insertions(+), 6 deletions(-) + create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml + +diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml +index 3e66df1c203..42a657912ca 100644 +--- a/docs-xml/smbdotconf/security/serverschannel.xml ++++ b/docs-xml/smbdotconf/security/serverschannel.xml +@@ -12,19 +12,37 @@ + the hardcoded behavior in future). + + +- +- Samba will complain in the log files at log level 0, +- about the security problem if the option is not set to "yes". ++ Avoid using this option! Use explicit 'no' instead! + ++ ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'no' option ++ for the client. The message will indicate ++ the explicit 'no' ++ line to be added, if the legacy client software requires it. (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ + +- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 ++ This allows admins to use "auto" only for a short grace period, ++ in order to collect the explicit ++ 'no' options. + + +- If you still have legacy domain members use the option. ++ ++ See CVE-2020-1472(ZeroLogon), ++ https://bugzilla.samba.org/show_bug.cgi?id=14497. + + + This option is over-ridden by the option. + ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. ++ + + + yes +@@ -48,6 +66,9 @@ + about the security problem if the option is not set to "no", + but the related computer is actually using the netlogon + secure channel (schannel) feature. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). + + + +@@ -56,15 +77,25 @@ + + + +- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 ++ See CVE-2020-1472(ZeroLogon), ++ https://bugzilla.samba.org/show_bug.cgi?id=14497. + + + This option overrides the option. + ++ This option is over-ridden by the effective value of 'yes' from ++ the '' ++ and/or '' options. ++ Which means 'no' ++ is only useful in combination with 'no' ++ + + server require schannel:LEGACYCOMPUTER1$ = no ++ server require schannel seal:LEGACYCOMPUTER1$ = no + server require schannel:NASBOX$ = no ++ server require schannel seal:NASBOX$ = no + server require schannel:LEGACYCOMPUTER2$ = no ++ server require schannel seal:LEGACYCOMPUTER2$ = no + + + +diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml +new file mode 100644 +index 00000000000..d4620d1252d +--- /dev/null ++++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml +@@ -0,0 +1,118 @@ ++ ++ ++ ++ ++ This option is deprecated and will be removed in future, ++ as it is a security problem if not set to "yes" (which will be ++ the hardcoded behavior in future). ++ ++ ++ ++ This option controls whether the netlogon server (currently ++ only in 'active directory domain controller' mode), will ++ reject the usage of netlogon secure channel without privacy/enryption. ++ ++ ++ ++ The option is modelled after the registry key available on Windows. ++ ++ ++ ++ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 ++ ++ ++ ++ Avoid using this option! Use the per computer account specific option ++ '' instead! ++ Which is available with the patches for ++ CVE-2022-38023 ++ see https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ ++ Samba will log an error in the log files at log level 0 ++ if legacy a client is rejected or allowed without an explicit, ++ 'no' option ++ for the client. The message will indicate ++ the explicit 'no' ++ line to be added, if the legacy client software requires it. (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ This allows admins to use "no" only for a short grace period, ++ in order to collect the explicit ++ 'no' options. ++ ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'yes'. ++ ++ ++ ++ This option is over-ridden by the option. ++ ++ ++ ++ ++yes ++ ++ ++ ++ ++ ++ ++ If you still have legacy domain members, which required "server schannel require seal = no" before, ++ it is possible to specify explicit exception per computer account ++ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. ++ Note that COMPUTERACCOUNT has to be the sAMAccountName value of ++ the computer account (including the trailing '$' sign). ++ ++ ++ ++ Samba will log a complaint in the log files at log level 0 ++ about the security problem if the option is set to "no", ++ but the related computer does not require it. ++ (The log level can be adjusted with ++ '1' ++ in order to complain only at a higher log level). ++ ++ ++ ++ Samba will warn in the log files at log level 5, ++ if a setting is still needed for the specified computer account. ++ ++ ++ ++ See CVE-2022-38023, ++ https://bugzilla.samba.org/show_bug.cgi?id=15240. ++ ++ ++ ++ This option overrides the '' option. ++ ++ ++ ++ When set to 'yes' this option overrides the ++ '' and ++ '' options and implies ++ 'yes'. ++ ++ ++ ++ server require schannel seal:LEGACYCOMPUTER1$ = no ++ server require schannel seal:NASBOX$ = no ++ server require schannel seal:LEGACYCOMPUTER2$ = no ++ ++ ++ ++ +diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c +index 77a80176f7d..4b3976ebdb6 100644 +--- a/lib/param/loadparm.c ++++ b/lib/param/loadparm.c +@@ -2790,6 +2790,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) + lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); + + lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); ++ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True"); + lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); + + lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); +diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c +index 1cf468b1009..8dab202fc17 100644 +--- a/source3/param/loadparm.c ++++ b/source3/param/loadparm.c +@@ -659,6 +659,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) + Globals.require_strong_key = true; + Globals.reject_md5_servers = true; + Globals.server_schannel = true; ++ Globals.server_schannel_require_seal = true; + Globals.reject_md5_clients = true; + Globals.read_raw = true; + Globals.write_raw = true; +-- +2.39.0 + + +From 83be39efadc4c4fad4a873e23016e1c5a8d65380 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 2 Dec 2022 14:31:26 +0100 +Subject: [PATCH 127/142] CVE-2022-38023 s4:rpc_server/netlogon: add a per + connection cache to dcesrv_netr_check_schannel() + +It's enough to warn the admin once per connection. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a) +--- + source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++---- + 1 file changed, 153 insertions(+), 40 deletions(-) + +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index f4413d7a03b..474d0806e6b 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -845,23 +845,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca + return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); + } + +-static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, +- const struct netlogon_creds_CredentialState *creds, +- enum dcerpc_AuthType auth_type, +- enum dcerpc_AuthLevel auth_level, +- uint16_t opnum) ++struct dcesrv_netr_check_schannel_state { ++ struct dom_sid account_sid; ++ enum dcerpc_AuthType auth_type; ++ enum dcerpc_AuthLevel auth_level; ++ ++ bool schannel_global_required; ++ bool schannel_required; ++ bool schannel_explicitly_set; ++ ++ NTSTATUS result; ++}; ++ ++static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ struct dcesrv_netr_check_schannel_state **_s) + { + struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; +- TALLOC_CTX *frame = talloc_stackframe(); +- NTSTATUS nt_status; + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; ++#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) ++ struct dcesrv_netr_check_schannel_state *s = NULL; ++ NTSTATUS status; ++ ++ *_s = NULL; ++ ++ s = dcesrv_iface_state_find_conn(dce_call, ++ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, ++ struct dcesrv_netr_check_schannel_state); ++ if (s != NULL) { ++ if (!dom_sid_equal(&s->account_sid, creds->sid)) { ++ goto new_state; ++ } ++ if (s->auth_type != auth_type) { ++ goto new_state; ++ } ++ if (s->auth_level != auth_level) { ++ goto new_state; ++ } ++ ++ *_s = s; ++ return NT_STATUS_OK; ++ } ++ ++new_state: ++ TALLOC_FREE(s); ++ s = talloc_zero(dce_call, ++ struct dcesrv_netr_check_schannel_state); ++ if (s == NULL) { ++ return NT_STATUS_NO_MEMORY; ++ } ++ ++ s->account_sid = *creds->sid; ++ s->auth_type = auth_type; ++ s->auth_level = auth_level; ++ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; ++ ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ explicit_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server require schannel", ++ creds->account_name); ++ if (explicit_opt != NULL) { ++ schannel_required = lp_bool(explicit_opt); ++ } ++ ++ s->schannel_global_required = schannel_global_required; ++ s->schannel_required = schannel_required; ++ s->schannel_explicitly_set = explicit_opt != NULL; ++ ++ status = dcesrv_iface_state_store_conn(dce_call, ++ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, ++ s); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ *_s = s; ++ return NT_STATUS_OK; ++} ++ ++static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, ++ struct dcesrv_netr_check_schannel_state *s, ++ const struct netlogon_creds_CredentialState *creds, ++ uint16_t opnum) ++{ ++ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; + int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ TALLOC_CTX *frame = talloc_stackframe(); + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = ""; + const char *reason = ""; +@@ -870,37 +952,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname = ndr_table_netlogon.calls[opnum].name; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + reason = "WITH SEALED"; +- } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + reason = "WITH SIGNED"; + } else { +- smb_panic("Schannel without SIGN/SEAL"); ++ reason = "WITH INVALID"; ++ dbg_lvl = DBGLVL_ERR; ++ s->result = NT_STATUS_INTERNAL_ERROR; + } + } else { + reason = "WITHOUT"; + } + +- /* +- * We don't use lpcfg_parm_bool(), as we +- * need the explicit_opt pointer in order to +- * adjust the debug messages. +- */ +- explicit_opt = lpcfg_get_parametric(lp_ctx, +- NULL, +- "server require schannel", +- creds->account_name); +- if (explicit_opt != NULL) { +- schannel_required = lp_bool(explicit_opt); ++ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ++ if (!NT_STATUS_IS_OK(s->result)) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ TALLOC_FREE(frame); ++ return s->result; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- nt_status = NT_STATUS_OK; ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ s->result = NT_STATUS_OK; + +- if (explicit_opt != NULL && !schannel_required) { ++ if (s->schannel_explicitly_set && !s->schannel_required) { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); +- } else if (!schannel_required) { ++ } else if (!s->schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } + +@@ -911,9 +999,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), +- nt_errstr(nt_status))); +- +- if (explicit_opt != NULL && !schannel_required) { ++ nt_errstr(s->result))); ++ if (s->schannel_explicitly_set && !s->schannel_required) { + DEBUG(CVE_2020_1472_warn_level, ( + "CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed for '%s'!\n", +@@ -922,13 +1009,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + } + + TALLOC_FREE(frame); +- return nt_status; ++ return s->result; + } + +- if (schannel_required) { +- nt_status = NT_STATUS_ACCESS_DENIED; ++ if (s->schannel_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; + +- if (explicit_opt != NULL) { ++ if (s->schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -941,8 +1028,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), +- nt_errstr(nt_status))); +- if (explicit_opt != NULL) { ++ nt_errstr(s->result))); ++ if (s->schannel_explicitly_set) { + D_NOTICE("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = yes' " + "rejects access for client.\n", +@@ -955,12 +1042,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + log_escape(frame, creds->account_name))); + } + TALLOC_FREE(frame); +- return nt_status; ++ return s->result; + } + +- nt_status = NT_STATUS_OK; ++ s->result = NT_STATUS_OK; + +- if (explicit_opt != NULL) { ++ if (s->schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -973,9 +1060,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), +- nt_errstr(nt_status))); ++ nt_errstr(s->result))); + +- if (explicit_opt != NULL) { ++ if (s->schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " + "still needed for '%s'!\n", +@@ -998,6 +1085,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, + } + + TALLOC_FREE(frame); ++ return s->result; ++} ++ ++static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum) ++{ ++ struct dcesrv_netr_check_schannel_state *s = NULL; ++ NTSTATUS status; ++ ++ status = dcesrv_netr_check_schannel_get_state(dce_call, ++ creds, ++ auth_type, ++ auth_level, ++ &s); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ ++ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); ++ if (!NT_STATUS_IS_OK(status)) { ++ return status; ++ } ++ + return NT_STATUS_OK; + } + +-- +2.39.0 + + +From ef51add9def64d75f17b394924c238fffc81168f Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Fri, 25 Nov 2022 14:05:30 +0100 +Subject: [PATCH 128/142] CVE-2022-38023 s4:rpc_server/netlogon: implement + "server schannel require seal[:COMPUTERACCOUNT]" + +By default we'll now require schannel connections with +privacy/sealing/encryption. + +But we allow exceptions for specific computer/trust accounts. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1) +--- + selftest/target/Samba4.pm | 27 ++ + source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++- + 2 files changed, 270 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm +index aafb9ee14ca..c267b81d865 100755 +--- a/selftest/target/Samba4.pm ++++ b/selftest/target/Samba4.pm +@@ -1734,9 +1734,23 @@ sub provision_ad_dc_ntvfs($$) + server require schannel:schannel10\$ = no + server require schannel:schannel11\$ = no + server require schannel:torturetest\$ = no ++ server schannel require seal:schannel0\$ = no ++ server schannel require seal:schannel1\$ = no ++ server schannel require seal:schannel2\$ = no ++ server schannel require seal:schannel3\$ = no ++ server schannel require seal:schannel4\$ = no ++ server schannel require seal:schannel5\$ = no ++ server schannel require seal:schannel6\$ = no ++ server schannel require seal:schannel7\$ = no ++ server schannel require seal:schannel8\$ = no ++ server schannel require seal:schannel9\$ = no ++ server schannel require seal:schannel10\$ = no ++ server schannel require seal:schannel11\$ = no ++ server schannel require seal:torturetest\$ = no + + # needed for 'samba.tests.auth_log' tests + server require schannel:LOCALDC\$ = no ++ server schannel require seal:LOCALDC\$ = no + "; + my $extra_provision_options = ["--use-ntvfs"]; + my $ret = $self->provision($prefix, +@@ -2166,6 +2180,19 @@ sub provision_ad_dc($$$$$$) + server require schannel:schannel10\$ = no + server require schannel:schannel11\$ = no + server require schannel:torturetest\$ = no ++ server schannel require seal:schannel0\$ = no ++ server schannel require seal:schannel1\$ = no ++ server schannel require seal:schannel2\$ = no ++ server schannel require seal:schannel3\$ = no ++ server schannel require seal:schannel4\$ = no ++ server schannel require seal:schannel5\$ = no ++ server schannel require seal:schannel6\$ = no ++ server schannel require seal:schannel7\$ = no ++ server schannel require seal:schannel8\$ = no ++ server schannel require seal:schannel9\$ = no ++ server schannel require seal:schannel10\$ = no ++ server schannel require seal:schannel11\$ = no ++ server schannel require seal:torturetest\$ = no + + auth event notification = true + dsdb event notification = true +diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c +index 474d0806e6b..343cd53473c 100644 +--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c ++++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c +@@ -65,9 +65,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); + int schannel = lpcfg_server_schannel(lp_ctx); + bool schannel_global_required = (schannel == true); ++ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); + static bool warned_global_nt4_once = false; + static bool warned_global_md5_once = false; + static bool warned_global_schannel_once = false; ++ static bool warned_global_seal_once = false; + + if (global_allow_nt4_crypto && !warned_global_nt4_once) { + /* +@@ -99,6 +101,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context + warned_global_schannel_once = true; + } + ++ if (!global_require_seal && !warned_global_seal_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ D_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'server schannel require seal = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_seal_once = true; ++ } ++ + return dcesrv_interface_bind_reject_connect(context, iface); + } + +@@ -854,6 +866,10 @@ struct dcesrv_netr_check_schannel_state { + bool schannel_required; + bool schannel_explicitly_set; + ++ bool seal_global_required; ++ bool seal_required; ++ bool seal_explicitly_set; ++ + NTSTATUS result; + }; + +@@ -868,6 +884,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d + bool schannel_global_required = (schannel == true); + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; ++ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); ++ bool require_seal = global_require_seal; ++ const char *explicit_seal_opt = NULL; + #define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) + struct dcesrv_netr_check_schannel_state *s = NULL; + NTSTATUS status; +@@ -905,6 +924,19 @@ new_state: + s->auth_level = auth_level; + s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; + ++ /* ++ * We don't use lpcfg_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ explicit_seal_opt = lpcfg_get_parametric(lp_ctx, ++ NULL, ++ "server schannel require seal", ++ creds->account_name); ++ if (explicit_seal_opt != NULL) { ++ require_seal = lp_bool(explicit_seal_opt); ++ } ++ + /* + * We don't use lpcfg_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -922,6 +954,10 @@ new_state: + s->schannel_required = schannel_required; + s->schannel_explicitly_set = explicit_opt != NULL; + ++ s->seal_global_required = global_require_seal; ++ s->seal_required = require_seal; ++ s->seal_explicitly_set = explicit_seal_opt != NULL; ++ + status = dcesrv_iface_state_store_conn(dce_call, + DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, + s); +@@ -943,6 +979,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); + TALLOC_CTX *frame = talloc_stackframe(); + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = ""; +@@ -972,18 +1012,107 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + } + + DEBUG(dbg_lvl, ( +- "CVE-2020-1472(ZeroLogon): " ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ ++ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && ++ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) ++ { ++ s->result = NT_STATUS_OK; ++ ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } else if (!s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " + "%s request (opnum[%u]) %s schannel from " + "client_account[%s] client_computer_name[%s] %s\n", + opname, opnum, reason, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), + nt_errstr(s->result))); ++ ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ if (s->seal_explicitly_set && !s->seal_required) { ++ DEBUG(CVE_2022_38023_warn_level, ( ++ "CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ + TALLOC_FREE(frame); + return s->result; + } + + if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (s->seal_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; ++ ++ if (s->seal_explicitly_set) { ++ dbg_lvl = DBGLVL_NOTICE; ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if (s->seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (s->schannel_explicitly_set && !s->schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ + s->result = NT_STATUS_OK; + + if (s->schannel_explicitly_set && !s->schannel_required) { +@@ -991,6 +1120,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + } else if (!s->schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else if (!s->seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } + + DEBUG(dbg_lvl, ( + "CVE-2020-1472(ZeroLogon): " +@@ -1007,11 +1141,81 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name))); + } ++ if (s->seal_explicitly_set && !s->seal_required) { ++ D_INFO("CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else if (!s->seal_required) { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: " ++ "Please use 'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } + + TALLOC_FREE(frame); + return s->result; + } + ++ if (s->seal_required) { ++ s->result = NT_STATUS_ACCESS_DENIED; ++ ++ if (s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (!s->schannel_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } else if (s->schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(s->result))); ++ if (s->seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (!s->schannel_explicitly_set) { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } else if (s->schannel_required) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server require schannel:%s = yes' " ++ "also rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } ++ TALLOC_FREE(frame); ++ return s->result; ++ } ++ + if (s->schannel_required) { + s->result = NT_STATUS_ACCESS_DENIED; + +@@ -1020,6 +1224,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); + } ++ if (!s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } + + DEBUG(dbg_lvl, ( + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +@@ -1041,12 +1248,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + "might be needed for a legacy client.\n", + log_escape(frame, creds->account_name))); + } ++ if (!s->seal_explicitly_set) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(frame); + return s->result; + } + + s->result = NT_STATUS_OK; + ++ if (s->seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ + if (s->schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +@@ -1062,6 +1282,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca + log_escape(frame, creds->computer_name), + nt_errstr(s->result))); + ++ if (s->seal_explicitly_set) { ++ D_INFO("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Please use " ++ "'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ + if (s->schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " +-- +2.39.0 + + +From fe38dc0186d3505db4c105f78dc46c2270c43240 Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Wed, 30 Nov 2022 15:13:47 +0100 +Subject: [PATCH 129/142] CVE-2022-38023 testparm: warn about server/client + schannel != yes + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e) +--- + source3/utils/testparm.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index c673ef71a92..aa990b729d7 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -522,6 +522,27 @@ static int do_global_checks(void) + ret = 1; + } + ++ if (lp_server_schannel() != true) { /* can be 'auto' */ ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'server schannel = yes' (the default). " ++ "Your server is vulernable to \"ZeroLogon\" " ++ "(CVE-2020-1472)\n" ++ "If required use individual " ++ "'server require schannel:COMPUTERACCOUNT$ = no' " ++ "options\n\n"); ++ } ++ if (lp_client_schannel() != true) { /* can be 'auto' */ ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'client schannel = yes' (the default). " ++ "Your server is vulernable to \"ZeroLogon\" " ++ "(CVE-2020-1472)\n" ++ "If required use individual " ++ "'client schannel:NETBIOSDOMAIN = no' " ++ "options\n\n"); ++ } ++ + return ret; + } + +-- +2.39.0 + + +From c870a61377d0245a3fd25f5d5c8663d965fe469a Mon Sep 17 00:00:00 2001 +From: Stefan Metzmacher +Date: Tue, 6 Dec 2022 13:36:17 +0100 +Subject: [PATCH 130/142] CVE-2022-38023 testparm: warn about unsecure schannel + related options + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Stefan Metzmacher +Reviewed-by: Andrew Bartlett +Reviewed-by: Ralph Boehme +(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb) +--- + source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 61 insertions(+) + +diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c +index aa990b729d7..f9253d323aa 100644 +--- a/source3/utils/testparm.c ++++ b/source3/utils/testparm.c +@@ -532,6 +532,37 @@ static int do_global_checks(void) + "'server require schannel:COMPUTERACCOUNT$ = no' " + "options\n\n"); + } ++ if (lp_allow_nt4_crypto()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'allow nt4 crypto = no' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023 and others!\n" ++ "If required use individual " ++ "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' " ++ "options\n\n"); ++ } ++ if (!lp_reject_md5_clients()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'reject md5 clients = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023!\n" ++ "If required use individual " ++ "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' " ++ "options\n\n"); ++ } ++ if (!lp_server_schannel_require_seal()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'server schannel require seal = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023!\n" ++ "If required use individual " ++ "'server schannel require seal:COMPUTERACCOUNT$ = no' " ++ "options\n\n"); ++ } ++ + if (lp_client_schannel() != true) { /* can be 'auto' */ + fprintf(stderr, + "WARNING: You have not configured " +@@ -542,6 +573,36 @@ static int do_global_checks(void) + "'client schannel:NETBIOSDOMAIN = no' " + "options\n\n"); + } ++ if (!lp_reject_md5_servers()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'reject md5 servers = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023\n" ++ "If required use individual " ++ "'reject md5 servers:NETBIOSDOMAIN = no' " ++ "options\n\n"); ++ } ++ if (!lp_require_strong_key()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'require strong key = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023\n" ++ "If required use individual " ++ "'require strong key:NETBIOSDOMAIN = no' " ++ "options\n\n"); ++ } ++ if (!lp_winbind_sealed_pipes()) { ++ fprintf(stderr, ++ "WARNING: You have not configured " ++ "'winbind sealed pipes = yes' (the default). " ++ "Your server is vulernable to " ++ "CVE-2022-38023\n" ++ "If required use individual " ++ "'winbind sealed pipes:NETBIOSDOMAIN = no' " ++ "options\n\n"); ++ } + + return ret; + } +-- +2.39.0 + + +From 938168a5f7c3225562ed772bf8a9bbecc0badb62 Mon Sep 17 00:00:00 2001 +From: Andreas Schneider +Date: Mon, 12 Sep 2022 16:31:05 +0200 +Subject: [PATCH 131/142] s3:auth: Flush the GETPWSID in memory cache for NTLM + auth + +Example valgrind output: + +==22502== 22,747,002 bytes in 21,049 blocks are possibly lost in loss record 1,075 of 1,075 +==22502== at 0x4C29F73: malloc (vg_replace_malloc.c:309) +==22502== by 0x11D7089C: _talloc_pooled_object (in /usr/lib64/libtalloc.so.2.1.16) +==22502== by 0x9027834: tcopy_passwd (in /usr/lib64/libsmbconf.so.0) +==22502== by 0x6A1E1A3: pdb_copy_sam_account (in /usr/lib64/libsamba-passdb.so.0.27.2) +==22502== by 0x6A28AB7: pdb_getsampwnam (in /usr/lib64/libsamba-passdb.so.0.27.2) +==22502== by 0x65D0BC4: check_sam_security (in /usr/lib64/samba/libauth-samba4.so) +==22502== by 0x65C70F0: ??? (in /usr/lib64/samba/libauth-samba4.so) +==22502== by 0x65C781A: auth_check_ntlm_password (in /usr/lib64/samba/libauth-samba4.so) +==22502== by 0x14E464: ??? (in /usr/sbin/winbindd) +==22502== by 0x151CED: winbind_dual_SamLogon (in /usr/sbin/winbindd) +==22502== by 0x152072: winbindd_dual_pam_auth_crap (in /usr/sbin/winbindd) +==22502== by 0x167DE0: ??? (in /usr/sbin/winbindd) +==22502== by 0x12F29B12: tevent_common_invoke_fd_handler (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F30086: ??? (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x16A243: ??? (in /usr/sbin/winbindd) +==22502== by 0x16AA04: ??? (in /usr/sbin/winbindd) +==22502== by 0x12F29F68: tevent_common_invoke_immediate_handler (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F29F8F: tevent_common_loop_immediate (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F2FE3C: ??? (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F2E056: ??? (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F2925C: _tevent_loop_once (in /usr/lib64/libtevent.so.0.9.39) +==22502== by 0x12F4C7: main (in /usr/sbin/winbindd) + +You can find one for each string in pdb_copy_sam_account(), in total +this already has 67 MB in total for this valgrind run. + +pdb_getsampwnam() -> memcache_add_talloc(NULL, PDB_GETPWSID_CACHE, ...) + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15169 + +Signed-off-by: Andreas Schneider +Reviewed-by: Jeremy Allison + +Autobuild-User(master): Jeremy Allison +Autobuild-Date(master): Fri Sep 16 20:30:31 UTC 2022 on sn-devel-184 + +(cherry picked from commit 9ef2f7345f0d387567fca598cc7008af95598903) +--- + source3/auth/check_samsec.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/source3/auth/check_samsec.c b/source3/auth/check_samsec.c +index 53b6da53dc1..4276c3060ed 100644 +--- a/source3/auth/check_samsec.c ++++ b/source3/auth/check_samsec.c +@@ -24,6 +24,7 @@ + #include "auth.h" + #include "../libcli/auth/libcli_auth.h" + #include "passdb.h" ++#include "lib/util/memcache.h" + + #undef DBGC_CLASS + #define DBGC_CLASS DBGC_AUTH +@@ -487,8 +488,6 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, + nt_status = make_server_info_sam(mem_ctx, sampass, server_info); + unbecome_root(); + +- TALLOC_FREE(sampass); +- + if (!NT_STATUS_IS_OK(nt_status)) { + DEBUG(0,("check_sam_security: make_server_info_sam() failed with '%s'\n", nt_errstr(nt_status))); + goto done; +@@ -507,6 +506,11 @@ NTSTATUS check_sam_security(const DATA_BLOB *challenge, + (*server_info)->nss_token |= user_info->was_mapped; + + done: ++ /* ++ * Always flush the getpwsid cache or this will grow indefinetly for ++ * each NTLM auththentication. ++ */ ++ memcache_flush(NULL, PDB_GETPWSID_CACHE); + TALLOC_FREE(sampass); + data_blob_free(&user_sess_key); + data_blob_free(&lm_sess_key); +-- +2.39.0 + + +From 296612a8c1dda253e1f2c0618f1f8330e2e23b34 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 16:46:15 +0100 +Subject: [PATCH 132/142] CVE-2022-38023 selftest:Samba3: avoid global 'server + schannel = auto' + +Instead of using the generic deprecated option use the specific +server require schannel:COMPUTERACCOUNT = no in order to allow +legacy tests for pass. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +Reviewed-by: Andreas Schneider +(cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc) +--- + selftest/target/Samba3.pm | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 7034127ef0b..0c14f02be11 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -199,7 +199,6 @@ sub setup_nt4_dc + lanman auth = yes + ntlm auth = yes + raw NTLMv2 auth = yes +- server schannel = auto + + rpc_server:epmapper = external + rpc_server:spoolss = external +@@ -213,6 +212,22 @@ sub setup_nt4_dc + rpc_daemon:spoolssd = fork + rpc_daemon:lsasd = fork + rpc_daemon:fssd = fork ++ ++ CVE_2020_1472:warn_about_unused_debug_level = 3 ++ server require schannel:schannel0\$ = no ++ server require schannel:schannel1\$ = no ++ server require schannel:schannel2\$ = no ++ server require schannel:schannel3\$ = no ++ server require schannel:schannel4\$ = no ++ server require schannel:schannel5\$ = no ++ server require schannel:schannel6\$ = no ++ server require schannel:schannel7\$ = no ++ server require schannel:schannel8\$ = no ++ server require schannel:schannel9\$ = no ++ server require schannel:schannel10\$ = no ++ server require schannel:schannel11\$ = no ++ server require schannel:torturetest\$ = no ++ + fss: sequence timeout = 1 + check parent directory delete on close = yes + "; +-- +2.39.0 + + +From 1a90fc7cbc4054f9815ffaca710b5bdba0dffd6f Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 11:33:12 +0100 +Subject: [PATCH 133/142] CVE-2022-38023 s3:rpc_server/netlogon: add + talloc_stackframe() to dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 38 ++++++++++++--------- + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 7f6704adbda..f9b674d0052 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1071,6 +1071,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out) + { ++ TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; +@@ -1092,19 +1093,19 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + + auth_type = p->auth.auth_type; + +- lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); ++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); ++ TALLOC_FREE(frame); + return NT_STATUS_INTERNAL_ERROR; + } + + status = schannel_check_creds_state(mem_ctx, lp_ctx, + computer_name, received_authenticator, + return_authenticator, &creds); +- talloc_unlink(mem_ctx, lp_ctx); +- + if (!NT_STATUS_IS_OK(status)) { + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return status; + } + +@@ -1125,6 +1126,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + if (schannel_required) { + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -1132,13 +1134,15 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' is needed! \n", +- log_escape(mem_ctx, creds->account_name)); ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name)); + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return NT_STATUS_ACCESS_DENIED; + } + +@@ -1157,13 +1161,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) WITH schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -1172,24 +1177,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } else { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " + "'server require schannel:%s = no' might be needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +-- +2.39.0 + + +From d3e503e670501186fcce9702b72cda3b03afc0cf Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 21 Dec 2022 18:17:57 +0100 +Subject: [PATCH 134/142] CVE-2022-38023 s3:rpc_server/netlogon: re-order + checking in netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 40 ++++++++++----------- + 1 file changed, 19 insertions(+), 21 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index f9b674d0052..b42794eea8d 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1123,13 +1123,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + schannel_required = lp_bool(explicit_opt); + } + +- if (schannel_required) { +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (!schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) WITH schannel from " ++ "client_account[%s] client_computer_name[%s]\n", ++ opname, opnum, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } ++ if (explicit_opt != NULL && !schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed!?\n", ++ log_escape(frame, creds->account_name)); + } + ++ *creds_out = creds; ++ TALLOC_FREE(frame); ++ return NT_STATUS_OK; ++ } ++ ++ if (schannel_required) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", +@@ -1156,22 +1170,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + warned_global_once = true; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); +- +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; +- } +- + if (explicit_opt != NULL) { + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " +-- +2.39.0 + + +From 44de3ae0d4b6f1a728124429dfc748c538714a05 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 11:35:57 +0100 +Subject: [PATCH 135/142] CVE-2022-38023 s3:rpc_server/netlogon: improve + CVE-2020-1472(ZeroLogon) debug messages + +In order to avoid generating useless debug messages during make test, +we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' +and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. + +Review with: git show -w + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 149 ++++++++++++++------ + 1 file changed, 109 insertions(+), 40 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index b42794eea8d..1d261c9a639 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1078,9 +1078,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + const char *explicit_opt = NULL; + struct loadparm_context *lp_ctx; + struct netlogon_creds_CredentialState *creds = NULL; ++ int CVE_2020_1472_warn_level = DBGLVL_ERR; ++ int CVE_2020_1472_error_level = DBGLVL_ERR; ++ unsigned int dbg_lvl = DBGLVL_DEBUG; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + uint16_t opnum = p->opnum; + const char *opname = ""; ++ const char *reason = ""; + static bool warned_global_once = false; + + if (creds_out != NULL) { +@@ -1092,6 +1097,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + } + + auth_type = p->auth.auth_type; ++ auth_level = p->auth.auth_level; + + lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); + if (lp_ctx == NULL) { +@@ -1100,6 +1106,23 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + return NT_STATUS_INTERNAL_ERROR; + } + ++ CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ reason = "WITH SEALED"; ++ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ reason = "WITH SIGNED"; ++ } else { ++ smb_panic("Schannel without SIGN/SEAL"); ++ } ++ } else { ++ reason = "WITHOUT"; ++ } ++ + status = schannel_check_creds_state(mem_ctx, lp_ctx, + computer_name, received_authenticator, + return_authenticator, &creds); +@@ -1124,40 +1147,69 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + } + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (!schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); ++ status = NT_STATUS_OK; ++ ++ if (explicit_opt != NULL && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ + if (explicit_opt != NULL && !schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; + TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ return status; + } + + if (schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name)); ++ status = NT_STATUS_ACCESS_DENIED; ++ ++ if (explicit_opt != NULL) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ if (explicit_opt != NULL) { ++ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); +- return NT_STATUS_ACCESS_DENIED; ++ return status; + } + + if (!schannel_global_required && !warned_global_once) { +@@ -1170,26 +1222,43 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + warned_global_once = true; + } + ++ status = NT_STATUS_OK; ++ + if (explicit_opt != NULL) { +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' might be needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ ++ if (explicit_opt != NULL) { ++ D_INFO("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server require schannel:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Please use 'server require schannel:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; +-- +2.39.0 + + +From 7e0bfe3db2b4d274b3bf2e5f011ae8207ce6f4ab Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 21 Dec 2022 18:37:05 +0100 +Subject: [PATCH 136/142] CVE-2022-38023 selftest:Samba3: avoid global 'server + schannel = auto' + +Instead of using the generic deprecated option use the specific +server require schannel:COMPUTERACCOUNT = no in order to allow +legacy tests for pass. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +--- + selftest/target/Samba3.pm | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index 0c14f02be11..e8a4c3bbbb6 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -140,7 +140,7 @@ sub getlog_env_app($$$) + close(LOG); + + return "" if $out eq $title; +- ++ + return $out; + } + +@@ -200,6 +200,21 @@ sub setup_nt4_dc + ntlm auth = yes + raw NTLMv2 auth = yes + ++ CVE_2020_1472:warn_about_unused_debug_level = 3 ++ server require schannel:schannel0\$ = no ++ server require schannel:schannel1\$ = no ++ server require schannel:schannel2\$ = no ++ server require schannel:schannel3\$ = no ++ server require schannel:schannel4\$ = no ++ server require schannel:schannel5\$ = no ++ server require schannel:schannel6\$ = no ++ server require schannel:schannel7\$ = no ++ server require schannel:schannel8\$ = no ++ server require schannel:schannel9\$ = no ++ server require schannel:schannel10\$ = no ++ server require schannel:schannel11\$ = no ++ server require schannel:torturetest\$ = no ++ + rpc_server:epmapper = external + rpc_server:spoolss = external + rpc_server:lsarpc = external +@@ -1588,7 +1603,7 @@ sub provision($$$$$$$$$) + my $nmbdsockdir="$prefix_abs/nmbd"; + unlink($nmbdsockdir); + +- ## ++ ## + ## create the test directory layout + ## + die ("prefix_abs = ''") if $prefix_abs eq ""; +@@ -2393,7 +2408,7 @@ sub provision($$$$$$$$$) + unless (open(PASSWD, ">$nss_wrapper_passwd")) { + warn("Unable to open $nss_wrapper_passwd"); + return undef; +- } ++ } + print PASSWD "nobody:x:$uid_nobody:$gid_nobody:nobody gecos:$prefix_abs:/bin/false + $unix_name:x:$unix_uid:$unix_gids[0]:$unix_name gecos:$prefix_abs:/bin/false + pdbtest:x:$uid_pdbtest:$gid_nogroup:pdbtest gecos:$prefix_abs:/bin/false +-- +2.39.0 + + +From 340bdcc92d979eb67d67e2a2d8056f939a011f37 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 11:42:51 +0100 +Subject: [PATCH 137/142] CVE-2022-38023 s3:rpc_server/netlogon: split out + netr_check_schannel() function + +This will allow us to reuse the function in other places. +As it will also get some additional checks soon. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 107 ++++++++++++-------- + 1 file changed, 62 insertions(+), 45 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 1d261c9a639..eb364eaf29a 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1064,53 +1064,30 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p, + /************************************************************************* + *************************************************************************/ + +-static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, +- TALLOC_CTX *mem_ctx, +- const char *computer_name, +- struct netr_Authenticator *received_authenticator, +- struct netr_Authenticator *return_authenticator, +- struct netlogon_creds_CredentialState **creds_out) ++static NTSTATUS netr_check_schannel(struct pipes_struct *p, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum) + { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; +- struct loadparm_context *lp_ctx; +- struct netlogon_creds_CredentialState *creds = NULL; +- int CVE_2020_1472_warn_level = DBGLVL_ERR; +- int CVE_2020_1472_error_level = DBGLVL_ERR; ++ int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); + unsigned int dbg_lvl = DBGLVL_DEBUG; +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; +- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +- uint16_t opnum = p->opnum; + const char *opname = ""; + const char *reason = ""; + static bool warned_global_once = false; + +- if (creds_out != NULL) { +- *creds_out = NULL; +- } +- + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; + } + +- auth_type = p->auth.auth_type; +- auth_level = p->auth.auth_level; +- +- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DEBUG(0, ("loadparm_init_s3 failed\n")); +- TALLOC_FREE(frame); +- return NT_STATUS_INTERNAL_ERROR; +- } +- +- CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); +- CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); +- + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + reason = "WITH SEALED"; +@@ -1123,15 +1100,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + reason = "WITHOUT"; + } + +- status = schannel_check_creds_state(mem_ctx, lp_ctx, +- computer_name, received_authenticator, +- return_authenticator, &creds); +- if (!NT_STATUS_IS_OK(status)) { +- ZERO_STRUCTP(return_authenticator); +- TALLOC_FREE(frame); +- return status; +- } +- + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -1172,7 +1140,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return status; + } +@@ -1206,8 +1173,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "might be needed for a legacy client.\n", + log_escape(frame, creds->account_name))); + } +- TALLOC_FREE(creds); +- ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); + return status; + } +@@ -1261,11 +1226,63 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + ++static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, ++ TALLOC_CTX *mem_ctx, ++ const char *computer_name, ++ struct netr_Authenticator *received_authenticator, ++ struct netr_Authenticator *return_authenticator, ++ struct netlogon_creds_CredentialState **creds_out) ++{ ++ struct loadparm_context *lp_ctx = NULL; ++ NTSTATUS status; ++ struct netlogon_creds_CredentialState *creds = NULL; ++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; ++ uint16_t opnum = p->opnum; ++ ++ if (creds_out != NULL) { ++ *creds_out = NULL; ++ } ++ ++ auth_type = p->auth.auth_type; ++ auth_level = p->auth.auth_level; ++ ++ lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); ++ if (lp_ctx == NULL) { ++ DEBUG(0, ("loadparm_init_s3 failed\n")); ++ return NT_STATUS_INTERNAL_ERROR; ++ } ++ ++ status = schannel_check_creds_state(mem_ctx, ++ lp_ctx, ++ computer_name, ++ received_authenticator, ++ return_authenticator, ++ &creds); ++ TALLOC_FREE(lp_ctx); ++ if (!NT_STATUS_IS_OK(status)) { ++ ZERO_STRUCTP(return_authenticator); ++ return status; ++ } ++ ++ status = netr_check_schannel(p, ++ creds, ++ auth_type, ++ auth_level, ++ opnum); ++ if (!NT_STATUS_IS_OK(status)) { ++ TALLOC_FREE(creds); ++ ZERO_STRUCTP(return_authenticator); ++ return status; ++ } ++ ++ *creds_out = creds; ++ return NT_STATUS_OK; ++} + + /************************************************************************* + *************************************************************************/ +-- +2.39.0 + + +From 8b52bfc3bb274d7d1607b505c18b4ccafe25cad7 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 09:29:04 +0100 +Subject: [PATCH 138/142] CVE-2022-38023 s3:rpc_server/netlogon: make sure all + dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel() + +We'll soon add some additional contraints in dcesrv_netr_check_schannel(), +which are also required for dcesrv_netr_LogonSamLogonEx(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++++++++++++++++----- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index eb364eaf29a..ca343d3e28a 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1766,6 +1766,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + struct auth_serversupplied_info *server_info = NULL; + struct auth_context *auth_context = NULL; + const char *fn; ++ enum dcerpc_AuthType auth_type = p->auth.auth_type; ++ enum dcerpc_AuthLevel auth_level = p->auth.auth_level; + + #ifdef DEBUG_PASSWORD + logon = netlogon_creds_shallow_copy_logon(p->mem_ctx, +@@ -1779,11 +1781,32 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + switch (p->opnum) { + case NDR_NETR_LOGONSAMLOGON: + fn = "_netr_LogonSamLogon"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONWITHFLAGS: + fn = "_netr_LogonSamLogonWithFlags"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONEX: ++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ ++ status = netr_check_schannel(p, ++ creds, ++ auth_type, ++ auth_level, ++ p->opnum); ++ if (NT_STATUS_IS_ERR(status)) { ++ return status; ++ } ++ + fn = "_netr_LogonSamLogonEx"; + break; + default: +@@ -2123,13 +2146,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, + return status; + } + +- /* Only allow this if the pipe is protected. */ +- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { +- DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", +- get_remote_machine_name() )); +- return NT_STATUS_INVALID_PARAMETER; +- } +- + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); +-- +2.39.0 + + +From 43dca97088ce82a5e346887b8078f346e8249929 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 4 Jan 2023 17:23:41 +0100 +Subject: [PATCH 139/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename + variable + +This will simplify the following changes. + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index ca343d3e28a..5500a421334 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1072,9 +1072,10 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; ++ const char *explicit_opt = NULL; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; +- const char *explicit_opt = NULL; ++ bool schannel_explicitly_set = false; + int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, +@@ -1113,11 +1114,12 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + if (explicit_opt != NULL) { + schannel_required = lp_bool(explicit_opt); + } ++ schannel_explicitly_set = explicit_opt != NULL; + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + status = NT_STATUS_OK; + +- if (explicit_opt != NULL && !schannel_required) { ++ if (schannel_explicitly_set && !schannel_required) { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); + } else if (!schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +@@ -1132,7 +1134,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + +- if (explicit_opt != NULL && !schannel_required) { ++ if (schannel_explicitly_set && !schannel_required) { + DEBUG(CVE_2020_1472_warn_level, ( + "CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed for '%s'!\n", +@@ -1147,7 +1149,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + if (schannel_required) { + status = NT_STATUS_ACCESS_DENIED; + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -1161,7 +1163,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), + nt_errstr(status))); +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + D_NOTICE("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = yes' " + "rejects access for client.\n", +@@ -1189,7 +1191,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + + status = NT_STATUS_OK; + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -1204,7 +1206,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " + "still needed for '%s'!\n", +-- +2.39.0 + + +From 4ae0a15ed4ebde7b1725f9ada406c179de238267 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 4 Jan 2023 17:39:20 +0100 +Subject: [PATCH 140/142] CVE-2022-38023 s3:rpc_server/netlogon: Return error + on invalid auth level + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 5500a421334..fb5a05b75c8 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1071,7 +1071,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + uint16_t opnum) + { + TALLOC_CTX *frame = talloc_stackframe(); +- NTSTATUS status; ++ NTSTATUS status = NT_STATUS_MORE_PROCESSING_REQUIRED; + const char *explicit_opt = NULL; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; +@@ -1095,12 +1095,31 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + reason = "WITH SIGNED"; + } else { +- smb_panic("Schannel without SIGN/SEAL"); ++ reason = "WITH INVALID"; ++ dbg_lvl = DBGLVL_ERR; ++ status = NT_STATUS_INTERNAL_ERROR; + } + } else { + reason = "WITHOUT"; + } + ++ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ++ if (!NT_STATUS_IS_OK(status)) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ TALLOC_FREE(frame); ++ return status; ++ } ++ + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +-- +2.39.0 + + +From f59b49f3c23a9a7879a6975aa77e9cf2560a68be Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 4 Jan 2023 17:42:37 +0100 +Subject: [PATCH 141/142] CVE-2022-38023 s3:rpc_server/netlogon: Rename + variable + +This will simplify the following changes. + +Signed-off-by: Samuel Cabrero +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index fb5a05b75c8..fd128a70c8b 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1083,7 +1083,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = ""; + const char *reason = ""; +- static bool warned_global_once = false; ++ static bool warned_global_schannel_once = false; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; +@@ -1198,14 +1198,14 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + return status; + } + +- if (!schannel_global_required && !warned_global_once) { ++ if (!schannel_global_required && !warned_global_schannel_once) { + /* + * We want admins to notice their misconfiguration! + */ + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Please configure 'server schannel = yes', " + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); +- warned_global_once = true; ++ warned_global_schannel_once = true; + } + + status = NT_STATUS_OK; +-- +2.39.0 + + +From 6b038af7f70f0331d85dac00647cfe8dedefec28 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 4 Jan 2023 17:50:04 +0100 +Subject: [PATCH 142/142] CVE-2022-38023 s3:rpc_server/netlogon: implement + "server schannel require seal[:COMPUTERACCOUNT]" + +By default we'll now require schannel connections with +privacy/sealing/encryption. + +But we allow exceptions for specific computer/trust accounts. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero +--- + selftest/target/Samba3.pm | 14 ++ + source3/rpc_server/netlogon/srv_netlog_nt.c | 237 +++++++++++++++++++- + 2 files changed, 249 insertions(+), 2 deletions(-) + +diff --git a/selftest/target/Samba3.pm b/selftest/target/Samba3.pm +index e8a4c3bbbb6..cf6c38562de 100755 +--- a/selftest/target/Samba3.pm ++++ b/selftest/target/Samba3.pm +@@ -215,6 +215,20 @@ sub setup_nt4_dc + server require schannel:schannel11\$ = no + server require schannel:torturetest\$ = no + ++ server schannel require seal:schannel0\$ = no ++ server schannel require seal:schannel1\$ = no ++ server schannel require seal:schannel2\$ = no ++ server schannel require seal:schannel3\$ = no ++ server schannel require seal:schannel4\$ = no ++ server schannel require seal:schannel5\$ = no ++ server schannel require seal:schannel6\$ = no ++ server schannel require seal:schannel7\$ = no ++ server schannel require seal:schannel8\$ = no ++ server schannel require seal:schannel9\$ = no ++ server schannel require seal:schannel10\$ = no ++ server schannel require seal:schannel11\$ = no ++ server schannel require seal:torturetest\$ = no ++ + rpc_server:epmapper = external + rpc_server:spoolss = external + rpc_server:lsarpc = external +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index fd128a70c8b..38772586d81 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1076,14 +1076,22 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; + bool schannel_explicitly_set = false; ++ bool seal_global_required = (lp_server_schannel_require_seal() == true) ? true:false; ++ bool seal_required = seal_global_required; ++ bool seal_explicitly_set = false; + int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = ""; + const char *reason = ""; + static bool warned_global_schannel_once = false; ++ static bool warned_global_seal_once = false; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; +@@ -1120,6 +1128,20 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + return status; + } + ++ /* ++ * We don't use lp_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM, ++ "server schannel require seal", ++ creds->account_name, ++ NULL); ++ if (explicit_opt != NULL) { ++ seal_required = lp_bool(explicit_opt); ++ } ++ seal_explicitly_set = explicit_opt != NULL; ++ + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -1135,7 +1157,96 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } + schannel_explicitly_set = explicit_opt != NULL; + ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL && ++ auth_level == DCERPC_AUTH_LEVEL_PRIVACY) ++ { ++ status = NT_STATUS_OK; ++ ++ if (schannel_explicitly_set && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ if (seal_explicitly_set && !seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } else if (!seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ ++ if (schannel_explicitly_set && !schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ if (seal_explicitly_set && !seal_required) { ++ DEBUG(CVE_2022_38023_warn_level, ( ++ "CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ TALLOC_FREE(frame); ++ return status; ++ } ++ + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (seal_required) { ++ status = NT_STATUS_ACCESS_DENIED; ++ ++ if (seal_explicitly_set) { ++ dbg_lvl = DBGLVL_NOTICE; ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (schannel_explicitly_set && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ if (seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (schannel_explicitly_set && !schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ TALLOC_FREE(frame); ++ return status; ++ } ++ + status = NT_STATUS_OK; + + if (schannel_explicitly_set && !schannel_required) { +@@ -1143,6 +1254,11 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } else if (!schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ if (seal_explicitly_set && !seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else if (!seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } + + DEBUG(dbg_lvl, ( + "CVE-2020-1472(ZeroLogon): " +@@ -1152,7 +1268,6 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), + nt_errstr(status))); +- + if (schannel_explicitly_set && !schannel_required) { + DEBUG(CVE_2020_1472_warn_level, ( + "CVE-2020-1472(ZeroLogon): " +@@ -1160,7 +1275,77 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name))); + } ++ if (seal_explicitly_set && !seal_required) { ++ D_INFO("CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else if (!seal_required) { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: " ++ "Please use 'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ TALLOC_FREE(frame); ++ return status; ++ } ++ ++ if (seal_required) { ++ status = NT_STATUS_ACCESS_DENIED; + ++ if (seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (!schannel_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } else if (schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ if (seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (!schannel_explicitly_set) { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } else if (schannel_required) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server require schannel:%s = yes' " ++ "also rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } + TALLOC_FREE(frame); + return status; + } +@@ -1173,6 +1358,9 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); + } ++ if (!seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } + + DEBUG(dbg_lvl, ( + "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " +@@ -1194,6 +1382,13 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + "might be needed for a legacy client.\n", + log_escape(frame, creds->account_name))); + } ++ if (!seal_explicitly_set) { ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(frame); + return status; + } +@@ -1208,8 +1403,24 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + warned_global_schannel_once = true; + } + ++ if (!seal_global_required && !warned_global_seal_once) { ++ /* ++ * We want admins to notice their misconfiguration! ++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'server schannel require seal = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_seal_once = true; ++ } ++ + status = NT_STATUS_OK; + ++ if (seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ + if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +@@ -1225,6 +1436,28 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + ++ if (seal_explicitly_set) { ++ D_INFO("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Please use " ++ "'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ + if (schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " +@@ -1248,7 +1481,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } + + TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ return status; + } + + static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, +-- +2.39.0 diff --git a/SPECS/samba.spec b/SPECS/samba.spec index fe0f452..2da3891 100644 --- a/SPECS/samba.spec +++ b/SPECS/samba.spec @@ -6,7 +6,7 @@ # ctdb is enabled by default, you can disable it with: --without clustering %bcond_without clustering -%define main_release 20 +%define main_release 24 %define samba_version 4.10.16 %define talloc_version 2.1.16 @@ -3305,6 +3305,12 @@ rm -rf %{buildroot} %endif # with_clustering_support %changelog +* Fri Jan 20 2023 Andreas Schneider - 4.10.16-24 +- related: #2154364 - Add additional patches for CVE-2022-38023 + +* Wed Dec 21 2022 Andreas Schneider - 4.10.16-23 +- resolves: #2154364 - Fix CVE-2022-38023 + * Tue Aug 30 2022 Andreas Schneider - 4.10.16-20 - resolves: #2119058 - Fix possible segfault in winbind