The Samba-Bugzilla – Attachment 12708 Details for
Bug 12445
[SECURITY] CVE-2016-2125: don't send delegated credentials to all servers
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
CVE-2016-2125-master.metze01.txt
CVE-2016-2125-master.metze01.txt (text/plain), 3.71 KB, created by
Stefan Metzmacher
on 2016-12-02 15:26:38 UTC
(
hide
)
Description:
CVE-2016-2125-master.metze01.txt
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2016-12-02 15:26:38 UTC
Size:
3.71 KB
patch
obsolete
>From 29a15e6c5c26006987b499b11c40ddaa75287c95 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 23 Nov 2016 11:41:10 +0100 >Subject: [PATCH 1/3] CVE-2016-2125: s4:scripting: don't use GSS_C_DELEG_FLAG > in nsupdate-gss > >This is just an example script that's not directly used by samba, >but we should avoid sending delegated credentials to dns servers. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Simo Sorce <idra@samba.org> >--- > source4/scripting/bin/nsupdate-gss | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/scripting/bin/nsupdate-gss b/source4/scripting/bin/nsupdate-gss >index dec5916..509220d 100755 >--- a/source4/scripting/bin/nsupdate-gss >+++ b/source4/scripting/bin/nsupdate-gss >@@ -178,7 +178,7 @@ sub negotiate_tkey($$$$) > my $flags = > GSS_C_REPLAY_FLAG | GSS_C_MUTUAL_FLAG | > GSS_C_SEQUENCE_FLAG | GSS_C_CONF_FLAG | >- GSS_C_INTEG_FLAG | GSS_C_DELEG_FLAG; >+ GSS_C_INTEG_FLAG; > > > $status = GSSAPI::Cred::acquire_cred(undef, 120, undef, GSS_C_INITIATE, >-- >1.9.1 > > >From d9f460fe91ff37ef59c4b5dc45f7b4d6c086b979 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 23 Nov 2016 11:42:59 +0100 >Subject: [PATCH 2/3] CVE-2016-2125: s3:gse: avoid using GSS_C_DELEG_FLAG > >We should only use GSS_C_DELEG_POLICY_FLAG in order to let >the KDC decide if we should send delegated credentials to >a remote server. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Simo Sorce <idra@samba.org> >--- > source3/librpc/crypto/gse.c | 1 - > 1 file changed, 1 deletion(-) > >diff --git a/source3/librpc/crypto/gse.c b/source3/librpc/crypto/gse.c >index d0ae53c..e4ceed1 100644 >--- a/source3/librpc/crypto/gse.c >+++ b/source3/librpc/crypto/gse.c >@@ -142,7 +142,6 @@ static NTSTATUS gse_context_init(TALLOC_CTX *mem_ctx, > memcpy(&gse_ctx->gss_mech, gss_mech_krb5, sizeof(gss_OID_desc)); > > gse_ctx->gss_want_flags = GSS_C_MUTUAL_FLAG | >- GSS_C_DELEG_FLAG | > GSS_C_DELEG_POLICY_FLAG | > GSS_C_REPLAY_FLAG | > GSS_C_SEQUENCE_FLAG; >-- >1.9.1 > > >From 50a46dc040281bd6a206cdd9e189bbaed66691f4 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 23 Nov 2016 11:44:22 +0100 >Subject: [PATCH 3/3] CVE-2016-2125: s4:gensec_gssapi: don't use > GSS_C_DELEG_FLAG by default > >This disabled the usage of GSS_C_DELEG_FLAG by default, as >GSS_C_DELEG_POLICY_FLAG is still used by default we let the >KDC decide if we should send delegated credentials to a remote server. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12445 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Alexander Bokovoy <ab@samba.org> >Reviewed-by: Simo Sorce <idra@samba.org> >--- > source4/auth/gensec/gensec_gssapi.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > >diff --git a/source4/auth/gensec/gensec_gssapi.c b/source4/auth/gensec/gensec_gssapi.c >index 18bb011..a37a0a9 100644 >--- a/source4/auth/gensec/gensec_gssapi.c >+++ b/source4/auth/gensec/gensec_gssapi.c >@@ -115,7 +115,7 @@ static NTSTATUS gensec_gssapi_start(struct gensec_security *gensec_security) > if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "mutual", true)) { > gensec_gssapi_state->gss_want_flags |= GSS_C_MUTUAL_FLAG; > } >- if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", true)) { >+ if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "delegation", false)) { > gensec_gssapi_state->gss_want_flags |= GSS_C_DELEG_FLAG; > } > if (gensec_setting_bool(gensec_security->settings, "gensec_gssapi", "replay", true)) { >-- >1.9.1 >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=12708">View the attachment on a separate page</a>.</b>
View Attachment As Raw
Flags:
abartlet
:
review+
jra
:
review+
Actions:
View
Attachments on
bug 12445
:
12707
| 12708 |
12709
|
12710
|
12711
|
12730
|
12732
|
12733
|
12735
|
12736
|
12737
|
12739
|
12766
|
12772