The Samba-Bugzilla – Attachment 16232 Details for Bug 14497: [CVE-2020-1472] [SECURITY] Samba impact of "ZeroLogon"
[patch] DEFERRED-WIP patch to enforce DCs and trusts to use schannel
0001-CVE-2020-1472-Totally-require-schannel-for-DCs-and-t.patch (text/plain), 2.48 KB, created by Andrew Bartlett on 2020-09-17 04:14:54 UTC
Flags: patch, obsolete
>From 77aa1bdc8e92aa41ccb190c89f1c0b05923da2b8 Mon Sep 17 00:00:00 2001 >From: Andrew Bartlett <abartlet@samba.org> >Date: Thu, 17 Sep 2020 14:39:31 +1200 >Subject: [PATCH] CVE-2020-1472: Totally require schannel for DCs and trusted > domains > >This matches new Microsoft behaviour. > >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++-------- > 1 file changed, 22 insertions(+), 14 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 0007f219b3c..dfb45160f23 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -623,7 +623,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > { > NTSTATUS nt_status; > int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); >- bool schannel_required = (schannel == true); >+ bool schannel_required = true; > struct netlogon_creds_CredentialState *creds = NULL; > enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; > uint16_t opnum = dce_call->pkt.u.request.opnum; 
>@@ -646,19 +646,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > return nt_status; > } > >- schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, >- NULL, >- "server require schannel", >- creds->account_name, >- schannel_required); >- if (schannel_required && schannel != true) { >- /* >- * We want admins to notice there misconfiguration! >- */ >- DBG_ERR("CVE-2020-1472(ZeroLogin): " >- "Please configure 'server schannel = yes' when " >- "using 'server require schannel:%s = yes'\n", >- log_escape(mem_ctx, creds->account_name)); >+ /* >+ * Due to CVE-2020-1472 we must not allow DCs and trusted >+ * domains to be impersonated without schannel >+ */ >+ if (creds->secure_channel_type == SEC_CHAN_WKSTA) { >+ schannel_required = (schannel == true); >+ >+ schannel_required = lpcfg_parm_bool(dce_call->conn->dce_ctx->lp_ctx, >+ NULL, >+ "server require schannel", >+ creds->account_name, >+ schannel_required); >+ if (schannel_required && schannel != true) { >+ /* >+ * We want admins to notice there misconfiguration! >+ */ >+ DBG_ERR("CVE-2020-1472(ZeroLogin): " >+ "Please configure 'server schannel = yes' when " >+ "using 'server require schannel:%s = yes'\n", >+ log_escape(mem_ctx, creds->account_name)); >+ } > } > > if (schannel_required) { >-- >2.25.1 >
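Review bot: The first hunk (line 623) changes the default of `schannel_required` from `(schannel == true)` to an unconditional `true`, which makes `server schannel = no` ineffective for every account whose `secure_channel_type` is anything other than SEC_CHAN_WKSTA, yet the patch carries no smb.conf documentation change for `server schannel` / `server require schannel` and no release-note line. Add a docs-xml update stating that for DC and trust accounts schannel is now mandatory regardless of those settings, and cite the Microsoft enforcement guidance that the commit message only refers to as "new Microsoft behaviour", so a reviewer can verify the claim.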
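Review bot: In the second hunk (line 646) an explicit `server require schannel:<account> = no` configured for a DC or trust account is now ignored without any log output, because the whole `lpcfg_parm_bool()` lookup and the DBG_ERR are moved inside `if (creds->secure_channel_type == SEC_CHAN_WKSTA)`. Consider an `else` branch that still evaluates the per-account override and, when it is set to no, emits a DBG_ERR along the lines of "CVE-2020-1472: 'server require schannel:%s = no' is ignored for DC and trust accounts, schannel is always required", so admins notice that their exception no longer applies. Two small points while the block is being moved: the log prefix reads "ZeroLogin" while the bug title and the CVE's usual name are "ZeroLogon", and "there misconfiguration" should read "their misconfiguration".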