From ec09516d70fc246e3421929709b8e237b0cc9292 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 24 Nov 2016 09:12:59 +0100 Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] data on the wire if the user asked for kerberos only. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 Signed-off-by: Stefan Metzmacher --- source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c index 51e121bdce6b..391ee081fe62 100644 --- a/source4/libcli/smb_composite/sesssetup.c +++ b/source4/libcli/smb_composite/sesssetup.c @@ -622,6 +622,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se NTSTATUS status; enum smb_encryption_setting encryption_state = cli_credentials_get_smb_encryption(io->in.credentials); + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(io->in.credentials); c = composite_create(session, session->transport->ev); if (c == NULL) return NULL; @@ -642,6 +644,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* no session setup at all in earliest protocol varients */ if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } ZERO_STRUCT(io->out); composite_done(c); return c; @@ -649,9 +655,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se /* see what session setup interface we will use */ if (session->transport->negotiate.protocol < PROTOCOL_NT1) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_old(c, session, io, &state->req); } else if (!session->transport->options.use_spnego || !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { + composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return c; + } status = session_setup_nt1(c, session, io, &state->req); } else { struct tevent_req *subreq = NULL; -- 2.25.1 From ce3c5ac242391275b2fcc22c98b5b1797662cdb9 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Thu, 27 Oct 2016 10:40:28 +0200 Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego authentication if we require kerberos We should not send NTLM[v2] nor plaintext data on the wire if the user asked for kerberos only. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 Signed-off-by: Stefan Metzmacher --- source3/libsmb/cliconnect.c | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c index 63c505f8ed5e..d894ef76a36b 100644 --- a/source3/libsmb/cliconnect.c +++ b/source3/libsmb/cliconnect.c @@ -1450,6 +1450,8 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, uint32_t in_sess_key = 0; const char *in_native_os = NULL; const char *in_native_lm = NULL; + enum credentials_use_kerberos krb5_state = + cli_credentials_get_kerberos_state(creds); NTSTATUS status; req = tevent_req_create(mem_ctx, &state, @@ -1491,6 +1493,13 @@ struct tevent_req *cli_session_setup_creds_send(TALLOC_CTX *mem_ctx, return req; } + if (krb5_state == CRED_USE_KERBEROS_REQUIRED) { + DBG_WARNING("Kerberos authentication requested, but " + "the server does not support SPNEGO authentication\n"); + tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); + return tevent_req_post(req, ev); + } + if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) { /* * SessionSetupAndX was introduced by LANMAN 1.0. So we skip -- 2.25.1