The Samba-Bugzilla – Attachment 16938 Details for
Bug 12444
[SECURITY] CVE-2016-2124: don't fallback to non spnego authentication if we require kerberos in Samba client
[patch]
backport for 4.4
CVE-2016-2124-4.4.patch (text/plain), 4.56 KB, created by Noel Power on 2021-11-03 16:46:45 UTC
>From de9282eacc16227d64f7a3ee421fa6c9cf6cfefa Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 24 Nov 2016 09:12:59 +0100 >Subject: [PATCH 1/2] CVE-2016-2124: s4:libcli/sesssetup: don't fallback to non > spnego authentication if we require kerberos > >We should not send NTLM[v2] data on the wire if the user asked for kerberos >only. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source4/libcli/smb_composite/sesssetup.c | 14 ++++++++++++++ > 1 file changed, 14 insertions(+) > >diff --git a/source4/libcli/smb_composite/sesssetup.c b/source4/libcli/smb_composite/sesssetup.c >index 9f989f21f2c..f2dbcd59b0d 100644 >--- a/source4/libcli/smb_composite/sesssetup.c >+++ b/source4/libcli/smb_composite/sesssetup.c >@@ -595,6 +595,8 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se > struct composite_context *c; > struct sesssetup_state *state; > NTSTATUS status; >+ enum credentials_use_kerberos krb5_state = >+ cli_credentials_get_kerberos_state(io->in.credentials); > > c = composite_create(session, session->transport->ev); > if (c == NULL) return NULL; >@@ -609,6 +611,10 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se > > /* no session setup at all in earliest protocol varients */ > if (session->transport->negotiate.protocol < PROTOCOL_LANMAN1) { >+ if (krb5_state == CRED_MUST_USE_KERBEROS) { >+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); >+ return c; >+ } > ZERO_STRUCT(io->out); > composite_done(c); > return c; 
>@@ -616,9 +622,17 @@ struct composite_context *smb_composite_sesssetup_send(struct smbcli_session *se > > /* see what session setup interface we will use */ > if (session->transport->negotiate.protocol < PROTOCOL_NT1) { >+ if (krb5_state == CRED_MUST_USE_KERBEROS) { >+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); >+ return c; >+ } > status = session_setup_old(c, session, io, &state->req); > } else if (!session->transport->options.use_spnego || > !(io->in.capabilities & CAP_EXTENDED_SECURITY)) { >+ if (krb5_state == CRED_MUST_USE_KERBEROS) { >+ composite_error(c, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); >+ return c; >+ } > status = session_setup_nt1(c, session, io, &state->req); > } else { > status = session_setup_spnego(c, session, io, &state->req); >-- >2.31.1 > > >From 240f4a0ea03be484db6878355a537f494a98fb0b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 27 Oct 2016 10:40:28 +0200 >Subject: [PATCH 2/2] CVE-2016-2124: s3:libsmb: don't fallback to non spnego > authentication if we require kerberos > >We should not send NTLM[v2] nor plaintext data on the wire if the user >asked for kerberos only. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=12444 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >--- > source3/libsmb/cliconnect.c | 26 +++++++++++++++++++++++++- > 1 file changed, 25 insertions(+), 1 deletion(-) > >diff --git a/source3/libsmb/cliconnect.c b/source3/libsmb/cliconnect.c >index 33759d9d87b..b472062b8bb 100644 >--- a/source3/libsmb/cliconnect.c >+++ b/source3/libsmb/cliconnect.c 
>@@ -2050,7 +2050,15 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, > } > > if (smbXcli_conn_protocol(cli->conn) < PROTOCOL_LANMAN1) { >- tevent_req_done(req); >+ if (cli->use_kerberos) { >+ DEBUG(1,("Kerberos authentication requested, but " >+ "the server does not support SPNEGO " >+ "authentication\n")); >+ tevent_req_nterror(req, >+ NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); >+ } else { >+ tevent_req_done(req); >+ } > return tevent_req_post(req, ev); > } > >@@ -2076,6 +2084,15 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, > return tevent_req_post(req, ev); > } > >+ if (cli->use_kerberos) { >+ DEBUG(1,("Kerberos authentication requested, but " >+ "the server does not support SPNEGO " >+ "authentication\n")); >+ tevent_req_nterror(req, >+ NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); >+ return tevent_req_post(req, ev); >+ } >+ > subreq = cli_session_setup_lanman2_send( > state, ev, cli, user, pass, passlen, workgroup); > if (tevent_req_nomem(subreq, req)) { >@@ -2112,6 +2129,13 @@ struct tevent_req *cli_session_setup_send(TALLOC_CTX *mem_ctx, > return req; > } > >+ if (cli->use_kerberos) { >+ DEBUG(1,("Kerberos authentication requested, but " >+ "the server does not support SPNEGO " >+ "authentication\n")); >+ tevent_req_nterror(req, NT_STATUS_NETWORK_CREDENTIAL_CONFLICT); >+ return tevent_req_post(req, ev); >+ } > /* if no user is supplied then we have to do an anonymous connection. > passwords are ignored */ > >-- >2.31.1 >
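Review bot: In PATCH 1/2, the hunk at @@ -595 of source4/libcli/smb_composite/sesssetup.c calls cli_credentials_get_kerberos_state(io->in.credentials) in the declaration initializer, before composite_create() and before anything visible in the hunk has validated io->in.credentials. If any caller can reach smb_composite_sesssetup_send() without credentials set, this relies on the getter tolerating NULL. Please confirm that, or move the assignment below the early setup where it can be guarded.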
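Review bot: In PATCH 1/2, the hunk at @@ -616 adds the same three-line "if (krb5_state == CRED_MUST_USE_KERBEROS)" check twice, before session_setup_old() and before session_setup_nt1(), on top of the copy already added in the LANMAN1 branch above. A later non-SPNEGO branch could easily be added without it. Consider deciding once whether the request will reach session_setup_spnego() and failing in a single place otherwise. Unlike PATCH 2/2, nothing is logged here, so the caller only sees NT_STATUS_NETWORK_CREDENTIAL_CONFLICT with no hint that the Kerberos-only requirement caused it.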
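Review bot: In PATCH 2/2, the hunk at @@ -2050 of source3/libsmb/cliconnect.c tests the boolean cli->use_kerberos, while PATCH 1/2 tests the explicit CRED_MUST_USE_KERBEROS state and the commit message says "asked for kerberos only". Please confirm that cli->use_kerberos really means Kerberos is required rather than merely requested, otherwise this rejects connections that were allowed to use another mechanism. The DEBUG text "the server does not support SPNEGO authentication" is also imprecise in this branch, since protocols below PROTOCOL_LANMAN1 have no session setup at all.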
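Review bot: In PATCH 2/2, the hunk at @@ -2112 places the cli->use_kerberos check directly above the comment "if no user is supplied then we have to do an anonymous connection", with no blank line, so the comment now reads as if it described the new block, and anonymous connections are rejected as well whenever use_kerberos is set. If that is intended, say so in a short comment on the new block and separate it from the existing one. The same DEBUG plus tevent_req_nterror() sequence now appears three times in cli_session_setup_send(); a small helper would keep the message and status code in one place.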
Flags: asn: review-