The Samba-Bugzilla – Attachment 17698 Details for
Bug 15240
CVE-2022-38023 [SECURITY] Samba should refuse RC4 (aka md5) based SChannel on NETLOGON
Home
|
New
|
Browse
|
Search
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
bfixes-CVE-2022-38023-v4-15.txt
bfixes-CVE-2022-38023-v4-15.txt (text/plain), 160.40 KB, created by
Stefan Metzmacher
on 2022-12-13 23:55:44 UTC
(
hide
)
Description:
bfixes-CVE-2022-38023-v4-15.txt
Filename:
MIME Type:
Creator:
Stefan Metzmacher
Created:
2022-12-13 23:55:44 UTC
Size:
160.40 KB
patch
obsolete
>From 1040fa4c23509234af5ca5bf4c190c80183d39b4 Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Tue, 6 Dec 2022 16:00:36 +0100 >Subject: [PATCH 01/29] CVE-2022-38023 docs-xml: improve wording for several > options: "takes precedence" -> "overrides" > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9) >--- > docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +- > docs-xml/smbdotconf/security/serverschannel.xml | 2 +- > docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +- > docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- > 4 files changed, 4 insertions(+), 4 deletions(-) > >diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml >index 41684ef10805..0bb9f6f6c8ec 100644 >--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml >+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml >@@ -10,7 +10,7 @@ > <para>You can set this to yes if all domain members support aes. > This will prevent downgrade attacks.</para> > >- <para>This option takes precedence to the 'allow nt4 crypto' option.</para> >+ <para>This option overrides the 'allow nt4 crypto' option.</para> > </description> > > <value type="default">no</value> >diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml >index b682d086f76b..79e4e73a95c9 100644 >--- a/docs-xml/smbdotconf/security/serverschannel.xml >+++ b/docs-xml/smbdotconf/security/serverschannel.xml >@@ -59,7 +59,7 @@ > See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 > </para> > >- <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para> >+ <para>This option overrides the <smbconfoption name="server schannel"/> option.</para> > > <programlisting> > server require schannel:LEGACYCOMPUTER1$ = no >diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml >index 37656293aa47..151b4676c57b 100644 >--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml >+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml >@@ -15,7 +15,7 @@ > <para>The behavior can be controlled per netbios domain > by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para> > >- <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para> >+ <para>This option overrides the <smbconfoption name="require strong key"/> option.</para> > </description> > > <value type="default">no</value> >diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml >index 4db62bfb02db..b17620ec8f1d 100644 >--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml >+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml >@@ -19,7 +19,7 @@ > > <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para> > >- <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para> >+ <para>This option overrides the <smbconfoption name="client schannel"/> option.</para> > </description> > > <value type="default">yes</value> >-- >2.34.1 > > >From ddafd6dc7706e74e74ce96039ac8006b9b2e05ad Mon Sep 17 00:00:00 2001 >From: Ralph Boehme <slow@samba.org> >Date: Tue, 6 Dec 2022 16:05:26 +0100 >Subject: [PATCH 02/29] CVE-2022-38023 docs-xml: improve wording for several > options: "yields precedence" -> "is over-riden" > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Ralph Boehme <slow@samba.org> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251) >--- > docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +- > docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +- > docs-xml/smbdotconf/security/clientschannel.xml | 2 +- > docs-xml/smbdotconf/security/serverschannel.xml | 2 +- > docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +- > 5 files changed, 5 insertions(+), 5 deletions(-) > >diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml >index 03dc8fa93f72..06afcef73b1b 100644 >--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml >+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml >@@ -18,7 +18,7 @@ > > <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para> > >- <para>This option yields precedence to the 'reject md5 clients' option.</para> >+ <para>This option is over-ridden by the 'reject md5 clients' option.</para> > </description> > > <value type="default">no</value> >diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml >index 03531adbfb36..8bccab391cc2 100644 >--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml >+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml >@@ -15,7 +15,7 @@ > <para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc, > winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para> > >- <para>This option yields precedence to the implementation specific restrictions. >+ <para>This option is over-ridden by the implementation specific restrictions. > E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY. > The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY. > </para> >diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml >index 5b07da95050c..d124ad481818 100644 >--- a/docs-xml/smbdotconf/security/clientschannel.xml >+++ b/docs-xml/smbdotconf/security/clientschannel.xml >@@ -23,7 +23,7 @@ > <para>Note that for active directory domains this is hardcoded to > <smbconfoption name="client schannel">yes</smbconfoption>.</para> > >- <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para> >+ <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para> > </description> > <value type="default">yes</value> > <value type="example">auto</value> >diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml >index 79e4e73a95c9..3e66df1c2032 100644 >--- a/docs-xml/smbdotconf/security/serverschannel.xml >+++ b/docs-xml/smbdotconf/security/serverschannel.xml >@@ -23,7 +23,7 @@ > <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option. > </para> > >- <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> >+ <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> > > </description> > >diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml >index b17620ec8f1d..9c1c1d7af148 100644 >--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml >+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml >@@ -17,7 +17,7 @@ > > <para>Note for active directory domain this option is hardcoded to 'yes'</para> > >- <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para> >+ <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para> > > <para>This option overrides the <smbconfoption name="client schannel"/> option.</para> > </description> >-- >2.34.1 > > >From deffd8ea00fecbbf61c4a26279176fe0ae3fe438 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 14:46:59 +0100 >Subject: [PATCH 03/29] CVE-2022-38023 libcli/auth: pass lp_ctx to > netlogon_creds_cli_set_global_db() > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209) >--- > libcli/auth/netlogon_creds_cli.c | 3 ++- > libcli/auth/netlogon_creds_cli.h | 2 +- > source3/rpc_client/cli_netlogon.c | 2 +- > source3/utils/destroy_netlogon_creds_cli.c | 2 +- > 4 files changed, 5 insertions(+), 4 deletions(-) > >diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c >index b23dddc21be0..f8b7bc2133ed 100644 >--- a/libcli/auth/netlogon_creds_cli.c >+++ b/libcli/auth/netlogon_creds_cli.c >@@ -201,7 +201,8 @@ static NTSTATUS netlogon_creds_cli_context_common( > > static struct db_context *netlogon_creds_cli_global_db; > >-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db) >+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, >+ struct db_context **db) > { > if (netlogon_creds_cli_global_db != NULL) { > return NT_STATUS_INVALID_PARAMETER_MIX; >diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h >index 7fb41872c36c..3e401dabe9c3 100644 >--- a/libcli/auth/netlogon_creds_cli.h >+++ b/libcli/auth/netlogon_creds_cli.h >@@ -31,7 +31,7 @@ struct messaging_context; > struct dcerpc_binding_handle; > struct db_context; > >-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db); >+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db); > NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); > void netlogon_creds_cli_close_global_db(void); > >diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c >index 50dae9d7f3eb..18664e8b91af 100644 >--- a/source3/rpc_client/cli_netlogon.c >+++ b/source3/rpc_client/cli_netlogon.c >@@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void) > return NT_STATUS_NO_MEMORY; > } > >- status = netlogon_creds_cli_set_global_db(&global_db); >+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); > TALLOC_FREE(frame); > if (!NT_STATUS_IS_OK(status)) { > return status; >diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c >index f28cad527dfb..a2e1952e434c 100644 >--- a/source3/utils/destroy_netlogon_creds_cli.c >+++ b/source3/utils/destroy_netlogon_creds_cli.c >@@ -82,7 +82,7 @@ int main(int argc, const char *argv[]) > goto done; > } > >- status = netlogon_creds_cli_set_global_db(&global_db); >+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db); > if (!NT_STATUS_IS_OK(status)) { > fprintf(stderr, > "netlogon_creds_cli_set_global_db failed: %s\n", >-- >2.34.1 > > >From ae1f4644245237fe76bb162af8e95c42903e4eca Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 14:47:33 +0100 >Subject: [PATCH 04/29] CVE-2022-38023 libcli/auth: add/use > netlogon_creds_cli_warn_options() > >This warns the admin about insecure options > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> > >(similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800) >[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to > getpid()] >--- > libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++ > libcli/auth/netlogon_creds_cli.h | 2 + > 2 files changed, 68 insertions(+) > >diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c >index f8b7bc2133ed..3c3908ea735b 100644 >--- a/libcli/auth/netlogon_creds_cli.c >+++ b/libcli/auth/netlogon_creds_cli.c >@@ -204,6 +204,8 @@ static struct db_context *netlogon_creds_cli_global_db; > NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, > struct db_context **db) > { >+ netlogon_creds_cli_warn_options(lp_ctx); >+ > if (netlogon_creds_cli_global_db != NULL) { > return NT_STATUS_INVALID_PARAMETER_MIX; > } >@@ -218,6 +220,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx) > struct db_context *global_db; > int hash_size, tdb_flags; > >+ netlogon_creds_cli_warn_options(lp_ctx); >+ > if (netlogon_creds_cli_global_db != NULL) { > return NT_STATUS_OK; > } >@@ -258,6 +262,68 @@ void netlogon_creds_cli_close_global_db(void) > TALLOC_FREE(netlogon_creds_cli_global_db); > } > >+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) >+{ >+ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx); >+ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx); >+ int global_client_schannel = lpcfg_client_schannel(lp_ctx); >+ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx); >+ static bool warned_global_reject_md5_servers = false; >+ static bool warned_global_require_strong_key = false; >+ static bool warned_global_client_schannel = false; >+ static bool warned_global_seal_secure_channel = false; >+ static int warned_global_pid = 0; >+ int current_pid = getpid(); >+ >+ if (warned_global_pid != current_pid) { >+ warned_global_reject_md5_servers = false; >+ warned_global_require_strong_key = false; >+ warned_global_client_schannel = false; >+ warned_global_seal_secure_channel = false; >+ warned_global_pid = current_pid; >+ } >+ >+ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ DBG_ERR("CVE-2022-38023 (and others): " >+ "Please configure 'reject md5 servers = yes' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); >+ warned_global_reject_md5_servers = true; >+ } >+ >+ if (!global_require_strong_key && !warned_global_require_strong_key) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ DBG_ERR("CVE-2022-38023 (and others): " >+ "Please configure 'require strong key = yes' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); >+ warned_global_require_strong_key = true; >+ } >+ >+ if (global_client_schannel != true && !warned_global_client_schannel) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ DBG_ERR("CVE-2022-38023 (and others): " >+ "Please configure 'client schannel = yes' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); >+ warned_global_client_schannel = true; >+ } >+ >+ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ DBG_ERR("CVE-2022-38023 (and others): " >+ "Please configure 'winbind sealed pipes = yes' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); >+ warned_global_seal_secure_channel = true; >+ } >+} >+ > NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, > struct messaging_context *msg_ctx, > const char *client_account, >diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h >index 3e401dabe9c3..fed3e77fa58a 100644 >--- a/libcli/auth/netlogon_creds_cli.h >+++ b/libcli/auth/netlogon_creds_cli.h >@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc > NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx); > void netlogon_creds_cli_close_global_db(void); > >+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx); >+ > NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, > struct messaging_context *msg_ctx, > const char *client_account, >-- >2.34.1 > > >From 4dc0b8d0a89b0aea865f8508ca3f0d68f50c6f12 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 16:16:05 +0100 >Subject: [PATCH 05/29] CVE-2022-38023 s3:net: add and use > net_warn_member_options() helper > >This makes sure domain member related 'net' commands print warnings >about unsecure smb.conf options. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a) >--- > source3/utils/net.c | 6 ++++++ > source3/utils/net_ads.c | 14 ++++++++++++++ > source3/utils/net_dom.c | 2 ++ > source3/utils/net_join.c | 2 ++ > source3/utils/net_offlinejoin.c | 2 ++ > source3/utils/net_proto.h | 2 ++ > source3/utils/net_rpc.c | 10 ++++++++++ > source3/utils/net_util.c | 14 ++++++++++++++ > 8 files changed, 52 insertions(+) > >diff --git a/source3/utils/net.c b/source3/utils/net.c >index e1e14743c117..b96d7f5d9d48 100644 >--- a/source3/utils/net.c >+++ b/source3/utils/net.c >@@ -85,6 +85,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param) > > static int net_changetrustpw(struct net_context *c, int argc, const char **argv) > { >+ net_warn_member_options(); >+ > if (net_ads_check_our_domain(c) == 0) > return net_ads_changetrustpw(c, argc, argv); > >@@ -112,6 +114,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc, > return 1; > } > >+ net_warn_member_options(); >+ > if (c->opt_stdin) { > set_line_buffering(stdin); > set_line_buffering(stdout); >@@ -193,6 +197,8 @@ static int net_changesecretpw(struct net_context *c, int argc, > return 1; > } > >+ net_warn_member_options(); >+ > if(c->opt_force) { > struct secrets_domain_info1 *info = NULL; > struct secrets_domain_info1_change *prev = NULL; >diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c >index c41fb0afe9c9..0764b4d53cbd 100644 >--- a/source3/utils/net_ads.c >+++ b/source3/utils/net_ads.c >@@ -1312,6 +1312,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv) > return 0; > } > >+ net_warn_member_options(); >+ > if (!ADS_ERR_OK(ads_startup(c, true, &ads))) { > return -1; > } >@@ -1453,6 +1455,8 @@ static NTSTATUS net_ads_join_ok(struct net_context *c) > return NT_STATUS_ACCESS_DENIED; > } > >+ net_warn_member_options(); >+ > net_use_krb_machine_account(c); > > get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip); >@@ -1483,6 +1487,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv) > return 0; > } > >+ net_warn_member_options(); >+ > /* Display success or failure */ > status = net_ads_join_ok(c); > if (!NT_STATUS_IS_OK(status)) { >@@ -1868,6 +1874,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv) > if (c->display_usage) > return net_ads_join_usage(c, argc, argv); > >+ net_warn_member_options(); >+ > if (!modify_config) { > > werr = check_ads_config(); >@@ -2802,6 +2810,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv) > return -1; > } > >+ net_warn_member_options(); >+ > net_use_krb_machine_account(c); > > use_in_memory_ccache(); >@@ -3075,6 +3085,8 @@ static int net_ads_keytab_add(struct net_context *c, > return 0; > } > >+ net_warn_member_options(); >+ > d_printf(_("Processing principals to add...\n")); > > if (!c->opt_user_specified && c->opt_password == NULL) { >@@ -3119,6 +3131,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a > return 0; > } > >+ net_warn_member_options(); >+ > if (!c->opt_user_specified && c->opt_password == NULL) { > net_use_krb_machine_account(c); > } >diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c >index 13e65a933142..4b48e1566bc8 100644 >--- a/source3/utils/net_dom.c >+++ b/source3/utils/net_dom.c >@@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv) > return net_dom_usage(c, argc, argv); > } > >+ net_warn_member_options(); >+ > if (c->opt_host) { > server_name = c->opt_host; > } >diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c >index 1493dff74d7b..f67f08f79a81 100644 >--- a/source3/utils/net_join.c >+++ b/source3/utils/net_join.c >@@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv) > return 0; > } > >+ net_warn_member_options(); >+ > if (net_ads_check_our_domain(c) == 0) { > if (net_ads_join(c, argc, argv) == 0) > return 0; >diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c >index ef56ba9fce80..02c2a48eb14f 100644 >--- a/source3/utils/net_offlinejoin.c >+++ b/source3/utils/net_offlinejoin.c >@@ -49,6 +49,8 @@ int net_offlinejoin(struct net_context *c, int argc, const char **argv) > return -1; > } > >+ net_warn_member_options(); >+ > status = libnetapi_net_init(&c->netapi_ctx); > if (status != 0) { > return -1; >diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h >index eea7cc9426f0..29d4f48f106c 100644 >--- a/source3/utils/net_proto.h >+++ b/source3/utils/net_proto.h >@@ -431,6 +431,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv, > const char *whoami, struct functable *table); > void net_display_usage_from_functable(struct functable *table); > >+void net_warn_member_options(void); >+ > const char *net_share_type_str(int num_type); > > NTSTATUS net_scan_dc(struct net_context *c, >diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c >index 279b831f1483..ff6e3f78e9f0 100644 >--- a/source3/utils/net_rpc.c >+++ b/source3/utils/net_rpc.c >@@ -377,6 +377,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv) > return 0; > } > >+ net_warn_member_options(); >+ > mem_ctx = talloc_init("net_rpc_oldjoin"); > if (!mem_ctx) { > return -1; >@@ -496,6 +498,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv) > return 0; > } > >+ net_warn_member_options(); >+ > mem_ctx = talloc_init("net_rpc_testjoin"); > if (!mem_ctx) { > return -1; >@@ -570,6 +574,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a > return 0; > } > >+ net_warn_member_options(); >+ > mem_ctx = talloc_init("net_rpc_join_newstyle"); > if (!mem_ctx) { > return -1; >@@ -691,6 +697,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv) > return -1; > } > >+ net_warn_member_options(); >+ > if (strlen(lp_netbios_name()) > 15) { > d_printf(_("Our netbios name can be at most 15 chars long, " > "\"%s\" is %u chars long\n"), >@@ -821,6 +829,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv) > return 0; > } > >+ net_warn_member_options(); >+ > return run_rpc_command(c, NULL, &ndr_table_samr, > NET_FLAGS_PDC, rpc_info_internals, > argc, argv); >diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c >index 298d9a64dc0c..f3b7755063bf 100644 >--- a/source3/utils/net_util.c >+++ b/source3/utils/net_util.c >@@ -31,6 +31,7 @@ > #include "libsmb/libsmb.h" > #include "lib/param/param.h" > #include "auth/gensec/gensec.h" >+#include "libcli/auth/netlogon_creds_cli.h" > #include "lib/cmdline/cmdline.h" > > NTSTATUS net_rpc_lookup_name(struct net_context *c, >@@ -478,6 +479,19 @@ void net_display_usage_from_functable(struct functable *table) > } > } > >+void net_warn_member_options(void) >+{ >+ TALLOC_CTX *frame = talloc_stackframe(); >+ struct loadparm_context *lp_ctx = NULL; >+ >+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); >+ if (lp_ctx != NULL) { >+ netlogon_creds_cli_warn_options(lp_ctx); >+ } >+ >+ TALLOC_FREE(frame); >+} >+ > const char *net_share_type_str(int num_type) > { > switch(num_type) { >-- >2.34.1 > > >From f1cb8950583c12eaa5cbe907d0b16923f7187541 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 14:59:36 +0100 >Subject: [PATCH 06/29] CVE-2022-38023 s3:winbindd: also allow per domain > "winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN" > >This avoids advising insecure defaults for the global options. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef) >--- > source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++------- > 1 file changed, 33 insertions(+), 8 deletions(-) > >diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c >index 0c4a3cc35933..ff5dc22f52c3 100644 >--- a/source3/winbindd/winbindd_cm.c >+++ b/source3/winbindd/winbindd_cm.c >@@ -2447,6 +2447,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, > bool retry = false; /* allow one retry attempt for expired session */ > const char *remote_name = NULL; > const struct sockaddr_storage *remote_sockaddr = NULL; >+ bool sealed_pipes = true; >+ bool strong_key = true; > > if (sid_check_is_our_sam(&domain->sid)) { > if (domain->rodc == false || need_rw_dc == false) { >@@ -2626,14 +2628,24 @@ retry: > > anonymous: > >+ sealed_pipes = lp_winbind_sealed_pipes(); >+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", >+ domain->name, >+ sealed_pipes); >+ strong_key = lp_require_strong_key(); >+ strong_key = lp_parm_bool(-1, "require strong key", >+ domain->name, >+ strong_key); >+ > /* Finally fall back to anonymous. */ >- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { >+ if (sealed_pipes || strong_key) { > status = NT_STATUS_DOWNGRADE_DETECTED; > DEBUG(1, ("Unwilling to make SAMR connection to domain %s " > "without connection level security, " >- "must set 'winbind sealed pipes = false' and " >- "'require strong key = false' to proceed: %s\n", >- domain->name, nt_errstr(status))); >+ "must set 'winbind sealed pipes:%s = false' and " >+ "'require strong key:%s = false' to proceed: %s\n", >+ domain->name, domain->name, domain->name, >+ nt_errstr(status))); > goto done; > } > status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr, >@@ -2790,6 +2802,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, > bool retry = false; /* allow one retry attempt for expired session */ > const char *remote_name = NULL; > const struct sockaddr_storage *remote_sockaddr = NULL; >+ bool sealed_pipes = true; >+ bool strong_key = true; > > retry: > result = init_dc_connection_rpc(domain, false); >@@ -2951,13 +2965,24 @@ retry: > goto done; > } > >- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) { >+ sealed_pipes = lp_winbind_sealed_pipes(); >+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes", >+ domain->name, >+ sealed_pipes); >+ strong_key = lp_require_strong_key(); >+ strong_key = lp_parm_bool(-1, "require strong key", >+ domain->name, >+ strong_key); >+ >+ /* Finally fall back to anonymous. */ >+ if (sealed_pipes || strong_key) { > result = NT_STATUS_DOWNGRADE_DETECTED; > DEBUG(1, ("Unwilling to make LSA connection to domain %s " > "without connection level security, " >- "must set 'winbind sealed pipes = false' and " >- "'require strong key = false' to proceed: %s\n", >- domain->name, nt_errstr(result))); >+ "must set 'winbind sealed pipes:%s = false' and " >+ "'require strong key:%s = false' to proceed: %s\n", >+ domain->name, domain->name, domain->name, >+ nt_errstr(result))); > goto done; > } > >-- >2.34.1 > > >From 18bcf0b6496d4ed9d76d23f82674935bd275dc3b Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 24 Nov 2022 18:22:23 +0100 >Subject: [PATCH 07/29] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 > servers' default to yes > >AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no >reason to allow md5 servers by default. > >Note the change in netlogon_creds_cli_context_global() is only cosmetic, >but avoids confusion while reading the code. Check with: > > git show -U35 libcli/auth/netlogon_creds_cli.c > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584) >--- > docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++-- > lib/param/loadparm.c | 1 + > libcli/auth/netlogon_creds_cli.c | 4 ++-- > source3/param/loadparm.c | 1 + > 4 files changed, 9 insertions(+), 4 deletions(-) > >diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml >index 151b4676c57b..3bc4eaf7b02e 100644 >--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml >+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml >@@ -13,10 +13,13 @@ > This will prevent downgrade attacks.</para> > > <para>The behavior can be controlled per netbios domain >- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para> >+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para> >+ >+ <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023, >+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para> > > <para>This option overrides the <smbconfoption name="require strong key"/> option.</para> > </description> > >-<value type="default">no</value> >+<value type="default">yes</value> > </samba:parameter> >diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c >index 151fe167b26e..dfcc27ea68b6 100644 >--- a/lib/param/loadparm.c >+++ b/lib/param/loadparm.c >@@ -2665,6 +2665,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) > lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True"); > lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False"); > lpcfg_do_global_parameter(lp_ctx, "require strong key", "True"); >+ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True"); > lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR); > lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR); > lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR); >diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c >index 3c3908ea735b..df5f8a0fbfa5 100644 >--- a/libcli/auth/netlogon_creds_cli.c >+++ b/libcli/auth/netlogon_creds_cli.c >@@ -340,8 +340,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, > const char *client_computer; > uint32_t proposed_flags; > uint32_t required_flags = 0; >- bool reject_md5_servers = false; >- bool require_strong_key = false; >+ bool reject_md5_servers = true; >+ bool require_strong_key = true; > int require_sign_or_seal = true; > bool seal_secure_channel = true; > enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index b56fd20e410c..f934d48498c0 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -664,6 +664,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) > Globals.client_schannel = true; > Globals.winbind_sealed_pipes = true; > Globals.require_strong_key = true; >+ Globals.reject_md5_servers = true; > Globals.server_schannel = true; > Globals.read_raw = true; > Globals.write_raw = true; >-- >2.34.1 > > >From de121d6c613c6e83e49f2622391d1705077646a4 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Dec 2022 10:56:29 +0100 >Subject: [PATCH 08/29] CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel > != yes' warning to dcesrv_interface_netlogon_bind > >This will simplify the following changes. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++-------- > 1 file changed, 15 insertions(+), 11 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 6f5a6e500db4..010c3e136779 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -62,6 +62,21 @@ > static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context, > const struct dcesrv_interface *iface) > { >+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; >+ int schannel = lpcfg_server_schannel(lp_ctx); >+ bool schannel_global_required = (schannel == true); >+ static bool warned_global_schannel_once = false; >+ >+ if (!schannel_global_required && !warned_global_schannel_once) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ D_ERR("CVE-2020-1472(ZeroLogon): " >+ "Please configure 'server schannel = yes' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); >+ warned_global_schannel_once = true; >+ } >+ > return dcesrv_interface_bind_reject_connect(context, iface); > } > >@@ -627,7 +642,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; > uint16_t opnum = dce_call->pkt.u.request.opnum; > const char *opname = "<unknown>"; >- static bool warned_global_once = false; > > if (opnum < ndr_table_netlogon.num_calls) { > opname = ndr_table_netlogon.calls[opnum].name; >@@ -679,16 +693,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > return NT_STATUS_ACCESS_DENIED; > } > >- if (!schannel_global_required && !warned_global_once) { >- /* >- * We want admins to notice their misconfiguration! >- */ >- DBG_ERR("CVE-2020-1472(ZeroLogon): " >- "Please configure 'server schannel = yes', " >- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); >- warned_global_once = true; >- } >- > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { > DBG_ERR("CVE-2020-1472(ZeroLogon): " > "%s request (opnum[%u]) WITH schannel from " >-- >2.34.1 > > >From 9669a41693b8da410cf57e21f2de7c7e6e4c4235 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 12 Dec 2022 14:03:50 +0100 >Subject: [PATCH 09/29] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx > variable to dcesrv_netr_creds_server_step_check() > >This will simplify the following changes. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++--- > 1 file changed, 4 insertions(+), 3 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 010c3e136779..b85d2253d3c4 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -633,8 +633,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > struct netr_Authenticator *return_authenticator, > struct netlogon_creds_CredentialState **creds_out) > { >+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; > NTSTATUS nt_status; >- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx); >+ int schannel = lpcfg_server_schannel(lp_ctx); > bool schannel_global_required = (schannel == true); > bool schannel_required = schannel_global_required; > const char *explicit_opt = NULL; >@@ -650,7 +651,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > dcesrv_call_auth_info(dce_call, &auth_type, NULL); > > nt_status = schannel_check_creds_state(mem_ctx, >- dce_call->conn->dce_ctx->lp_ctx, >+ lp_ctx, > computer_name, > received_authenticator, > return_authenticator, >@@ -665,7 +666,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > * need the explicit_opt pointer in order to > * adjust the debug messages. > */ >- explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx, >+ explicit_opt = lpcfg_get_parametric(lp_ctx, > NULL, > "server require schannel", > creds->account_name); >-- >2.34.1 > > >From b9269801ed6bc034da924cdedd0b6a2938a1379f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 12 Dec 2022 14:03:50 +0100 >Subject: [PATCH 10/29] CVE-2022-38023 s4:rpc_server/netlogon: add > talloc_stackframe() to dcesrv_netr_creds_server_step_check() > >This will simplify the following changes. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++-------- > 1 file changed, 19 insertions(+), 13 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index b85d2253d3c4..5dfd84d939d9 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -634,6 +634,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > struct netlogon_creds_CredentialState **creds_out) > { > struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; >+ TALLOC_CTX *frame = talloc_stackframe(); > NTSTATUS nt_status; > int schannel = lpcfg_server_schannel(lp_ctx); > bool schannel_global_required = (schannel == true); >@@ -677,6 +678,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > if (schannel_required) { > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { > *creds_out = creds; >+ TALLOC_FREE(frame); > return NT_STATUS_OK; > } > >@@ -684,13 +686,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > "%s request (opnum[%u]) without schannel from " > "client_account[%s] client_computer_name[%s]\n", > opname, opnum, >- log_escape(mem_ctx, creds->account_name), >- log_escape(mem_ctx, creds->computer_name)); >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); > DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " >- "'server require schannel:%s = no' is needed! \n", >- log_escape(mem_ctx, creds->account_name)); >+ "'server require schannel:%s = no' " >+ "might be needed for a legacy client.\n", >+ log_escape(frame, creds->account_name)); > TALLOC_FREE(creds); > ZERO_STRUCTP(return_authenticator); >+ TALLOC_FREE(frame); > return NT_STATUS_ACCESS_DENIED; > } > >@@ -699,13 +703,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > "%s request (opnum[%u]) WITH schannel from " > "client_account[%s] client_computer_name[%s]\n", > opname, opnum, >- log_escape(mem_ctx, creds->account_name), >- log_escape(mem_ctx, creds->computer_name)); >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); > DBG_ERR("CVE-2020-1472(ZeroLogon): " > "Option 'server require schannel:%s = no' not needed!?\n", >- log_escape(mem_ctx, creds->account_name)); >+ log_escape(frame, creds->account_name)); > > *creds_out = creds; >+ TALLOC_FREE(frame); > return NT_STATUS_OK; > } > >@@ -715,24 +720,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > "%s request (opnum[%u]) without schannel from " > "client_account[%s] client_computer_name[%s]\n", > opname, opnum, >- log_escape(mem_ctx, creds->account_name), >- log_escape(mem_ctx, creds->computer_name)); >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); > DBG_INFO("CVE-2020-1472(ZeroLogon): " > "Option 'server require schannel:%s = no' still needed!\n", >- log_escape(mem_ctx, creds->account_name)); >+ log_escape(frame, creds->account_name)); > } else { > DBG_ERR("CVE-2020-1472(ZeroLogon): " > "%s request (opnum[%u]) without schannel from " > "client_account[%s] client_computer_name[%s]\n", > opname, opnum, >- log_escape(mem_ctx, creds->account_name), >- log_escape(mem_ctx, creds->computer_name)); >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); > DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " > "'server require schannel:%s = no' might be needed!\n", >- log_escape(mem_ctx, creds->account_name)); >+ log_escape(frame, creds->account_name)); > } > > *creds_out = creds; >+ TALLOC_FREE(frame); > return NT_STATUS_OK; > } > >-- >2.34.1 > > >From 643b4c1b95e40e46af14afa60aa42b0fcf1cf446 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 12:37:03 +0100 >Subject: [PATCH 11/29] CVE-2022-38023 s4:rpc_server/netlogon: re-order > checking in dcesrv_netr_creds_server_step_check() > >This will simplify the following changes. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++---------- > 1 file changed, 19 insertions(+), 22 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 5dfd84d939d9..637be93dacc9 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -675,13 +675,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > schannel_required = lp_bool(explicit_opt); > } > >- if (schannel_required) { >- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >- *creds_out = creds; >- TALLOC_FREE(frame); >- return NT_STATUS_OK; >+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ if (!schannel_required) { >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) WITH schannel from " >+ "client_account[%s] client_computer_name[%s]\n", >+ opname, opnum, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); >+ } >+ if (explicit_opt != NULL && !schannel_required) { >+ DBG_ERR("CVE-2020-1472(ZeroLogon): " >+ "Option 'server require schannel:%s = no' not needed!?\n", >+ log_escape(frame, creds->account_name)); > } > >+ *creds_out = creds; >+ TALLOC_FREE(frame); >+ return NT_STATUS_OK; >+ } >+ >+ if (schannel_required) { > DBG_ERR("CVE-2020-1472(ZeroLogon): " > "%s request (opnum[%u]) without schannel from " > "client_account[%s] client_computer_name[%s]\n", >@@ -698,23 +712,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > return NT_STATUS_ACCESS_DENIED; > } > >- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >- DBG_ERR("CVE-2020-1472(ZeroLogon): " >- "%s request (opnum[%u]) WITH schannel from " >- "client_account[%s] client_computer_name[%s]\n", >- opname, opnum, >- log_escape(frame, creds->account_name), >- log_escape(frame, creds->computer_name)); >- DBG_ERR("CVE-2020-1472(ZeroLogon): " >- "Option 'server require schannel:%s = no' not needed!?\n", >- log_escape(frame, creds->account_name)); >- >- *creds_out = creds; >- TALLOC_FREE(frame); >- return NT_STATUS_OK; >- } >- >- > if (explicit_opt != NULL) { > DBG_INFO("CVE-2020-1472(ZeroLogon): " > "%s request (opnum[%u]) without schannel from " >-- >2.34.1 > > >From e02e8ad46b02a4c16f575b6371eea8ea66dee067 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 12:37:03 +0100 >Subject: [PATCH 12/29] CVE-2022-38023 s4:rpc_server/netlogon: improve > CVE-2020-1472(ZeroLogon) debug messages > >In order to avoid generating useless debug messages during make test, >we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' >and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. > >Review with: git show -w > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++----- > 1 file changed, 106 insertions(+), 41 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 637be93dacc9..d4bbb1261c3a 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -641,15 +641,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > bool schannel_required = schannel_global_required; > const char *explicit_opt = NULL; > struct netlogon_creds_CredentialState *creds = NULL; >+ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, >+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); >+ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, >+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); >+ unsigned int dbg_lvl = DBGLVL_DEBUG; > enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; > uint16_t opnum = dce_call->pkt.u.request.opnum; > const char *opname = "<unknown>"; >+ const char *reason = "<unknown>"; > > if (opnum < ndr_table_netlogon.num_calls) { > opname = ndr_table_netlogon.calls[opnum].name; > } > >- dcesrv_call_auth_info(dce_call, &auth_type, NULL); >+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); >+ >+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { >+ reason = "WITH SEALED"; >+ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { >+ reason = "WITH SIGNED"; >+ } else { >+ smb_panic("Schannel without SIGN/SEAL"); >+ } >+ } else { >+ reason = "WITHOUT"; >+ } > > nt_status = schannel_check_creds_state(mem_ctx, > lp_ctx, >@@ -676,62 +695,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > } > > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >- if (!schannel_required) { >- DBG_ERR("CVE-2020-1472(ZeroLogon): " >- "%s request (opnum[%u]) WITH schannel from " >- "client_account[%s] client_computer_name[%s]\n", >- opname, opnum, >- log_escape(frame, creds->account_name), >- log_escape(frame, creds->computer_name)); >+ nt_status = NT_STATUS_OK; >+ >+ if (explicit_opt != NULL && !schannel_required) { >+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); >+ } else if (!schannel_required) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); > } >+ >+ DEBUG(dbg_lvl, ( >+ "CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) %s schannel from " >+ "client_account[%s] client_computer_name[%s] %s\n", >+ opname, opnum, reason, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name), >+ nt_errstr(nt_status))); >+ > if (explicit_opt != NULL && !schannel_required) { >- DBG_ERR("CVE-2020-1472(ZeroLogon): " >- "Option 'server require schannel:%s = no' not needed!?\n", >- log_escape(frame, creds->account_name)); >+ DEBUG(CVE_2020_1472_warn_level, ( >+ "CVE-2020-1472(ZeroLogon): " >+ "Option 'server require schannel:%s = no' not needed for '%s'!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name))); > } > > *creds_out = creds; > TALLOC_FREE(frame); >- return NT_STATUS_OK; >+ return nt_status; > } > > if (schannel_required) { >- DBG_ERR("CVE-2020-1472(ZeroLogon): " >- "%s request (opnum[%u]) without schannel from " >- "client_account[%s] client_computer_name[%s]\n", >- opname, opnum, >- log_escape(frame, creds->account_name), >- log_escape(frame, creds->computer_name)); >- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " >- "'server require schannel:%s = no' " >- "might be needed for a legacy client.\n", >- log_escape(frame, creds->account_name)); >+ nt_status = NT_STATUS_ACCESS_DENIED; >+ >+ if (explicit_opt != NULL) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); >+ } else { >+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); >+ } >+ >+ DEBUG(dbg_lvl, ( >+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " >+ "%s request (opnum[%u]) %s schannel from " >+ "client_account[%s] client_computer_name[%s] %s\n", >+ opname, opnum, reason, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name), >+ nt_errstr(nt_status))); >+ if (explicit_opt != NULL) { >+ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " >+ "'server require schannel:%s = yes' " >+ "rejects access for client.\n", >+ log_escape(frame, creds->account_name)); >+ } else { >+ DEBUG(CVE_2020_1472_error_level, ( >+ "CVE-2020-1472(ZeroLogon): Check if option " >+ "'server require schannel:%s = no' " >+ "might be needed for a legacy client.\n", >+ log_escape(frame, creds->account_name))); >+ } > TALLOC_FREE(creds); > ZERO_STRUCTP(return_authenticator); > TALLOC_FREE(frame); >- return NT_STATUS_ACCESS_DENIED; >+ return nt_status; > } > >+ nt_status = NT_STATUS_OK; >+ > if (explicit_opt != NULL) { >- DBG_INFO("CVE-2020-1472(ZeroLogon): " >- "%s request (opnum[%u]) without schannel from " >- "client_account[%s] client_computer_name[%s]\n", >- opname, opnum, >- log_escape(frame, creds->account_name), >- log_escape(frame, creds->computer_name)); >- DBG_INFO("CVE-2020-1472(ZeroLogon): " >- "Option 'server require schannel:%s = no' still needed!\n", >- log_escape(frame, creds->account_name)); >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); > } else { >- DBG_ERR("CVE-2020-1472(ZeroLogon): " >- "%s request (opnum[%u]) without schannel from " >- "client_account[%s] client_computer_name[%s]\n", >- opname, opnum, >- log_escape(frame, creds->account_name), >- log_escape(frame, creds->computer_name)); >- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " >- "'server require schannel:%s = no' might be needed!\n", >- log_escape(frame, creds->account_name)); >+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); >+ } >+ >+ DEBUG(dbg_lvl, ( >+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " >+ "%s request (opnum[%u]) %s schannel from " >+ "client_account[%s] client_computer_name[%s] %s\n", >+ opname, opnum, reason, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name), >+ nt_errstr(nt_status))); >+ >+ if (explicit_opt != NULL) { >+ D_INFO("CVE-2020-1472(ZeroLogon): Option " >+ "'server require schannel:%s = no' " >+ "still needed for '%s'!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); >+ } else { >+ /* >+ * admins should set >+ * server require schannel:COMPUTER$ = no >+ * in order to avoid the level 0 messages. >+ * Over time they can switch the global value >+ * to be strict. >+ */ >+ DEBUG(CVE_2020_1472_error_level, ( >+ "CVE-2020-1472(ZeroLogon): " >+ "Please use 'server require schannel:%s = no' " >+ "for '%s' to avoid this warning!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name))); > } > > *creds_out = creds; >-- >2.34.1 > > >From 0be35930722530e5befa16a65a16232393258057 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 12:26:01 +0100 >Subject: [PATCH 13/29] CVE-2022-38023 selftest:Samba4: avoid global 'server > schannel = auto' > >Instead of using the generic deprecated option use the specific >server require schannel:COMPUTERACCOUNT = no in order to allow >legacy tests for pass. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c) >--- > selftest/target/Samba4.pm | 40 ++++++++++++++++++++++++++++++++++++--- > 1 file changed, 37 insertions(+), 3 deletions(-) > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index 5c324c500fe9..5568e399da57 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1625,10 +1625,27 @@ sub provision_ad_dc_ntvfs($$$) > dsdb event notification = true > dsdb password event notification = true > dsdb group change notification = true >- server schannel = auto > # override the new SMB2 only default > client min protocol = CORE > server min protocol = LANMAN1 >+ >+ CVE_2020_1472:warn_about_unused_debug_level = 3 >+ server require schannel:schannel0\$ = no >+ server require schannel:schannel1\$ = no >+ server require schannel:schannel2\$ = no >+ server require schannel:schannel3\$ = no >+ server require schannel:schannel4\$ = no >+ server require schannel:schannel5\$ = no >+ server require schannel:schannel6\$ = no >+ server require schannel:schannel7\$ = no >+ server require schannel:schannel8\$ = no >+ server require schannel:schannel9\$ = no >+ server require schannel:schannel10\$ = no >+ server require schannel:schannel11\$ = no >+ server require schannel:torturetest\$ = no >+ >+ # needed for 'samba.tests.auth_log' tests >+ server require schannel:LOCALDC\$ = no > "; > push (@{$extra_provision_options}, "--use-ntvfs"); > my $ret = $self->provision($prefix, >@@ -1975,8 +1992,22 @@ sub provision_ad_dc($$$$$$$) > lpq cache time = 0 > print notify backchannel = yes > >- server schannel = auto >- auth event notification = true >+ CVE_2020_1472:warn_about_unused_debug_level = 3 >+ server require schannel:schannel0\$ = no >+ server require schannel:schannel1\$ = no >+ server require schannel:schannel2\$ = no >+ server require schannel:schannel3\$ = no >+ server require schannel:schannel4\$ = no >+ server require schannel:schannel5\$ = no >+ server require schannel:schannel6\$ = no >+ server require schannel:schannel7\$ = no >+ server require schannel:schannel8\$ = no >+ server require schannel:schannel9\$ = no >+ server require schannel:schannel10\$ = no >+ server require schannel:schannel11\$ = no >+ server require schannel:torturetest\$ = no >+ >+ auth event notification = true > dsdb event notification = true > dsdb password event notification = true > dsdb group change notification = true >@@ -2653,6 +2684,9 @@ sub setup_ad_dc_smb1 > [global] > client min protocol = CORE > server min protocol = LANMAN1 >+ >+ # needed for 'samba.tests.auth_log' tests >+ server require schannel:ADDCSMB1\$ = no > "; > return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com"); > } >-- >2.34.1 > > >From 90f06ad6d7d00fc51a2d64557cf58739fef851c1 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Mon, 28 Nov 2022 15:02:13 +0100 >Subject: [PATCH 14/29] CVE-2022-38023 s4:torture: use > NETLOGON_NEG_SUPPORTS_AES by default > >For generic tests we should use the best available features. > >And AES will be required by default soon. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66) >--- > source4/torture/ntp/ntp_signd.c | 2 +- > source4/torture/rpc/lsa.c | 4 ++-- > source4/torture/rpc/netlogon.c | 24 ++++++++++++------------ > source4/torture/rpc/samba3rpc.c | 15 ++++++++++++--- > 4 files changed, 27 insertions(+), 18 deletions(-) > >diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c >index 124c9604871b..6d482bfdee16 100644 >--- a/source4/torture/ntp/ntp_signd.c >+++ b/source4/torture/ntp/ntp_signd.c >@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx, > uint32_t rid; > const char *machine_name; > const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx); >- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > > struct sign_request sign_req; > struct signed_reply signed_reply; >diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c >index 908ea08019c5..453a55562bc4 100644 >--- a/source4/torture/rpc/lsa.c >+++ b/source4/torture/rpc/lsa.c >@@ -4285,7 +4285,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, > torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); > > ok = check_pw_with_ServerAuthenticate3(p1, tctx, >- NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, > server_name, > incoming_creds, &creds); > torture_assert_int_equal(tctx, ok, expected_result, >@@ -4382,7 +4382,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p, > torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b"); > > ok = check_pw_with_ServerAuthenticate3(p2, tctx, >- NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, > server_name, > incoming_creds, &creds); > torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password"); >diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c >index 11f950d3aab4..2803dd13b467 100644 >--- a/source4/torture/rpc/netlogon.c >+++ b/source4/torture/rpc/netlogon.c >@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx, > > /* This allows the tests to continue against the more fussy windows 2008 */ > if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) { >- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, > credentials, > cli_credentials_get_secure_channel_type(credentials), > creds_out); >@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx, > "ServerAuthenticate3 failed"); > torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed"); > >- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > creds = netlogon_creds_client_init(tctx, a.in.account_name, > a.in.computer_name, > a.in.secure_channel_type, >@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge( > const char *machine_name; > struct dcerpc_binding_handle *b = p->binding_handle; > struct netr_ServerAuthenticate2 a; >- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > uint32_t out_negotiate_flags = 0; > const struct samr_Password *mach_password = NULL; > enum netr_SchannelType sec_chan_type = 0; >@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge( > const char *machine_name; > struct dcerpc_binding_handle *b = p->binding_handle; > struct netr_ServerAuthenticate2 a; >- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > uint32_t out_negotiate_flags = 0; > const struct samr_Password *mach_password = NULL; > enum netr_SchannelType sec_chan_type = 0; >@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats( > const char *machine_name; > struct dcerpc_binding_handle *b = p->binding_handle; > struct netr_ServerAuthenticate2 a; >- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > uint32_t out_negotiate_flags = 0; > const struct samr_Password *mach_password = NULL; > enum netr_SchannelType sec_chan_type = 0; >@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats( > const char *machine_name; > struct dcerpc_binding_handle *b = p->binding_handle; > struct netr_ServerAuthenticate2 a; >- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > uint32_t out_negotiate_flags = 0; > const struct samr_Password *mach_password = NULL; > enum netr_SchannelType sec_chan_type = 0; >@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros( > struct netr_CryptPassword new_password; > struct dcerpc_pipe *p = NULL; > struct dcerpc_binding_handle *b = NULL; >- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ > > if (!test_SetupCredentials2( > p1, >@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password( > struct netr_CryptPassword new_password; > struct dcerpc_pipe *p = NULL; > struct dcerpc_binding_handle *b = NULL; >- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > DATA_BLOB new_random_pass = data_blob_null; > > if (!test_SetupCredentials2( >@@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password( > struct netr_CryptPassword new_password; > struct dcerpc_pipe *p = NULL; > struct dcerpc_binding_handle *b = NULL; >- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */ > > if (!test_SetupCredentials2( > p1, >@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx, > struct dcerpc_pipe *p = NULL; > struct dcerpc_binding_handle *b = NULL; > >- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, > machine_credentials, &creds)) { > return false; > } >@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx, > > torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n"); > >- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, > machine_credentials, &creds)) { > return false; > } >@@ -5560,7 +5560,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx, > > torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT); > >- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS, >+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES, > machine_credentials, &creds)) { > return false; > } >diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c >index ff5dc1d68003..ee8dac67dfa8 100644 >--- a/source4/torture/rpc/samba3rpc.c >+++ b/source4/torture/rpc/samba3rpc.c >@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx, > goto done; > } > >- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; >+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES; > E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash); > > a.in.server_name = talloc_asprintf( >@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx, > E_md4hash(cli_credentials_get_password(user_creds), > pinfo.ntpassword.hash); > >- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16); >- > logon.password = &pinfo; > >+ /* >+ * We don't use this here: >+ * >+ * netlogon_creds_encrypt_samlogon_logon(creds_state, >+ * NetlogonInteractiveInformation, >+ * &logon); >+ * >+ * in order to detect bugs >+ */ >+ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16); >+ > r.in.logon_level = NetlogonInteractiveInformation; > r.in.logon = &logon; > r.out.return_authenticator = &return_authenticator; >-- >2.34.1 > > >From 33a814d745c0c2dd4e49582fbee892471620bfcd Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 09:54:17 +0100 >Subject: [PATCH 15/29] CVE-2022-38023 s4:rpc_server/netlogon: split out > dcesrv_netr_ServerAuthenticate3_check_downgrade() > >We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', >which means we'll need the downgrade detection in more places. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++-------- > 1 file changed, 67 insertions(+), 47 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index d4bbb1261c3a..49aa91816abe 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -130,6 +130,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal > return NT_STATUS_OK; > } > >+static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ struct dcesrv_call_state *dce_call, >+ struct netr_ServerAuthenticate3 *r, >+ struct netlogon_server_pipe_state *pipe_state, >+ uint32_t negotiate_flags, >+ NTSTATUS orig_status) >+{ >+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; >+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); >+ bool reject_des_client = !allow_nt4_crypto; >+ bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); >+ >+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { >+ reject_des_client = false; >+ } >+ >+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { >+ reject_des_client = false; >+ reject_md5_client = false; >+ } >+ >+ if (reject_des_client || reject_md5_client) { >+ /* >+ * Here we match Windows 2012 and return no flags. >+ */ >+ *r->out.negotiate_flags = 0; >+ return NT_STATUS_DOWNGRADE_DETECTED; >+ } >+ >+ /* >+ * This talloc_free is important to prevent re-use of the >+ * challenge. We have to delay it this far due to NETApp >+ * servers per: >+ * https://bugzilla.samba.org/show_bug.cgi?id=11291 >+ */ >+ TALLOC_FREE(pipe_state); >+ >+ /* >+ * At this point we must also cleanup the TDB cache >+ * entry, if we fail the client needs to call >+ * netr_ServerReqChallenge again. >+ * >+ * Note: this handles a non existing record just fine, >+ * the r->in.computer_name might not be the one used >+ * in netr_ServerReqChallenge(), but we are trying to >+ * just tidy up the normal case to prevent re-use. >+ */ >+ schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx, >+ r->in.computer_name); >+ >+ /* >+ * According to Microsoft (see bugid #6099) >+ * Windows 7 looks at the negotiate_flags >+ * returned in this structure *even if the >+ * call fails with access denied! >+ */ >+ *r->out.negotiate_flags = negotiate_flags; >+ >+ return orig_status; >+} >+ > /* > * Do the actual processing of a netr_ServerAuthenticate3 message. > * called from dcesrv_netr_ServerAuthenticate3, which handles the logging. >@@ -157,11 +218,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > "objectSid", "samAccountName", NULL}; > uint32_t server_flags = 0; > uint32_t negotiate_flags = 0; >- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx); >- bool reject_des_client = !allow_nt4_crypto; >- bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx); > > ZERO_STRUCTP(r->out.return_credentials); >+ *r->out.negotiate_flags = 0; > *r->out.rid = 0; > > pipe_state = dcesrv_iface_state_find_conn(dce_call, >@@ -240,52 +299,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > > negotiate_flags = *r->in.negotiate_flags & server_flags; > >- if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { >- reject_des_client = false; >- } >- >- if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { >- reject_des_client = false; >- reject_md5_client = false; >- } >- >- if (reject_des_client || reject_md5_client) { >- /* >- * Here we match Windows 2012 and return no flags. >- */ >- *r->out.negotiate_flags = 0; >- return NT_STATUS_DOWNGRADE_DETECTED; >+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_OK); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ return nt_status; > } > >- /* >- * This talloc_free is important to prevent re-use of the >- * challenge. We have to delay it this far due to NETApp >- * servers per: >- * https://bugzilla.samba.org/show_bug.cgi?id=11291 >- */ >- TALLOC_FREE(pipe_state); >- >- /* >- * At this point we must also cleanup the TDB cache >- * entry, if we fail the client needs to call >- * netr_ServerReqChallenge again. >- * >- * Note: this handles a non existing record just fine, >- * the r->in.computer_name might not be the one used >- * in netr_ServerReqChallenge(), but we are trying to >- * just tidy up the normal case to prevent re-use. >- */ >- schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx, >- r->in.computer_name); >- >- /* >- * According to Microsoft (see bugid #6099) >- * Windows 7 looks at the negotiate_flags >- * returned in this structure *even if the >- * call fails with access denied! >- */ >- *r->out.negotiate_flags = negotiate_flags; >- > switch (r->in.secure_channel_type) { > case SEC_CHAN_WKSTA: > case SEC_CHAN_DNS_DOMAIN: >-- >2.34.1 > > >From ade168df393064dd25a6e540e06332dcd1803297 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Thu, 24 Nov 2022 18:26:18 +0100 >Subject: [PATCH 16/29] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 > clients' default to yes > >AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0, >so there's no reason to allow md5 clients by default. >However some third party domain members may need it. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1) >--- > docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++--- > lib/param/loadparm.c | 1 + > selftest/target/Samba4.pm | 4 ++++ > source3/param/loadparm.c | 1 + > 4 files changed, 14 insertions(+), 3 deletions(-) > >diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml >index 0bb9f6f6c8ec..edcbe02e99a3 100644 >--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml >+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml >@@ -7,11 +7,16 @@ > only in 'active directory domain controller' mode), will > reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para> > >- <para>You can set this to yes if all domain members support aes. >- This will prevent downgrade attacks.</para> >+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows >+ starting with Server 2008R2 and Windows 7, it's available in Samba >+ starting with 4.0, however third party domain members like NetApp ONTAP >+ still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para> >+ >+ <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, >+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para> > > <para>This option overrides the 'allow nt4 crypto' option.</para> > </description> > >-<value type="default">no</value> >+<value type="default">yes</value> > </samba:parameter> >diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c >index dfcc27ea68b6..3f4e367570e4 100644 >--- a/lib/param/loadparm.c >+++ b/lib/param/loadparm.c >@@ -2722,6 +2722,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) > lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); > > lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); >+ lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); > > lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index 5568e399da57..f452248db8d4 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1629,6 +1629,8 @@ sub provision_ad_dc_ntvfs($$$) > client min protocol = CORE > server min protocol = LANMAN1 > >+ reject md5 clients = no >+ > CVE_2020_1472:warn_about_unused_debug_level = 3 > server require schannel:schannel0\$ = no > server require schannel:schannel1\$ = no >@@ -1992,6 +1994,8 @@ sub provision_ad_dc($$$$$$$) > lpq cache time = 0 > print notify backchannel = yes > >+ reject md5 clients = no >+ > CVE_2020_1472:warn_about_unused_debug_level = 3 > server require schannel:schannel0\$ = no > server require schannel:schannel1\$ = no >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index f934d48498c0..13a8504425ca 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) > Globals.require_strong_key = true; > Globals.reject_md5_servers = true; > Globals.server_schannel = true; >+ Globals.reject_md5_clients = true; > Globals.read_raw = true; > Globals.write_raw = true; > Globals.null_passwords = false; >-- >2.34.1 > > >From 5154471bca2162c14c91ebd02148be521e333817 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 10:31:08 +0100 >Subject: [PATCH 17/29] CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade > check until we found the account in our SAM > >We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no', >which means we'll need use the account name from our SAM. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------ > 1 file changed, 53 insertions(+), 23 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 49aa91816abe..dad06835862e 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -299,13 +299,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > > negotiate_flags = *r->in.negotiate_flags & server_flags; > >- nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( >- dce_call, r, pipe_state, negotiate_flags, >- NT_STATUS_OK); >- if (!NT_STATUS_IS_OK(nt_status)) { >- return nt_status; >- } >- > switch (r->in.secure_channel_type) { > case SEC_CHAN_WKSTA: > case SEC_CHAN_DNS_DOMAIN: >@@ -314,16 +307,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > case SEC_CHAN_RODC: > break; > case SEC_CHAN_NULL: >- return NT_STATUS_INVALID_PARAMETER; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_INVALID_PARAMETER); > default: > DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", > r->in.secure_channel_type)); >- return NT_STATUS_INVALID_PARAMETER; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_INVALID_PARAMETER); > } > > sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call); > if (sam_ctx == NULL) { >- return NT_STATUS_INVALID_SYSTEM_SERVICE; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_INVALID_SYSTEM_SERVICE); > } > > if (r->in.secure_channel_type == SEC_CHAN_DOMAIN || >@@ -352,16 +351,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > encoded_name = ldb_binary_encode_string(mem_ctx, > r->in.account_name); > if (encoded_name == NULL) { >- return NT_STATUS_NO_MEMORY; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_MEMORY); > } > > len = strlen(encoded_name); > if (len < 2) { >- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > > if (require_trailer && encoded_name[len - 1] != trailer) { >- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > encoded_name[len - 1] = '\0'; > >@@ -379,30 +384,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > "but there's no tdo for [%s] => [%s] \n", > log_escape(mem_ctx, r->in.account_name), > encoded_name)); >- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > if (!NT_STATUS_IS_OK(nt_status)) { >- return nt_status; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ nt_status); > } > > nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx, > &curNtHash, > &prevNtHash); > if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { >- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > if (!NT_STATUS_IS_OK(nt_status)) { >- return nt_status; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ nt_status); > } > > flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL); > if (flatname == NULL) { >- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > > *trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname); > if (*trust_account_for_search == NULL) { >- return NT_STATUS_NO_MEMORY; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_MEMORY); > } > } else { > *trust_account_for_search = r->in.account_name; >@@ -417,14 +434,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (num_records == 0) { > DEBUG(3,("Couldn't find user [%s] in samdb.\n", > log_escape(mem_ctx, r->in.account_name))); >- return NT_STATUS_NO_TRUST_SAM_ACCOUNT; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > > if (num_records > 1) { > DEBUG(0,("Found %d records matching user [%s]\n", > num_records, > log_escape(mem_ctx, r->in.account_name))); >- return NT_STATUS_INTERNAL_DB_CORRUPTION; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_INTERNAL_DB_CORRUPTION); > } > > *trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0], >@@ -433,9 +454,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (*trust_account_in_db == NULL) { > DEBUG(0,("No samAccountName returned in record matching user [%s]\n", > r->in.account_name)); >- return NT_STATUS_INTERNAL_DB_CORRUPTION; >+ return dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_INTERNAL_DB_CORRUPTION); > } >- >+ >+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( >+ dce_call, r, pipe_state, negotiate_flags, >+ NT_STATUS_OK); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ return nt_status; >+ } >+ > user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0); > > if (user_account_control & UF_ACCOUNTDISABLE) { >-- >2.34.1 > > >From a0c68f4caaa0771dcde074906956335c9e458bdf Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 13:13:36 +0100 >Subject: [PATCH 18/29] CVE-2022-38023 s4:rpc_server/netlogon: add 'server > reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4 > crypto:COMPUTERACCOUNT = yes' > >This makes it more flexible when we change the global default to >'reject md5 servers = yes'. > >'allow nt4 crypto = no' is already the default. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++- > 1 file changed, 55 insertions(+), 3 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index dad06835862e..301a5c8144f5 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -135,12 +135,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( > struct netr_ServerAuthenticate3 *r, > struct netlogon_server_pipe_state *pipe_state, > uint32_t negotiate_flags, >+ const char *trust_account_in_db, > NTSTATUS orig_status) > { > struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; >- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); >- bool reject_des_client = !allow_nt4_crypto; >- bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); >+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); >+ bool account_allow_nt4_crypto = global_allow_nt4_crypto; >+ const char *explicit_nt4_opt = NULL; >+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); >+ bool account_reject_md5_client = global_reject_md5_client; >+ const char *explicit_md5_opt = NULL; >+ bool reject_des_client; >+ bool allow_nt4_crypto; >+ bool reject_md5_client; >+ >+ /* >+ * We don't use lpcfg_parm_bool(), as we >+ * need the explicit_opt pointer in order to >+ * adjust the debug messages. >+ */ >+ >+ if (trust_account_in_db != NULL) { >+ explicit_nt4_opt = lpcfg_get_parametric(lp_ctx, >+ NULL, >+ "allow nt4 crypto", >+ trust_account_in_db); >+ } >+ if (explicit_nt4_opt != NULL) { >+ account_allow_nt4_crypto = lp_bool(explicit_nt4_opt); >+ } >+ allow_nt4_crypto = account_allow_nt4_crypto; >+ if (trust_account_in_db != NULL) { >+ explicit_md5_opt = lpcfg_get_parametric(lp_ctx, >+ NULL, >+ "server reject md5 schannel", >+ trust_account_in_db); >+ } >+ if (explicit_md5_opt != NULL) { >+ account_reject_md5_client = lp_bool(explicit_md5_opt); >+ } >+ reject_md5_client = account_reject_md5_client; >+ >+ reject_des_client = !allow_nt4_crypto; > > if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { > reject_des_client = false; >@@ -309,12 +345,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > case SEC_CHAN_NULL: > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_INVALID_PARAMETER); > default: > DEBUG(1, ("Client asked for an invalid secure channel type: %d\n", > r->in.secure_channel_type)); > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_INVALID_PARAMETER); > } > >@@ -322,6 +360,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (sam_ctx == NULL) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_INVALID_SYSTEM_SERVICE); > } > >@@ -353,6 +392,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (encoded_name == NULL) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_MEMORY); > } > >@@ -360,12 +400,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (len < 2) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > > if (require_trailer && encoded_name[len - 1] != trailer) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > encoded_name[len - 1] = '\0'; >@@ -386,11 +428,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > encoded_name)); > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > if (!NT_STATUS_IS_OK(nt_status)) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > nt_status); > } > >@@ -400,11 +444,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > if (!NT_STATUS_IS_OK(nt_status)) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > nt_status); > } > >@@ -412,6 +458,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (flatname == NULL) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > >@@ -419,6 +466,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > if (*trust_account_for_search == NULL) { > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_MEMORY); > } > } else { >@@ -436,6 +484,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > log_escape(mem_ctx, r->in.account_name))); > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_NO_TRUST_SAM_ACCOUNT); > } > >@@ -445,6 +494,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > log_escape(mem_ctx, r->in.account_name))); > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_INTERNAL_DB_CORRUPTION); > } > >@@ -456,11 +506,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper( > r->in.account_name)); > return dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ NULL, /* trust_account_in_db */ > NT_STATUS_INTERNAL_DB_CORRUPTION); > } > > nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade( > dce_call, r, pipe_state, negotiate_flags, >+ *trust_account_in_db, > NT_STATUS_OK); > if (!NT_STATUS_IS_OK(nt_status)) { > return nt_status; >-- >2.34.1 > > >From 4cb1e57caaf537c760de95a4a4e300ff8c711dfe Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 13:31:14 +0100 >Subject: [PATCH 19/29] CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4 > crypto:COMPUTERACCOUNT = no" > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b) >--- > docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++- > 1 file changed, 74 insertions(+), 2 deletions(-) > >diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml >index 06afcef73b1b..bbd03a42db74 100644 >--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml >+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml >@@ -1,11 +1,18 @@ > <samba:parameter name="allow nt4 crypto" > context="G" > type="boolean" >+ deprecated="1" > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> >+ <para> >+ This option is deprecated and will be removed in future, >+ as it is a security problem if not set to "no" (which will be >+ the hardcoded behavior in future). >+ </para> >+ > <para>This option controls whether the netlogon server (currently > only in 'active directory domain controller' mode), will >- reject clients which does not support NETLOGON_NEG_STRONG_KEYS >+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS > nor NETLOGON_NEG_SUPPORTS_AES.</para> > > <para>This option was added with Samba 4.2.0. It may lock out clients >@@ -18,8 +25,73 @@ > > <para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para> > >- <para>This option is over-ridden by the 'reject md5 clients' option.</para> >+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead! >+ Which is available with the patches for >+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> >+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para> >+ >+ <para> >+ Samba will log an error in the log files at log level 0 >+ if legacy a client is rejected or allowed without an explicit, >+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option >+ for the client. The message will indicate >+ the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' >+ line to be added, if the legacy client software requires it. (The log level can be adjusted with >+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). >+ </para> >+ >+ <para>This allows admins to use "yes" only for a short grace period, >+ in order to collect the explicit >+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para> >+ >+ <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para> > </description> > > <value type="default">no</value> > </samba:parameter> >+ >+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT" >+ context="G" >+ type="string" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ >+ <para>If you still have legacy domain members which required 'allow nt4 crypto = yes', >+ it is possible to specify an explicit exception per computer account >+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option. >+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of >+ the computer account (including the trailing '$' sign). >+ </para> >+ >+ <para> >+ Samba will log a complaint in the log files at log level 0 >+ about the security problem if the option is set to "yes", >+ but the related computer does not require it. >+ (The log level can be adjusted with >+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). >+ </para> >+ >+ <para> >+ Samba will log a warning in the log files at log level 5, >+ if a setting is still needed for the specified computer account. >+ </para> >+ >+ <para> >+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, >+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. >+ </para> >+ >+ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para> >+ >+ <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para> >+ >+ <programlisting> >+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes >+ allow nt4 crypto:NASBOX$ = yes >+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes >+ </programlisting> >+</description> >+ >+</samba:parameter> >-- >2.34.1 > > >From b7f0e7f2ccc9c07b2daa0dc6d66ea117108e9a4f Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 14:02:11 +0100 >Subject: [PATCH 20/29] CVE-2022-38023 docs-xml/smbdotconf: document "server > reject md5 schannel:COMPUTERACCOUNT" > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1) >--- > docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++- > .../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++- > 2 files changed, 103 insertions(+), 6 deletions(-) > >diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml >index bbd03a42db74..ee63e6cc2453 100644 >--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml >+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml >@@ -45,7 +45,9 @@ > in order to collect the explicit > '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para> > >- <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para> >+ <para>This option is over-ridden by the effective value of 'yes' from >+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' >+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para> > </description> > > <value type="default">no</value> >@@ -85,12 +87,19 @@ > > <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para> > >- <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para> >+ <para>This option is over-ridden by the effective value of 'yes' from >+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' >+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para> >+ <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' >+ is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para> > > <programlisting> > allow nt4 crypto:LEGACYCOMPUTER1$ = yes >+ server reject md5 schannel:LEGACYCOMPUTER1$ = no > allow nt4 crypto:NASBOX$ = yes >+ server reject md5 schannel:NASBOX$ = no > allow nt4 crypto:LEGACYCOMPUTER2$ = yes >+ server reject md5 schannel:LEGACYCOMPUTER2$ = no > </programlisting> > </description> > >diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml >index edcbe02e99a3..fe7701d92772 100644 >--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml >+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml >@@ -1,8 +1,15 @@ > <samba:parameter name="reject md5 clients" > context="G" > type="boolean" >+ deprecated="1" > xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> > <description> >+ <para> >+ This option is deprecated and will be removed in a future release, >+ as it is a security problem if not set to "yes" (which will be >+ the hardcoded behavior in the future). >+ </para> >+ > <para>This option controls whether the netlogon server (currently > only in 'active directory domain controller' mode), will > reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para> >@@ -10,13 +17,94 @@ > <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows > starting with Server 2008R2 and Windows 7, it's available in Samba > starting with 4.0, however third party domain members like NetApp ONTAP >- still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para> >+ still uses RC4 (HMAC-MD5), see >+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink> >+ for more details. >+ </para> >+ >+ <para>The default changed from 'no' to 'yes', with the patches for >+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> >+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. >+ </para> >+ >+ <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account >+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead! >+ Which is available with the patches for >+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> >+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. >+ </para> > >- <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023, >- see https://bugzilla.samba.org/show_bug.cgi?id=15240</para> >+ <para> >+ Samba will log an error in the log files at log level 0 >+ if legacy a client is rejected or allowed without an explicit, >+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option >+ for the client. The message will indicate >+ the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' >+ line to be added, if the legacy client software requires it. (The log level can be adjusted with >+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). >+ </para> > >- <para>This option overrides the 'allow nt4 crypto' option.</para> >+ <para>This allows admins to use "no" only for a short grace period, >+ in order to collect the explicit >+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para> >+ >+ <para>When set to 'yes' this option overrides the >+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and >+ '<smbconfoption name="allow nt4 crypto"/>' options and implies >+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. >+ </para> > </description> > > <value type="default">yes</value> > </samba:parameter> >+ >+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT" >+ context="G" >+ type="string" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ >+ <para>If you still have legacy domain members or trusted domains, >+ which required "reject md5 clients = no" before, >+ it is possible to specify an explicit exception per computer account >+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'. >+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of >+ the computer account (including the trailing '$' sign). >+ </para> >+ >+ <para> >+ Samba will log a complaint in the log files at log level 0 >+ about the security problem if the option is set to "no", >+ but the related computer does not require it. >+ (The log level can be adjusted with >+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). >+ </para> >+ >+ <para> >+ Samba will log a warning in the log files at log level 5 >+ if a setting is still needed for the specified computer account. >+ </para> >+ >+ <para> >+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, >+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. >+ </para> >+ >+ <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para> >+ >+ <para>When set to 'yes' this option overrides the >+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and >+ '<smbconfoption name="allow nt4 crypto"/>' options and implies >+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'. >+ </para> >+ >+ <programlisting> >+ server reject md5 schannel:LEGACYCOMPUTER1$ = no >+ server reject md5 schannel:NASBOX$ = no >+ server reject md5 schannel:LEGACYCOMPUTER2$ = no >+ </programlisting> >+</description> >+ >+</samba:parameter> >-- >2.34.1 > > >From ba1482a18a807a5db4d1bd84640a0d5d83fcd9c3 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 13:13:36 +0100 >Subject: [PATCH 21/29] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject > md5 servers' and 'allow nt4 crypto' misconfigurations > >This allows the admin to notice what's wrong in order to adjust the >configuration if required. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381) > >[metze@samba.org remove lpcfg_weak_crypto() check for 4.15] >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 121 ++++++++++++++++++ > 1 file changed, 121 insertions(+) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 301a5c8144f5..d23cf48c6409 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -63,10 +63,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context > const struct dcesrv_interface *iface) > { > struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; >+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx); >+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); > int schannel = lpcfg_server_schannel(lp_ctx); > bool schannel_global_required = (schannel == true); >+ static bool warned_global_nt4_once = false; >+ static bool warned_global_md5_once = false; > static bool warned_global_schannel_once = false; > >+ if (global_allow_nt4_crypto && !warned_global_nt4_once) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ D_ERR("CVE-2022-38023 (and others): " >+ "Please configure 'allow nt4 crypto = no' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); >+ warned_global_nt4_once = true; >+ } >+ >+ if (!global_reject_md5_client && !warned_global_md5_once) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ D_ERR("CVE-2022-38023: " >+ "Please configure 'reject md5 clients = yes' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); >+ warned_global_md5_once = true; >+ } >+ > if (!schannel_global_required && !warned_global_schannel_once) { > /* > * We want admins to notice their misconfiguration! >@@ -148,6 +172,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( > bool reject_des_client; > bool allow_nt4_crypto; > bool reject_md5_client; >+ bool need_des = true; >+ bool need_md5 = true; >+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, >+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); >+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, >+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); > > /* > * We don't use lpcfg_parm_bool(), as we >@@ -179,19 +209,62 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( > reject_des_client = !allow_nt4_crypto; > > if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { >+ need_des = false; > reject_des_client = false; > } > > if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { >+ need_des = false; >+ need_md5 = false; > reject_des_client = false; > reject_md5_client = false; > } > > if (reject_des_client || reject_md5_client) { >+ TALLOC_CTX *frame = talloc_stackframe(); >+ >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: " >+ "client_account[%s] computer_name[%s] " >+ "schannel_type[%u] " >+ "client_negotiate_flags[0x%x] " >+ "%s%s%s " >+ "NT_STATUS_DOWNGRADE_DETECTED " >+ "reject_des[%u] reject_md5[%u]\n", >+ log_escape(frame, r->in.account_name), >+ log_escape(frame, r->in.computer_name), >+ r->in.secure_channel_type, >+ (unsigned)*r->in.negotiate_flags, >+ trust_account_in_db ? "real_account[" : "", >+ trust_account_in_db ? trust_account_in_db : "", >+ trust_account_in_db ? "]" : "", >+ reject_des_client, >+ reject_md5_client)); >+ if (trust_account_in_db == NULL) { >+ goto return_downgrade; >+ } >+ >+ if (reject_md5_client && explicit_md5_opt == NULL) { >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: Check if option " >+ "'server reject md5 schannel:%s = no' " >+ "might be needed for a legacy client.\n", >+ trust_account_in_db)); >+ } >+ if (reject_des_client && explicit_nt4_opt == NULL) { >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: Check if option " >+ "'allow nt4 crypto:%s = yes' " >+ "might be needed for a legacy client.\n", >+ trust_account_in_db)); >+ } >+ >+return_downgrade: > /* > * Here we match Windows 2012 and return no flags. > */ > *r->out.negotiate_flags = 0; >+ TALLOC_FREE(frame); > return NT_STATUS_DOWNGRADE_DETECTED; > } > >@@ -224,6 +297,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( > */ > *r->out.negotiate_flags = negotiate_flags; > >+ if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) { >+ return orig_status; >+ } >+ >+ if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) { >+ D_INFO("CVE-2022-38023: Check if option " >+ "'server reject md5 schannel:%s = yes' not needed!?\n", >+ trust_account_in_db); >+ } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) { >+ D_INFO("CVE-2022-38023: Check if option " >+ "'server reject md5 schannel:%s = no' " >+ "still needed for a legacy client.\n", >+ trust_account_in_db); >+ } else if (need_md5 && explicit_md5_opt == NULL) { >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: Check if option " >+ "'server reject md5 schannel:%s = no' " >+ "might be needed for a legacy client.\n", >+ trust_account_in_db)); >+ } else if (!account_reject_md5_client && explicit_md5_opt) { >+ DEBUG(CVE_2022_38023_warn_level, ( >+ "CVE-2022-38023: Check if option " >+ "'server reject md5 schannel:%s = no' not needed!?\n", >+ trust_account_in_db)); >+ } >+ >+ if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) { >+ D_INFO("CVE-2022-38023: Check if option " >+ "'allow nt4 crypto:%s = no' not needed!?\n", >+ trust_account_in_db); >+ } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) { >+ D_INFO("CVE-2022-38023: Check if option " >+ "'allow nt4 crypto:%s = yes' " >+ "still needed for a legacy client.\n", >+ trust_account_in_db); >+ } else if (need_des && explicit_nt4_opt == NULL) { >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: Check if option " >+ "'allow nt4 crypto:%s = yes' " >+ "might be needed for a legacy client.\n", >+ trust_account_in_db)); >+ } else if (account_allow_nt4_crypto && explicit_nt4_opt) { >+ DEBUG(CVE_2022_38023_warn_level, ( >+ "CVE-2022-38023: Check if option " >+ "'allow nt4 crypto:%s = yes' not needed!?\n", >+ trust_account_in_db)); >+ } >+ > return orig_status; > } > >-- >2.34.1 > > >From 08b69ca61f747a74c5a6634d25ce35e43e145ecd Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 14:57:20 +0100 >Subject: [PATCH 22/29] CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 > crypto = yes' and 'reject md5 clients = no' > >Instead of using the generic deprecated option use the specific >allow nt4 crypto:COMPUTERACCOUNT = yes and >server reject md5 schannel:COMPUTERACCOUNT = no >in order to allow legacy tests for pass. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768) > >[metze@samba.org fixed conflict in 4.15] >--- > selftest/target/Samba4.pm | 55 ++++++++++++++++++++++++++++++++++----- > 1 file changed, 49 insertions(+), 6 deletions(-) > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index f452248db8d4..a1f29ebe3c65 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1617,7 +1617,6 @@ sub provision_ad_dc_ntvfs($$$) > my $extra_conf_options = "netbios aliases = localDC1-a > server services = +winbind -winbindd > ldap server require strong auth = allow_sasl_over_tls >- allow nt4 crypto = yes > raw NTLMv2 auth = yes > lsa over netlogon = yes > rpc server port = 1027 >@@ -1629,9 +1628,19 @@ sub provision_ad_dc_ntvfs($$$) > client min protocol = CORE > server min protocol = LANMAN1 > >- reject md5 clients = no >- > CVE_2020_1472:warn_about_unused_debug_level = 3 >+ CVE_2022_38023:warn_about_unused_debug_level = 3 >+ allow nt4 crypto:torturetest\$ = yes >+ server reject md5 schannel:schannel2\$ = no >+ server reject md5 schannel:schannel3\$ = no >+ server reject md5 schannel:schannel8\$ = no >+ server reject md5 schannel:schannel9\$ = no >+ server reject md5 schannel:torturetest\$ = no >+ server reject md5 schannel:tests4u2proxywk\$ = no >+ server reject md5 schannel:tests4u2selfbdc\$ = no >+ server reject md5 schannel:tests4u2selfwk\$ = no >+ server reject md5 schannel:torturepacbdc\$ = no >+ server reject md5 schannel:torturepacwksta\$ = no > server require schannel:schannel0\$ = no > server require schannel:schannel1\$ = no > server require schannel:schannel2\$ = no >@@ -1685,6 +1694,13 @@ sub provision_fl2000dc($$) > my $extra_conf_options = " > spnego:simulate_w2k=yes > ntlmssp_server:force_old_spnego=yes >+ >+ CVE_2022_38023:warn_about_unused_debug_level = 3 >+ server reject md5 schannel:tests4u2proxywk\$ = no >+ server reject md5 schannel:tests4u2selfbdc\$ = no >+ server reject md5 schannel:tests4u2selfwk\$ = no >+ server reject md5 schannel:torturepacbdc\$ = no >+ server reject md5 schannel:torturepacwksta\$ = no > "; > my $extra_provision_options = ["--base-schema=2008_R2"]; > # This environment uses plain text secrets >@@ -1728,7 +1744,16 @@ sub provision_fl2003dc($$$) > my $extra_conf_options = "allow dns updates = nonsecure and secure > dcesrv:header signing = no > dcesrv:max auth states = 0 >- dns forwarder = $ip_addr1 $ip_addr2"; >+ dns forwarder = $ip_addr1 $ip_addr2 >+ >+ CVE_2022_38023:warn_about_unused_debug_level = 3 >+ server reject md5 schannel:tests4u2proxywk\$ = no >+ server reject md5 schannel:tests4u2selfbdc\$ = no >+ server reject md5 schannel:tests4u2selfwk\$ = no >+ server reject md5 schannel:torturepacbdc\$ = no >+ server reject md5 schannel:torturepacwksta\$ = no >+"; >+ > my $extra_provision_options = ["--base-schema=2008_R2"]; > my $ret = $self->provision($prefix, > "domain controller", >@@ -1783,6 +1808,13 @@ sub provision_fl2008r2dc($$$) > ldap server require strong auth = no > # delay by 10 seconds, 10^7 usecs > ldap_server:delay_expire_disconnect = 10000 >+ >+ CVE_2022_38023:warn_about_unused_debug_level = 3 >+ server reject md5 schannel:tests4u2proxywk\$ = no >+ server reject md5 schannel:tests4u2selfbdc\$ = no >+ server reject md5 schannel:tests4u2selfwk\$ = no >+ server reject md5 schannel:torturepacbdc\$ = no >+ server reject md5 schannel:torturepacwksta\$ = no > "; > my $extra_provision_options = ["--base-schema=2008_R2"]; > my $ret = $self->provision($prefix, >@@ -1994,9 +2026,20 @@ sub provision_ad_dc($$$$$$$) > lpq cache time = 0 > print notify backchannel = yes > >- reject md5 clients = no >- > CVE_2020_1472:warn_about_unused_debug_level = 3 >+ CVE_2022_38023:warn_about_unused_debug_level = 3 >+ CVE_2022_38023:error_debug_level = 2 >+ server reject md5 schannel:schannel2\$ = no >+ server reject md5 schannel:schannel3\$ = no >+ server reject md5 schannel:schannel8\$ = no >+ server reject md5 schannel:schannel9\$ = no >+ server reject md5 schannel:torturetest\$ = no >+ server reject md5 schannel:tests4u2proxywk\$ = no >+ server reject md5 schannel:tests4u2selfbdc\$ = no >+ server reject md5 schannel:tests4u2selfwk\$ = no >+ server reject md5 schannel:torturepacbdc\$ = no >+ server reject md5 schannel:torturepacwksta\$ = no >+ server reject md5 schannel:samlogontest\$ = no > server require schannel:schannel0\$ = no > server require schannel:schannel1\$ = no > server require schannel:schannel2\$ = no >-- >2.34.1 > > >From 57986cad714cc2f738c7482208204ed4e18b1f19 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 16:57:24 +0100 >Subject: [PATCH 23/29] CVE-2022-38023 s4:rpc_server/netlogon: split out > dcesrv_netr_check_schannel() function > >This will allow us to reuse the function in other places. >As it will also get some additional checks soon. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++-------- > 1 file changed, 51 insertions(+), 33 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index d23cf48c6409..db4e62b335e1 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -843,18 +843,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca > return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); > } > >-/* >- * NOTE: The following functions are nearly identical to the ones available in >- * source3/rpc_server/srv_nelog_nt.c >- * The reason we keep 2 copies is that they use different structures to >- * represent the auth_info and the decrpc pipes. >- */ >-static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, >- TALLOC_CTX *mem_ctx, >- const char *computer_name, >- struct netr_Authenticator *received_authenticator, >- struct netr_Authenticator *return_authenticator, >- struct netlogon_creds_CredentialState **creds_out) >+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, >+ const struct netlogon_creds_CredentialState *creds, >+ enum dcerpc_AuthType auth_type, >+ enum dcerpc_AuthLevel auth_level, >+ uint16_t opnum) > { > struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; > TALLOC_CTX *frame = talloc_stackframe(); >@@ -863,15 +856,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > bool schannel_global_required = (schannel == true); > bool schannel_required = schannel_global_required; > const char *explicit_opt = NULL; >- struct netlogon_creds_CredentialState *creds = NULL; > int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, > "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); > int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, > "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); > unsigned int dbg_lvl = DBGLVL_DEBUG; >- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; >- uint16_t opnum = dce_call->pkt.u.request.opnum; > const char *opname = "<unknown>"; > const char *reason = "<unknown>"; > >@@ -879,8 +868,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > opname = ndr_table_netlogon.calls[opnum].name; > } > >- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); >- > if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { > if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { > reason = "WITH SEALED"; >@@ -893,17 +880,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > reason = "WITHOUT"; > } > >- nt_status = schannel_check_creds_state(mem_ctx, >- lp_ctx, >- computer_name, >- received_authenticator, >- return_authenticator, >- &creds); >- if (!NT_STATUS_IS_OK(nt_status)) { >- ZERO_STRUCTP(return_authenticator); >- return nt_status; >- } >- > /* > * We don't use lpcfg_parm_bool(), as we > * need the explicit_opt pointer in order to >@@ -943,7 +919,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > log_escape(frame, creds->computer_name))); > } > >- *creds_out = creds; > TALLOC_FREE(frame); > return nt_status; > } >@@ -977,8 +952,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > "might be needed for a legacy client.\n", > log_escape(frame, creds->account_name))); > } >- TALLOC_FREE(creds); >- ZERO_STRUCTP(return_authenticator); > TALLOC_FREE(frame); > return nt_status; > } >@@ -1022,11 +995,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc > log_escape(frame, creds->computer_name))); > } > >- *creds_out = creds; > TALLOC_FREE(frame); > return NT_STATUS_OK; > } > >+/* >+ * NOTE: The following functions are nearly identical to the ones available in >+ * source3/rpc_server/srv_nelog_nt.c >+ * The reason we keep 2 copies is that they use different structures to >+ * represent the auth_info and the decrpc pipes. >+ */ >+static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call, >+ TALLOC_CTX *mem_ctx, >+ const char *computer_name, >+ struct netr_Authenticator *received_authenticator, >+ struct netr_Authenticator *return_authenticator, >+ struct netlogon_creds_CredentialState **creds_out) >+{ >+ NTSTATUS nt_status; >+ struct netlogon_creds_CredentialState *creds = NULL; >+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; >+ >+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); >+ >+ nt_status = schannel_check_creds_state(mem_ctx, >+ dce_call->conn->dce_ctx->lp_ctx, >+ computer_name, >+ received_authenticator, >+ return_authenticator, >+ &creds); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ ZERO_STRUCTP(return_authenticator); >+ return nt_status; >+ } >+ >+ nt_status = dcesrv_netr_check_schannel(dce_call, >+ creds, >+ auth_type, >+ auth_level, >+ dce_call->pkt.u.request.opnum); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ TALLOC_FREE(creds); >+ ZERO_STRUCTP(return_authenticator); >+ return nt_status; >+ } >+ >+ *creds_out = creds; >+ return NT_STATUS_OK; >+} >+ > /* > Change the machine account password for the currently connected > client. Supplies only the NT#. >-- >2.34.1 > > >From 2b0dc83e0642f7b1f41b6184fb6e20320cd96b63 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 17:15:36 +0100 >Subject: [PATCH 24/29] CVE-2022-38023 s4:rpc_server/netlogon: make sure all > dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel() > >We'll soon add some additional contraints in dcesrv_netr_check_schannel(), >which are also required for dcesrv_netr_LogonSamLogonEx(). > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++---- > 1 file changed, 29 insertions(+), 7 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index db4e62b335e1..13846f3d15d3 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -1407,6 +1407,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL > struct auth_usersupplied_info *user_info = NULL; > NTSTATUS nt_status; > struct tevent_req *subreq = NULL; >+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; >+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; >+ >+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level); >+ >+ switch (dce_call->pkt.u.request.opnum) { >+ case NDR_NETR_LOGONSAMLOGON: >+ case NDR_NETR_LOGONSAMLOGONWITHFLAGS: >+ /* >+ * These already called dcesrv_netr_check_schannel() >+ * via dcesrv_netr_creds_server_step_check() >+ */ >+ break; >+ case NDR_NETR_LOGONSAMLOGONEX: >+ default: >+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { >+ return NT_STATUS_ACCESS_DENIED; >+ } >+ >+ nt_status = dcesrv_netr_check_schannel(dce_call, >+ creds, >+ auth_type, >+ auth_level, >+ dce_call->pkt.u.request.opnum); >+ if (!NT_STATUS_IS_OK(nt_status)) { >+ return nt_status; >+ } >+ break; >+ } > > *r->out.authoritative = 1; > >@@ -1755,7 +1784,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply( > static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx, > struct netr_LogonSamLogonEx *r) > { >- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; > struct dcesrv_netr_LogonSamLogon_base_state *state; > NTSTATUS nt_status; > >@@ -1793,12 +1821,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, > return nt_status; > } > >- dcesrv_call_auth_info(dce_call, &auth_type, NULL); >- >- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { >- return NT_STATUS_ACCESS_DENIED; >- } >- > nt_status = dcesrv_netr_LogonSamLogon_base_call(state); > > if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) { >-- >2.34.1 > > >From dba546dbfa5dcaa22ed828c2f5b7fa9c8cb6242e Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 16:53:35 +0100 >Subject: [PATCH 25/29] CVE-2022-38023 docs-xml/smbdotconf: add "server > schannel require seal[:COMPUTERACCOUNT]" options > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470) >--- > .../smbdotconf/security/serverschannel.xml | 43 ++++++- > .../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++ > lib/param/loadparm.c | 1 + > source3/param/loadparm.c | 1 + > 4 files changed, 157 insertions(+), 6 deletions(-) > create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml > >diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml >index 3e66df1c2032..42a657912cac 100644 >--- a/docs-xml/smbdotconf/security/serverschannel.xml >+++ b/docs-xml/smbdotconf/security/serverschannel.xml >@@ -12,19 +12,37 @@ > the hardcoded behavior in future). > </para> > >- <para> >- Samba will complain in the log files at log level 0, >- about the security problem if the option is not set to "yes". >+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead! > </para> >+ >+ <para> >+ Samba will log an error in the log files at log level 0 >+ if legacy a client is rejected or allowed without an explicit, >+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option >+ for the client. The message will indicate >+ the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' >+ line to be added, if the legacy client software requires it. (The log level can be adjusted with >+ '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). >+ </para> >+ > <para> >- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 >+ This allows admins to use "auto" only for a short grace period, >+ in order to collect the explicit >+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options. > </para> > >- <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option. >+ <para> >+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>, >+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>. > </para> > > <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> > >+ <para>This option is over-ridden by the effective value of 'yes' from >+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' >+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para> >+ > </description> > > <value type="default">yes</value> >@@ -48,6 +66,9 @@ > about the security problem if the option is not set to "no", > but the related computer is actually using the netlogon > secure channel (schannel) feature. >+ (The log level can be adjusted with >+ '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). > </para> > > <para> >@@ -56,15 +77,25 @@ > </para> > > <para> >- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 >+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>, >+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>. > </para> > > <para>This option overrides the <smbconfoption name="server schannel"/> option.</para> > >+ <para>This option is over-ridden by the effective value of 'yes' from >+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' >+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para> >+ <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' >+ is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para> >+ > <programlisting> > server require schannel:LEGACYCOMPUTER1$ = no >+ server require schannel seal:LEGACYCOMPUTER1$ = no > server require schannel:NASBOX$ = no >+ server require schannel seal:NASBOX$ = no > server require schannel:LEGACYCOMPUTER2$ = no >+ server require schannel seal:LEGACYCOMPUTER2$ = no > </programlisting> > </description> > >diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml >new file mode 100644 >index 000000000000..d4620d1252dd >--- /dev/null >+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml >@@ -0,0 +1,118 @@ >+<samba:parameter name="server schannel require seal" >+ context="G" >+ type="boolean" >+ deprecated="1" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ >+ <para> >+ This option is deprecated and will be removed in future, >+ as it is a security problem if not set to "yes" (which will be >+ the hardcoded behavior in future). >+ </para> >+ >+ <para> >+ This option controls whether the netlogon server (currently >+ only in 'active directory domain controller' mode), will >+ reject the usage of netlogon secure channel without privacy/enryption. >+ </para> >+ >+ <para> >+ The option is modelled after the registry key available on Windows. >+ </para> >+ >+ <programlisting> >+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2 >+ </programlisting> >+ >+ <para> >+ <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option >+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead! >+ Which is available with the patches for >+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink> >+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. >+ </para> >+ >+ <para> >+ Samba will log an error in the log files at log level 0 >+ if legacy a client is rejected or allowed without an explicit, >+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option >+ for the client. The message will indicate >+ the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' >+ line to be added, if the legacy client software requires it. (The log level can be adjusted with >+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). >+ </para> >+ >+ <para>This allows admins to use "no" only for a short grace period, >+ in order to collect the explicit >+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para> >+ >+ <para> >+ When set to 'yes' this option overrides the >+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and >+ '<smbconfoption name="server schannel"/>' options and implies >+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. >+ </para> >+ >+ <para> >+ This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option. >+ </para> >+ >+</description> >+ >+<value type="default">yes</value> >+</samba:parameter> >+ >+<samba:parameter name="server schannel require seal:COMPUTERACCOUNT" >+ context="G" >+ type="string" >+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> >+<description> >+ >+ <para> >+ If you still have legacy domain members, which required "server schannel require seal = no" before, >+ it is possible to specify explicit exception per computer account >+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option. >+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of >+ the computer account (including the trailing '$' sign). >+ </para> >+ >+ <para> >+ Samba will log a complaint in the log files at log level 0 >+ about the security problem if the option is set to "no", >+ but the related computer does not require it. >+ (The log level can be adjusted with >+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>' >+ in order to complain only at a higher log level). >+ </para> >+ >+ <para> >+ Samba will warn in the log files at log level 5, >+ if a setting is still needed for the specified computer account. >+ </para> >+ >+ <para> >+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>, >+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>. >+ </para> >+ >+ <para> >+ This option overrides the '<smbconfoption name="server schannel require seal"/>' option. >+ </para> >+ >+ <para> >+ When set to 'yes' this option overrides the >+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and >+ '<smbconfoption name="server schannel"/>' options and implies >+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'. >+ </para> >+ >+ <programlisting> >+ server require schannel seal:LEGACYCOMPUTER1$ = no >+ server require schannel seal:NASBOX$ = no >+ server require schannel seal:LEGACYCOMPUTER2$ = no >+ </programlisting> >+</description> >+ >+</samba:parameter> >diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c >index 3f4e367570e4..c8ecaba70f13 100644 >--- a/lib/param/loadparm.c >+++ b/lib/param/loadparm.c >@@ -2722,6 +2722,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) > lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template"); > > lpcfg_do_global_parameter(lp_ctx, "server schannel", "True"); >+ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True"); > lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True"); > > lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True"); >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 13a8504425ca..4e10aaf4724e 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) > Globals.require_strong_key = true; > Globals.reject_md5_servers = true; > Globals.server_schannel = true; >+ Globals.server_schannel_require_seal = true; > Globals.reject_md5_clients = true; > Globals.read_raw = true; > Globals.write_raw = true; >-- >2.34.1 > > >From 15792b4035d520ad5a0bf4888fa5d6bedb8937aa Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 2 Dec 2022 14:31:26 +0100 >Subject: [PATCH 26/29] CVE-2022-38023 s4:rpc_server/netlogon: add a per > connection cache to dcesrv_netr_check_schannel() > >It's enough to warn the admin once per connection. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a) >--- > source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++---- > 1 file changed, 153 insertions(+), 40 deletions(-) > >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 13846f3d15d3..5a911d65afa3 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -843,23 +843,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca > return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3); > } > >-static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, >- const struct netlogon_creds_CredentialState *creds, >- enum dcerpc_AuthType auth_type, >- enum dcerpc_AuthLevel auth_level, >- uint16_t opnum) >+struct dcesrv_netr_check_schannel_state { >+ struct dom_sid account_sid; >+ enum dcerpc_AuthType auth_type; >+ enum dcerpc_AuthLevel auth_level; >+ >+ bool schannel_global_required; >+ bool schannel_required; >+ bool schannel_explicitly_set; >+ >+ NTSTATUS result; >+}; >+ >+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call, >+ const struct netlogon_creds_CredentialState *creds, >+ enum dcerpc_AuthType auth_type, >+ enum dcerpc_AuthLevel auth_level, >+ struct dcesrv_netr_check_schannel_state **_s) > { > struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; >- TALLOC_CTX *frame = talloc_stackframe(); >- NTSTATUS nt_status; > int schannel = lpcfg_server_schannel(lp_ctx); > bool schannel_global_required = (schannel == true); > bool schannel_required = schannel_global_required; > const char *explicit_opt = NULL; >+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) >+ struct dcesrv_netr_check_schannel_state *s = NULL; >+ NTSTATUS status; >+ >+ *_s = NULL; >+ >+ s = dcesrv_iface_state_find_conn(dce_call, >+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, >+ struct dcesrv_netr_check_schannel_state); >+ if (s != NULL) { >+ if (!dom_sid_equal(&s->account_sid, creds->sid)) { >+ goto new_state; >+ } >+ if (s->auth_type != auth_type) { >+ goto new_state; >+ } >+ if (s->auth_level != auth_level) { >+ goto new_state; >+ } >+ >+ *_s = s; >+ return NT_STATUS_OK; >+ } >+ >+new_state: >+ TALLOC_FREE(s); >+ s = talloc_zero(dce_call, >+ struct dcesrv_netr_check_schannel_state); >+ if (s == NULL) { >+ return NT_STATUS_NO_MEMORY; >+ } >+ >+ s->account_sid = *creds->sid; >+ s->auth_type = auth_type; >+ s->auth_level = auth_level; >+ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; >+ >+ /* >+ * We don't use lpcfg_parm_bool(), as we >+ * need the explicit_opt pointer in order to >+ * adjust the debug messages. >+ */ >+ explicit_opt = lpcfg_get_parametric(lp_ctx, >+ NULL, >+ "server require schannel", >+ creds->account_name); >+ if (explicit_opt != NULL) { >+ schannel_required = lp_bool(explicit_opt); >+ } >+ >+ s->schannel_global_required = schannel_global_required; >+ s->schannel_required = schannel_required; >+ s->schannel_explicitly_set = explicit_opt != NULL; >+ >+ status = dcesrv_iface_state_store_conn(dce_call, >+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, >+ s); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ *_s = s; >+ return NT_STATUS_OK; >+} >+ >+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call, >+ struct dcesrv_netr_check_schannel_state *s, >+ const struct netlogon_creds_CredentialState *creds, >+ uint16_t opnum) >+{ >+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx; > int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, > "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); > int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, > "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); >+ TALLOC_CTX *frame = talloc_stackframe(); > unsigned int dbg_lvl = DBGLVL_DEBUG; > const char *opname = "<unknown>"; > const char *reason = "<unknown>"; >@@ -868,37 +950,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, > opname = ndr_table_netlogon.calls[opnum].name; > } > >- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { >+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { > reason = "WITH SEALED"; >- } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { >+ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { > reason = "WITH SIGNED"; > } else { >- smb_panic("Schannel without SIGN/SEAL"); >+ reason = "WITH INVALID"; >+ dbg_lvl = DBGLVL_ERR; >+ s->result = NT_STATUS_INTERNAL_ERROR; > } > } else { > reason = "WITHOUT"; > } > >- /* >- * We don't use lpcfg_parm_bool(), as we >- * need the explicit_opt pointer in order to >- * adjust the debug messages. >- */ >- explicit_opt = lpcfg_get_parametric(lp_ctx, >- NULL, >- "server require schannel", >- creds->account_name); >- if (explicit_opt != NULL) { >- schannel_required = lp_bool(explicit_opt); >+ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) { >+ if (!NT_STATUS_IS_OK(s->result)) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); >+ } >+ >+ DEBUG(dbg_lvl, ( >+ "CVE-2020-1472(ZeroLogon): " >+ "%s request (opnum[%u]) %s schannel from " >+ "client_account[%s] client_computer_name[%s] %s\n", >+ opname, opnum, reason, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name), >+ nt_errstr(s->result))); >+ TALLOC_FREE(frame); >+ return s->result; > } > >- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >- nt_status = NT_STATUS_OK; >+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ s->result = NT_STATUS_OK; > >- if (explicit_opt != NULL && !schannel_required) { >+ if (s->schannel_explicitly_set && !s->schannel_required) { > dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); >- } else if (!schannel_required) { >+ } else if (!s->schannel_required) { > dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); > } > >@@ -909,9 +997,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, > opname, opnum, reason, > log_escape(frame, creds->account_name), > log_escape(frame, creds->computer_name), >- nt_errstr(nt_status))); >- >- if (explicit_opt != NULL && !schannel_required) { >+ nt_errstr(s->result))); >+ if (s->schannel_explicitly_set && !s->schannel_required) { > DEBUG(CVE_2020_1472_warn_level, ( > "CVE-2020-1472(ZeroLogon): " > "Option 'server require schannel:%s = no' not needed for '%s'!\n", >@@ -920,13 +1007,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, > } > > TALLOC_FREE(frame); >- return nt_status; >+ return s->result; > } > >- if (schannel_required) { >- nt_status = NT_STATUS_ACCESS_DENIED; >+ if (s->schannel_required) { >+ s->result = NT_STATUS_ACCESS_DENIED; > >- if (explicit_opt != NULL) { >+ if (s->schannel_explicitly_set) { > dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); > } else { > dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); >@@ -939,8 +1026,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, > opname, opnum, reason, > log_escape(frame, creds->account_name), > log_escape(frame, creds->computer_name), >- nt_errstr(nt_status))); >- if (explicit_opt != NULL) { >+ nt_errstr(s->result))); >+ if (s->schannel_explicitly_set) { > D_NOTICE("CVE-2020-1472(ZeroLogon): Option " > "'server require schannel:%s = yes' " > "rejects access for client.\n", >@@ -953,12 +1040,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, > log_escape(frame, creds->account_name))); > } > TALLOC_FREE(frame); >- return nt_status; >+ return s->result; > } > >- nt_status = NT_STATUS_OK; >+ s->result = NT_STATUS_OK; > >- if (explicit_opt != NULL) { >+ if (s->schannel_explicitly_set) { > dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); > } else { > dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); >@@ -971,9 +1058,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, > opname, opnum, reason, > log_escape(frame, creds->account_name), > log_escape(frame, creds->computer_name), >- nt_errstr(nt_status))); >+ nt_errstr(s->result))); > >- if (explicit_opt != NULL) { >+ if (s->schannel_explicitly_set) { > D_INFO("CVE-2020-1472(ZeroLogon): Option " > "'server require schannel:%s = no' " > "still needed for '%s'!\n", >@@ -996,6 +1083,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, > } > > TALLOC_FREE(frame); >+ return s->result; >+} >+ >+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call, >+ const struct netlogon_creds_CredentialState *creds, >+ enum dcerpc_AuthType auth_type, >+ enum dcerpc_AuthLevel auth_level, >+ uint16_t opnum) >+{ >+ struct dcesrv_netr_check_schannel_state *s = NULL; >+ NTSTATUS status; >+ >+ status = dcesrv_netr_check_schannel_get_state(dce_call, >+ creds, >+ auth_type, >+ auth_level, >+ &s); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ >+ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum); >+ if (!NT_STATUS_IS_OK(status)) { >+ return status; >+ } >+ > return NT_STATUS_OK; > } > >-- >2.34.1 > > >From 93e4e50d250a85c9b0308c3f899ab00f47f427df Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Fri, 25 Nov 2022 14:05:30 +0100 >Subject: [PATCH 27/29] CVE-2022-38023 s4:rpc_server/netlogon: implement > "server schannel require seal[:COMPUTERACCOUNT]" > >By default we'll now require schannel connections with >privacy/sealing/encryption. > >But we allow exceptions for specific computer/trust accounts. > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1) >--- > selftest/target/Samba4.pm | 28 ++ > source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++- > 2 files changed, 271 insertions(+), 1 deletion(-) > >diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm >index a1f29ebe3c65..389f2e75731a 100755 >--- a/selftest/target/Samba4.pm >+++ b/selftest/target/Samba4.pm >@@ -1654,9 +1654,23 @@ sub provision_ad_dc_ntvfs($$$) > server require schannel:schannel10\$ = no > server require schannel:schannel11\$ = no > server require schannel:torturetest\$ = no >+ server schannel require seal:schannel0\$ = no >+ server schannel require seal:schannel1\$ = no >+ server schannel require seal:schannel2\$ = no >+ server schannel require seal:schannel3\$ = no >+ server schannel require seal:schannel4\$ = no >+ server schannel require seal:schannel5\$ = no >+ server schannel require seal:schannel6\$ = no >+ server schannel require seal:schannel7\$ = no >+ server schannel require seal:schannel8\$ = no >+ server schannel require seal:schannel9\$ = no >+ server schannel require seal:schannel10\$ = no >+ server schannel require seal:schannel11\$ = no >+ server schannel require seal:torturetest\$ = no > > # needed for 'samba.tests.auth_log' tests > server require schannel:LOCALDC\$ = no >+ server schannel require seal:LOCALDC\$ = no > "; > push (@{$extra_provision_options}, "--use-ntvfs"); > my $ret = $self->provision($prefix, >@@ -2053,6 +2067,19 @@ sub provision_ad_dc($$$$$$$) > server require schannel:schannel10\$ = no > server require schannel:schannel11\$ = no > server require schannel:torturetest\$ = no >+ server schannel require seal:schannel0\$ = no >+ server schannel require seal:schannel1\$ = no >+ server schannel require seal:schannel2\$ = no >+ server schannel require seal:schannel3\$ = no >+ server schannel require seal:schannel4\$ = no >+ server schannel require seal:schannel5\$ = no >+ server schannel require seal:schannel6\$ = no >+ server schannel require seal:schannel7\$ = no >+ server schannel require seal:schannel8\$ = no >+ server schannel require seal:schannel9\$ = no >+ server schannel require seal:schannel10\$ = no >+ server schannel require seal:schannel11\$ = no >+ server schannel require seal:torturetest\$ = no > > auth event notification = true > dsdb event notification = true >@@ -2734,6 +2761,7 @@ sub setup_ad_dc_smb1 > > # needed for 'samba.tests.auth_log' tests > server require schannel:ADDCSMB1\$ = no >+ server schannel require seal:ADDCSMB1\$ = no > "; > return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com"); > } >diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c >index 5a911d65afa3..2d4e6a2d4c70 100644 >--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c >+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c >@@ -67,9 +67,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context > bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); > int schannel = lpcfg_server_schannel(lp_ctx); > bool schannel_global_required = (schannel == true); >+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); > static bool warned_global_nt4_once = false; > static bool warned_global_md5_once = false; > static bool warned_global_schannel_once = false; >+ static bool warned_global_seal_once = false; > > if (global_allow_nt4_crypto && !warned_global_nt4_once) { > /* >@@ -101,6 +103,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context > warned_global_schannel_once = true; > } > >+ if (!global_require_seal && !warned_global_seal_once) { >+ /* >+ * We want admins to notice their misconfiguration! >+ */ >+ D_ERR("CVE-2022-38023 (and others): " >+ "Please configure 'server schannel require seal = yes' (the default), " >+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); >+ warned_global_seal_once = true; >+ } >+ > return dcesrv_interface_bind_reject_connect(context, iface); > } > >@@ -852,6 +864,10 @@ struct dcesrv_netr_check_schannel_state { > bool schannel_required; > bool schannel_explicitly_set; > >+ bool seal_global_required; >+ bool seal_required; >+ bool seal_explicitly_set; >+ > NTSTATUS result; > }; > >@@ -866,6 +882,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d > bool schannel_global_required = (schannel == true); > bool schannel_required = schannel_global_required; > const char *explicit_opt = NULL; >+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); >+ bool require_seal = global_require_seal; >+ const char *explicit_seal_opt = NULL; > #define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1) > struct dcesrv_netr_check_schannel_state *s = NULL; > NTSTATUS status; >@@ -903,6 +922,19 @@ new_state: > s->auth_level = auth_level; > s->result = NT_STATUS_MORE_PROCESSING_REQUIRED; > >+ /* >+ * We don't use lpcfg_parm_bool(), as we >+ * need the explicit_opt pointer in order to >+ * adjust the debug messages. >+ */ >+ explicit_seal_opt = lpcfg_get_parametric(lp_ctx, >+ NULL, >+ "server schannel require seal", >+ creds->account_name); >+ if (explicit_seal_opt != NULL) { >+ require_seal = lp_bool(explicit_seal_opt); >+ } >+ > /* > * We don't use lpcfg_parm_bool(), as we > * need the explicit_opt pointer in order to >@@ -920,6 +952,10 @@ new_state: > s->schannel_required = schannel_required; > s->schannel_explicitly_set = explicit_opt != NULL; > >+ s->seal_global_required = global_require_seal; >+ s->seal_required = require_seal; >+ s->seal_explicitly_set = explicit_seal_opt != NULL; >+ > status = dcesrv_iface_state_store_conn(dce_call, > DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC, > s); >@@ -941,6 +977,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); > int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, > "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); >+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL, >+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); >+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL, >+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); > TALLOC_CTX *frame = talloc_stackframe(); > unsigned int dbg_lvl = DBGLVL_DEBUG; > const char *opname = "<unknown>"; >@@ -970,7 +1010,7 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > } > > DEBUG(dbg_lvl, ( >- "CVE-2020-1472(ZeroLogon): " >+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " > "%s request (opnum[%u]) %s schannel from " > "client_account[%s] client_computer_name[%s] %s\n", > opname, opnum, reason, >@@ -981,7 +1021,96 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > return s->result; > } > >+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL && >+ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) >+ { >+ s->result = NT_STATUS_OK; >+ >+ if (s->schannel_explicitly_set && !s->schannel_required) { >+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); >+ } else if (!s->schannel_required) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); >+ } >+ if (s->seal_explicitly_set && !s->seal_required) { >+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); >+ } else if (!s->seal_required) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); >+ } >+ >+ DEBUG(dbg_lvl, ( >+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " >+ "%s request (opnum[%u]) %s schannel from " >+ "client_account[%s] client_computer_name[%s] %s\n", >+ opname, opnum, reason, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name), >+ nt_errstr(s->result))); >+ >+ if (s->schannel_explicitly_set && !s->schannel_required) { >+ DEBUG(CVE_2020_1472_warn_level, ( >+ "CVE-2020-1472(ZeroLogon): " >+ "Option 'server require schannel:%s = no' not needed for '%s'!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name))); >+ } >+ >+ if (s->seal_explicitly_set && !s->seal_required) { >+ DEBUG(CVE_2022_38023_warn_level, ( >+ "CVE-2022-38023: " >+ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name))); >+ } >+ >+ TALLOC_FREE(frame); >+ return s->result; >+ } >+ > if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { >+ if (s->seal_required) { >+ s->result = NT_STATUS_ACCESS_DENIED; >+ >+ if (s->seal_explicitly_set) { >+ dbg_lvl = DBGLVL_NOTICE; >+ } else { >+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); >+ } >+ if (s->schannel_explicitly_set && !s->schannel_required) { >+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); >+ } >+ >+ DEBUG(dbg_lvl, ( >+ "CVE-2022-38023: " >+ "%s request (opnum[%u]) %s schannel from " >+ "from client_account[%s] client_computer_name[%s] %s\n", >+ opname, opnum, reason, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name), >+ nt_errstr(s->result))); >+ if (s->seal_explicitly_set) { >+ D_NOTICE("CVE-2022-38023: Option " >+ "'server schannel require seal:%s = yes' " >+ "rejects access for client.\n", >+ log_escape(frame, creds->account_name)); >+ } else { >+ DEBUG(CVE_2020_1472_error_level, ( >+ "CVE-2022-38023: Check if option " >+ "'server schannel require seal:%s = no' " >+ "might be needed for a legacy client.\n", >+ log_escape(frame, creds->account_name))); >+ } >+ if (s->schannel_explicitly_set && !s->schannel_required) { >+ DEBUG(CVE_2020_1472_warn_level, ( >+ "CVE-2020-1472(ZeroLogon): Option " >+ "'server require schannel:%s = no' " >+ "not needed for '%s'!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name))); >+ } >+ TALLOC_FREE(frame); >+ return s->result; >+ } >+ > s->result = NT_STATUS_OK; > > if (s->schannel_explicitly_set && !s->schannel_required) { >@@ -989,6 +1118,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > } else if (!s->schannel_required) { > dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); > } >+ if (s->seal_explicitly_set && !s->seal_required) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); >+ } else if (!s->seal_required) { >+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); >+ } > > DEBUG(dbg_lvl, ( > "CVE-2020-1472(ZeroLogon): " >@@ -1005,11 +1139,81 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > log_escape(frame, creds->account_name), > log_escape(frame, creds->computer_name))); > } >+ if (s->seal_explicitly_set && !s->seal_required) { >+ D_INFO("CVE-2022-38023: " >+ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); >+ } else if (!s->seal_required) { >+ /* >+ * admins should set >+ * server schannel require seal:COMPUTER$ = no >+ * in order to avoid the level 0 messages. >+ * Over time they can switch the global value >+ * to be strict. >+ */ >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: " >+ "Please use 'server schannel require seal:%s = no' " >+ "for '%s' to avoid this warning!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name))); >+ } > > TALLOC_FREE(frame); > return s->result; > } > >+ if (s->seal_required) { >+ s->result = NT_STATUS_ACCESS_DENIED; >+ >+ if (s->seal_explicitly_set) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); >+ } else { >+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); >+ } >+ if (!s->schannel_explicitly_set) { >+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); >+ } else if (s->schannel_required) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); >+ } >+ >+ DEBUG(dbg_lvl, ( >+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " >+ "%s request (opnum[%u]) %s schannel from " >+ "from client_account[%s] client_computer_name[%s] %s\n", >+ opname, opnum, reason, >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name), >+ nt_errstr(s->result))); >+ if (s->seal_explicitly_set) { >+ D_NOTICE("CVE-2022-38023: Option " >+ "'server schannel require seal:%s = yes' " >+ "rejects access for client.\n", >+ log_escape(frame, creds->account_name)); >+ } else { >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: Check if option " >+ "'server schannel require seal:%s = no' " >+ "might be needed for a legacy client.\n", >+ log_escape(frame, creds->account_name))); >+ } >+ if (!s->schannel_explicitly_set) { >+ DEBUG(CVE_2020_1472_error_level, ( >+ "CVE-2020-1472(ZeroLogon): Check if option " >+ "'server require schannel:%s = no' " >+ "might be needed for a legacy client.\n", >+ log_escape(frame, creds->account_name))); >+ } else if (s->schannel_required) { >+ D_NOTICE("CVE-2022-38023: Option " >+ "'server require schannel:%s = yes' " >+ "also rejects access for client.\n", >+ log_escape(frame, creds->account_name)); >+ } >+ TALLOC_FREE(frame); >+ return s->result; >+ } >+ > if (s->schannel_required) { > s->result = NT_STATUS_ACCESS_DENIED; > >@@ -1018,6 +1222,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > } else { > dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); > } >+ if (!s->seal_explicitly_set) { >+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); >+ } > > DEBUG(dbg_lvl, ( > "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " >@@ -1039,12 +1246,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > "might be needed for a legacy client.\n", > log_escape(frame, creds->account_name))); > } >+ if (!s->seal_explicitly_set) { >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: Check if option " >+ "'server schannel require seal:%s = no' " >+ "might be needed for a legacy client.\n", >+ log_escape(frame, creds->account_name))); >+ } > TALLOC_FREE(frame); > return s->result; > } > > s->result = NT_STATUS_OK; > >+ if (s->seal_explicitly_set) { >+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); >+ } else { >+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); >+ } >+ > if (s->schannel_explicitly_set) { > dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); > } else { >@@ -1060,6 +1280,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca > log_escape(frame, creds->computer_name), > nt_errstr(s->result))); > >+ if (s->seal_explicitly_set) { >+ D_INFO("CVE-2022-38023: Option " >+ "'server schannel require seal:%s = no' " >+ "still needed for '%s'!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name)); >+ } else { >+ /* >+ * admins should set >+ * server schannel require seal:COMPUTER$ = no >+ * in order to avoid the level 0 messages. >+ * Over time they can switch the global value >+ * to be strict. >+ */ >+ DEBUG(CVE_2022_38023_error_level, ( >+ "CVE-2022-38023: Please use " >+ "'server schannel require seal:%s = no' " >+ "for '%s' to avoid this warning!\n", >+ log_escape(frame, creds->account_name), >+ log_escape(frame, creds->computer_name))); >+ } >+ > if (s->schannel_explicitly_set) { > D_INFO("CVE-2020-1472(ZeroLogon): Option " > "'server require schannel:%s = no' " >-- >2.34.1 > > >From 28ac3faa51c66b005a90c527393fa7c2d43d4c31 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Wed, 30 Nov 2022 15:13:47 +0100 >Subject: [PATCH 28/29] CVE-2022-38023 testparm: warn about server/client > schannel != yes > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e) >--- > source3/utils/testparm.c | 20 +++++++++++++++++--- > 1 file changed, 17 insertions(+), 3 deletions(-) > >diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c >index 58ba46bc15fb..dd8acb58ff71 100644 >--- a/source3/utils/testparm.c >+++ b/source3/utils/testparm.c >@@ -598,11 +598,25 @@ static int do_global_checks(void) > ret = 1; > } > >- if (!lp_server_schannel()) { >+ if (lp_server_schannel() != true) { /* can be 'auto' */ > fprintf(stderr, >- "WARNING: You have configured 'server schannel = no'. " >+ "WARNING: You have not configured " >+ "'server schannel = yes' (the default). " > "Your server is vulernable to \"ZeroLogon\" " >- "(CVE-2020-1472)\n\n"); >+ "(CVE-2020-1472)\n" >+ "If required use individual " >+ "'server require schannel:COMPUTERACCOUNT$ = no' " >+ "options\n\n"); >+ } >+ if (lp_client_schannel() != true) { /* can be 'auto' */ >+ fprintf(stderr, >+ "WARNING: You have not configured " >+ "'client schannel = yes' (the default). " >+ "Your server is vulernable to \"ZeroLogon\" " >+ "(CVE-2020-1472)\n" >+ "If required use individual " >+ "'client schannel:NETBIOSDOMAIN = no' " >+ "options\n\n"); > } > > return ret; >-- >2.34.1 > > >From d10dfa85819750f4665dc5fa974f35ce7871acf8 Mon Sep 17 00:00:00 2001 >From: Stefan Metzmacher <metze@samba.org> >Date: Tue, 6 Dec 2022 13:36:17 +0100 >Subject: [PATCH 29/29] CVE-2022-38023 testparm: warn about unsecure schannel > related options > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 > >Signed-off-by: Stefan Metzmacher <metze@samba.org> >Reviewed-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Ralph Boehme <slow@samba.org> >(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb) >--- > source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++ > 1 file changed, 61 insertions(+) > >diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c >index dd8acb58ff71..bda8f9e1bfba 100644 >--- a/source3/utils/testparm.c >+++ b/source3/utils/testparm.c >@@ -608,6 +608,37 @@ static int do_global_checks(void) > "'server require schannel:COMPUTERACCOUNT$ = no' " > "options\n\n"); > } >+ if (lp_allow_nt4_crypto()) { >+ fprintf(stderr, >+ "WARNING: You have not configured " >+ "'allow nt4 crypto = no' (the default). " >+ "Your server is vulernable to " >+ "CVE-2022-38023 and others!\n" >+ "If required use individual " >+ "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' " >+ "options\n\n"); >+ } >+ if (!lp_reject_md5_clients()) { >+ fprintf(stderr, >+ "WARNING: You have not configured " >+ "'reject md5 clients = yes' (the default). " >+ "Your server is vulernable to " >+ "CVE-2022-38023!\n" >+ "If required use individual " >+ "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' " >+ "options\n\n"); >+ } >+ if (!lp_server_schannel_require_seal()) { >+ fprintf(stderr, >+ "WARNING: You have not configured " >+ "'server schannel require seal = yes' (the default). " >+ "Your server is vulernable to " >+ "CVE-2022-38023!\n" >+ "If required use individual " >+ "'server schannel require seal:COMPUTERACCOUNT$ = no' " >+ "options\n\n"); >+ } >+ > if (lp_client_schannel() != true) { /* can be 'auto' */ > fprintf(stderr, > "WARNING: You have not configured " >@@ -618,6 +649,36 @@ static int do_global_checks(void) > "'client schannel:NETBIOSDOMAIN = no' " > "options\n\n"); > } >+ if (!lp_reject_md5_servers()) { >+ fprintf(stderr, >+ "WARNING: You have not configured " >+ "'reject md5 servers = yes' (the default). " >+ "Your server is vulernable to " >+ "CVE-2022-38023\n" >+ "If required use individual " >+ "'reject md5 servers:NETBIOSDOMAIN = no' " >+ "options\n\n"); >+ } >+ if (!lp_require_strong_key()) { >+ fprintf(stderr, >+ "WARNING: You have not configured " >+ "'require strong key = yes' (the default). " >+ "Your server is vulernable to " >+ "CVE-2022-38023\n" >+ "If required use individual " >+ "'require strong key:NETBIOSDOMAIN = no' " >+ "options\n\n"); >+ } >+ if (!lp_winbind_sealed_pipes()) { >+ fprintf(stderr, >+ "WARNING: You have not configured " >+ "'winbind sealed pipes = yes' (the default). " >+ "Your server is vulernable to " >+ "CVE-2022-38023\n" >+ "If required use individual " >+ "'winbind sealed pipes:NETBIOSDOMAIN = no' " >+ "options\n\n"); >+ } > > return ret; > } >-- >2.34.1 >
You cannot view the attachment while viewing its details because your browser does not support IFRAMEs.
View the attachment on a separate page
.
View Attachment As Raw
Flags:
metze
:
review?
(
abartlet
)
bbaumbach
:
review+
metze
:
ci-passed+
Actions:
View
Attachments on
bug 15240
:
17652
|
17671
|
17684
|
17692
|
17693
|
17694
| 17698 |
17705
|
17726
|
17727
|
17728
|
17736