The Samba-Bugzilla – Attachment 17809 Details for Bug 15315
CVE-2023-0922 [SECURITY] Samba AD DC admin tool samba-tool sends passwords in cleartext
[patch] Patch for master v4
CVE-2023-0922-samba-tool-sends-cleartext-password-sec-only-master-v4.patch (text/plain), 4.34 KB, created by Andrew Bartlett on 2023-03-13 22:00:05 UTC
>From faa7babcd8db9ef14398848d0c398578d1a79d85 Mon Sep 17 00:00:00 2001 >From: Rob van der Linde <rob@catalyst.net.nz> >Date: Mon, 27 Feb 2023 14:06:23 +1300 >Subject: [PATCH] CVE-2023-0614: set default ldap client sasl wrapping to seal > >Signed-off-by: Rob van der Linde <rob@catalyst.net.nz> >Signed-off-by: Andrew Bartlett <abartlet@samba.org> >Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> >--- > .../ldap/clientldapsaslwrapping.xml | 27 +++++++++---------- > lib/param/loadparm.c | 2 +- > python/samba/tests/auth_log.py | 2 +- > source3/param/loadparm.c | 2 +- > 4 files changed, 16 insertions(+), 17 deletions(-) > >diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml >index 3152f0682dd..21bd2090057 100644 >--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml >+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml 
>@@ -18,25 +18,24 @@ > </para> > > <para> >- This option is needed in the case of Domain Controllers enforcing >- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher). >- LDAP sign and seal can be controlled with the registry key >- "<literal>HKLM\System\CurrentControlSet\Services\</literal> >- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>" >- on the Windows server side. >- </para> >+ This option is needed firstly to secure the privacy of >+ administrative connections from <command>samba-tool</command>, >+ including in particular new or reset passwords for users. For >+ this reason the default is <emphasis>seal</emphasis>.</para> > >- <para> >- Depending on the used KRB5 library (MIT and older Heimdal versions) >- it is possible that the message "integrity only" is not supported. >- In this case, <emphasis>sign</emphasis> is just an alias for >- <emphasis>seal</emphasis>. >+ <para>Additionally, <command>winbindd</command> and the >+ <command>net</command> tool can use LDAP to communicate with >+ Domain Controllers, so this option also controls the level of >+ privacy for those connections. All supported AD DC versions >+ will enforce the usage of at least signed LDAP connections by >+ default, so a value of at least <emphasis>sign</emphasis> is >+ required in practice. > </para> > > <para> >- The default value is <emphasis>sign</emphasis>. That implies synchronizing the time >+ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time > with the KDC in the case of using <emphasis>Kerberos</emphasis>. > </para> > </description> >-<value type="default">sign</value> >+<value type="default">seal</value> > </samba:parameter> >diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c >index 6ab7fa89db7..16cb0d47f31 100644 >--- a/lib/param/loadparm.c >+++ b/lib/param/loadparm.c 
>@@ -2990,7 +2990,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx) > > lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10"); > >- lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign"); >+ lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal"); > > lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios"); > >diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py >index d166b93d90a..8f9f487f82a 100644 >--- a/python/samba/tests/auth_log.py >+++ b/python/samba/tests/auth_log.py >@@ -470,7 +470,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase): > def isLastExpectedMessage(msg): > return (msg["type"] == "Authorization" and > msg["Authorization"]["serviceDescription"] == "LDAP" and >- msg["Authorization"]["transportProtection"] == "SIGN" and >+ msg["Authorization"]["transportProtection"] == "SEAL" and > msg["Authorization"]["authType"] == "krb5") > > self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"], >diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c >index 05a5ae20abe..12718ced9e7 100644 >--- a/source3/param/loadparm.c >+++ b/source3/param/loadparm.c >@@ -756,7 +756,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals) > Globals.ldap_debug_level = 0; > Globals.ldap_debug_threshold = 10; > >- Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN; >+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL; > > Globals.ldap_server_require_strong_auth = > LDAP_SERVER_REQUIRE_STRONG_AUTH_YES; >-- >2.25.1 >
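Review bot: the commit Subject tags this change as CVE-2023-0614, while the bug title, the attachment filename and the attachment description all refer to CVE-2023-0922; confirm which identifier the commit message should carry before merge, since advisory text is usually generated from it. In the clientldapsaslwrapping.xml hunk, the new first paragraph closes with `seal.</para>` at the end of the text line while every other paragraph in the file puts `</para>` on its own line; keep the file's one-per-line layout. The removed paragraph stating that with MIT and older Heimdal Kerberos libraries `sign` is in effect an alias for `seal` described library behaviour that this documentation change does not alter and that still matters to anyone who sets `sign` explicitly, so consider keeping it in shortened form rather than dropping it.

Review bot: the default is flipped in three places (the `<value type="default">` in the docs, `lpcfg_do_global_parameter` in lib/param/loadparm.c and `Globals.client_ldap_sasl_wrapping` in source3/param/loadparm.c), which is consistent, but the diffstat shows no release-notes entry. Since the new documentation paragraph says the option also governs `winbindd` and `net` connections, a behaviour-changing default deserves a release-notes line that states the new default and how to restore the previous one with `client ldap sasl wrapping = sign`.

Review bot: the auth_log.py hunk only changes the expected `transportProtection` from `"SIGN"` to `"SEAL"`, so the test now exercises the new default alone and the `SIGN` path loses its only regression check; consider parametrising or duplicating `isLastExpectedMessage` so that a run with `client ldap sasl wrapping = sign` set explicitly is still covered.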
Flags: abartlet: ci-passed+