packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2022-38023 CVE-2022-37966 CVE-2022-37967

Browse Source
This commit is contained in:
xinghe 2022-12-29 07:17:40 +00:00
parent 3b8ae13ab8
commit 10d864788d
85 changed files with 22551 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

43
backport-0001-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,43 @@
From f97d7a6d2c2d26fce15aeacfcf69b416ca54550d Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 27 Oct 2022 08:44:58 +0200
Subject: [PATCH 01/54] CVE-2022-37966 s3:param: Fix old-style function
definition
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 80dc3bc2b80634ab7c6c71fa1f9b94f0216322b2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/param/loadparm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 9bb5f4cf8cb3..7e20acbf8b96 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -2148,7 +2148,7 @@ struct loadparm_service *lp_servicebynum(int snum)
return ServicePtrs[snum];
}
-struct loadparm_service *lp_default_loadparm_service()
+struct loadparm_service *lp_default_loadparm_service(void)
{
return &sDefault;
}
@@ -4808,7 +4808,7 @@ unsigned int * get_flags(void)
return flags_list;
}
-enum samba_weak_crypto lp_weak_crypto()
+enum samba_weak_crypto lp_weak_crypto(void)
{
if (Globals.weak_crypto == SAMBA_WEAK_CRYPTO_UNKNOWN) {
Globals.weak_crypto = SAMBA_WEAK_CRYPTO_DISALLOWED;
--
2.34.1

76
backport-0001-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,76 @@
From 0c6aabcc81e2b5fc09e69d2718f0e51a282b3420 Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 6 Dec 2022 16:00:36 +0100
Subject: [PATCH 01/30] CVE-2022-38023 docs-xml: improve wording for several
options: "takes precedence" -> "overrides"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8ec62694a94c346e6ba8f3144a417c9984a1c8b9)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 2 +-
docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 2 +-
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 41684ef10805..0bb9f6f6c8ec 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -10,7 +10,7 @@
<para>You can set this to yes if all domain members support aes.
This will prevent downgrade attacks.</para>
- <para>This option takes precedence to the 'allow nt4 crypto' option.</para>
+ <para>This option overrides the 'allow nt4 crypto' option.</para>
</description>
<value type="default">no</value>
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index cd2543113f3e..bd9fea84a7e7 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -59,7 +59,7 @@
See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
</para>
- <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para>
+ <para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
<programlisting>
server require schannel:LEGACYCOMPUTER1$ = no
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 37656293aa47..151b4676c57b 100644
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -15,7 +15,7 @@
<para>The behavior can be controlled per netbios domain
by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
- <para>This option takes precedence to the <smbconfoption name="require strong key"/> option.</para>
+ <para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
</description>
<value type="default">no</value>
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
index 4db62bfb02db..b17620ec8f1d 100644
--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -19,7 +19,7 @@
<para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
- <para>This option takes precedence to the <smbconfoption name="client schannel"/> option.</para>
+ <para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
</description>
<value type="default">yes</value>
--
2.34.1

34
backport-0002-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,34 @@
From 6b49ab1c7e8b32644423fafe1ba59d2ed9db15c2 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 27 Oct 2022 08:46:39 +0200
Subject: [PATCH 02/54] CVE-2022-37966 s3:client: Fix old-style function
definition
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit 81f4335dfb847c041bfd3d6110fc8f1d5741d41f)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/client/clitar.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/client/clitar.c b/source3/client/clitar.c
index d62b53d2b170..a5c7df9c869e 100644
--- a/source3/client/clitar.c
+++ b/source3/client/clitar.c
@@ -218,7 +218,7 @@ static NTSTATUS is_subpath(const char *sub, const char *full,
/*
* tar_get_ctx - retrieve global tar context handle
*/
-struct tar *tar_get_ctx()
+struct tar *tar_get_ctx(void)
{
return &tar_ctx;
}
--
2.34.1

90
backport-0002-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,90 @@
From 99c61592d4c2d2dbdf50765b085ece40c2b3099c Mon Sep 17 00:00:00 2001
From: Ralph Boehme <slow@samba.org>
Date: Tue, 6 Dec 2022 16:05:26 +0100
Subject: [PATCH 02/30] CVE-2022-38023 docs-xml: improve wording for several
options: "yields precedence" -> "is over-riden"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 830e865ba5648f6520bc552ffd71b61f754b8251)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/logon/allownt4crypto.xml | 2 +-
docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml | 2 +-
docs-xml/smbdotconf/security/clientschannel.xml | 2 +-
docs-xml/smbdotconf/security/serverschannel.xml | 2 +-
docs-xml/smbdotconf/winbind/requirestrongkey.xml | 2 +-
5 files changed, 5 insertions(+), 5 deletions(-)
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 03dc8fa93f72..06afcef73b1b 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -18,7 +18,7 @@
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
- <para>This option yields precedence to the 'reject md5 clients' option.</para>
+ <para>This option is over-ridden by the 'reject md5 clients' option.</para>
</description>
<value type="default">no</value>
diff --git a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
index 03531adbfb36..8bccab391cc2 100644
--- a/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
+++ b/docs-xml/smbdotconf/security/allowdcerpcauthlevelconnect.xml
@@ -15,7 +15,7 @@
<para>The behavior can be overwritten per interface name (e.g. lsarpc, netlogon, samr, srvsvc,
winreg, wkssvc ...) by using 'allow dcerpc auth level connect:interface = yes' as option.</para>
- <para>This option yields precedence to the implementation specific restrictions.
+ <para>This option is over-ridden by the implementation specific restrictions.
E.g. the drsuapi and backupkey protocols require DCERPC_AUTH_LEVEL_PRIVACY.
The dnsserver protocol requires DCERPC_AUTH_LEVEL_INTEGRITY.
</para>
diff --git a/docs-xml/smbdotconf/security/clientschannel.xml b/docs-xml/smbdotconf/security/clientschannel.xml
index 5b07da95050c..d124ad481818 100644
--- a/docs-xml/smbdotconf/security/clientschannel.xml
+++ b/docs-xml/smbdotconf/security/clientschannel.xml
@@ -23,7 +23,7 @@
<para>Note that for active directory domains this is hardcoded to
<smbconfoption name="client schannel">yes</smbconfoption>.</para>
- <para>This option yields precedence to the <smbconfoption name="require strong key"/> option.</para>
+ <para>This option is over-ridden by the <smbconfoption name="require strong key"/> option.</para>
</description>
<value type="default">yes</value>
<value type="example">auto</value>
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index bd9fea84a7e7..394ffdc36fbd 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -23,7 +23,7 @@
<para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
</para>
- <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
+ <para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
</description>
diff --git a/docs-xml/smbdotconf/winbind/requirestrongkey.xml b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
index b17620ec8f1d..9c1c1d7af148 100644
--- a/docs-xml/smbdotconf/winbind/requirestrongkey.xml
+++ b/docs-xml/smbdotconf/winbind/requirestrongkey.xml
@@ -17,7 +17,7 @@
<para>Note for active directory domain this option is hardcoded to 'yes'</para>
- <para>This option yields precedence to the <smbconfoption name="reject md5 servers"/> option.</para>
+ <para>This option is over-ridden by the <smbconfoption name="reject md5 servers"/> option.</para>
<para>This option overrides the <smbconfoption name="client schannel"/> option.</para>
</description>
--
2.34.1

79
backport-0003-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,79 @@
From 82b79af664af50d3dc52b5785c4febd82ed317c3 Mon Sep 17 00:00:00 2001
From: Andreas Schneider <asn@samba.org>
Date: Thu, 27 Oct 2022 08:47:32 +0200
Subject: [PATCH 03/54] CVE-2022-37966 s3:utils: Fix old-style function
definition
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
(cherry picked from commit b787692b5e915031d4653bf375995320ed1aca07)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/utils/ntlm_auth.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/source3/utils/ntlm_auth.c b/source3/utils/ntlm_auth.c
index 7d17e33c9fe8..1306951c2a8d 100644
--- a/source3/utils/ntlm_auth.c
+++ b/source3/utils/ntlm_auth.c
@@ -367,7 +367,7 @@ const char *get_winbind_netbios_name(void)
}
-DATA_BLOB get_challenge(void)
+DATA_BLOB get_challenge(void)
{
static DATA_BLOB chal;
if (opt_challenge.length)
@@ -443,7 +443,7 @@ static bool get_require_membership_sid(void) {
* need to contact trusted domain
*/
-int get_pam_winbind_config()
+int get_pam_winbind_config(void)
{
int ctrl = 0;
struct tiniparser_dictionary *d = NULL;
@@ -717,7 +717,7 @@ static NTSTATUS contact_winbind_change_pswd_auth_crap(const char *username,
nt_status = (NT_STATUS(response.data.auth.nt_status));
if (!NT_STATUS_IS_OK(nt_status))
{
- if (error_string)
+ if (error_string)
*error_string = smb_xstrdup(response.data.auth.error_string);
winbindd_free_response(&response);
return nt_status;
@@ -867,7 +867,7 @@ done:
/**
- * Return the challenge as determined by the authentication subsystem
+ * Return the challenge as determined by the authentication subsystem
* @return an 8 byte random challenge
*/
@@ -875,7 +875,7 @@ static NTSTATUS ntlm_auth_get_challenge(struct auth4_context *auth_ctx,
uint8_t chal[8])
{
if (auth_ctx->challenge.data.length == 8) {
- DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n",
+ DEBUG(5, ("auth_get_challenge: returning previous challenge by module %s (normal)\n",
auth_ctx->challenge.set_by));
memcpy(chal, auth_ctx->challenge.data.data, 8);
return NT_STATUS_OK;
@@ -1941,7 +1941,7 @@ static void manage_ntlm_server_1_request(enum stdio_helper_mode stdio_helper_mod
printf("Authenticated: Yes\n");
- if (ntlm_server_1_lm_session_key
+ if (ntlm_server_1_lm_session_key
&& (!all_zero(lm_key,
sizeof(lm_key)))) {
hex_lm_key = hex_encode_talloc(NULL,
--
2.34.1

77
backport-0003-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,77 @@
From 7a08094b4532fb17161dc4c8d50425226becd528 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:46:59 +0100
Subject: [PATCH 03/30] CVE-2022-38023 libcli/auth: pass lp_ctx to
netlogon_creds_cli_set_global_db()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 992f39a2c8a58301ceeb965f401e29cd64c5a209)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
libcli/auth/netlogon_creds_cli.c | 3 ++-
libcli/auth/netlogon_creds_cli.h | 2 +-
source3/rpc_client/cli_netlogon.c | 2 +-
source3/utils/destroy_netlogon_creds_cli.c | 2 +-
4 files changed, 5 insertions(+), 4 deletions(-)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 716a565128dd..a31de47551d5 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -202,7 +202,8 @@ static NTSTATUS netlogon_creds_cli_context_common(
static struct db_context *netlogon_creds_cli_global_db;
-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db)
+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
+ struct db_context **db)
{
if (netlogon_creds_cli_global_db != NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index 6f40a46aa0a6..d10197c2d2af 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -31,7 +31,7 @@ struct messaging_context;
struct dcerpc_binding_handle;
struct db_context;
-NTSTATUS netlogon_creds_cli_set_global_db(struct db_context **db);
+NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struct db_context **db);
NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
void netlogon_creds_cli_close_global_db(void);
diff --git a/source3/rpc_client/cli_netlogon.c b/source3/rpc_client/cli_netlogon.c
index da445122dbdc..762802d32780 100644
--- a/source3/rpc_client/cli_netlogon.c
+++ b/source3/rpc_client/cli_netlogon.c
@@ -76,7 +76,7 @@ NTSTATUS rpccli_pre_open_netlogon_creds(void)
return NT_STATUS_NO_MEMORY;
}
- status = netlogon_creds_cli_set_global_db(&global_db);
+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
TALLOC_FREE(frame);
if (!NT_STATUS_IS_OK(status)) {
return status;
diff --git a/source3/utils/destroy_netlogon_creds_cli.c b/source3/utils/destroy_netlogon_creds_cli.c
index f28cad527dfb..a2e1952e434c 100644
--- a/source3/utils/destroy_netlogon_creds_cli.c
+++ b/source3/utils/destroy_netlogon_creds_cli.c
@@ -82,7 +82,7 @@ int main(int argc, const char *argv[])
goto done;
}
- status = netlogon_creds_cli_set_global_db(&global_db);
+ status = netlogon_creds_cli_set_global_db(lp_ctx, &global_db);
if (!NT_STATUS_IS_OK(status)) {
fprintf(stderr,
"netlogon_creds_cli_set_global_db failed: %s\n",
--
2.34.1

69
backport-0004-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,69 @@
From 9c05b1bbae715c6a59d62fd3798f7c062e74ed9b Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Thu, 20 Oct 2022 12:36:44 +1300
Subject: [PATCH 04/54] CVE-2022-37966 tests/krb5: Add test requesting a TGT
expiring post-2038
This demonstrates the behaviour of Windows 11 22H2 over Kerberos,
which changed to use a year 9999 date for a forever timetime in
tickets.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15197
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
Autobuild-User(master): Andrew Bartlett <abartlet@samba.org>
Autobuild-Date(master): Thu Oct 20 05:00:23 UTC 2022 on sn-devel-184
(cherry picked from commit 50cbdecf2e276e5f87b9c2d95fd3ca86d11a08e2)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/as_req_tests.py | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 6a573947067f..6b3b5ad4a226 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -47,7 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
expected_cname=None, sname=None,
name_type=NT_PRINCIPAL, etypes=None,
expected_error=None, expect_edata=None,
- kdc_options=None):
+ kdc_options=None, till=None):
user_name = client_creds.get_username()
if client_account is None:
client_account = user_name
@@ -71,7 +71,8 @@ class AsReqBaseTest(KDCBaseTest):
expected_sname = sname
expected_salt = client_creds.get_salt()
- till = self.get_KerberosTime(offset=36000)
+ if till is None:
+ till = self.get_KerberosTime(offset=36000)
if etypes is None:
etypes = client_as_etypes
@@ -516,6 +517,14 @@ class AsReqKerberosTests(AsReqBaseTest):
sname=wrong_krbtgt_princ,
expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+ # Test that we can make a request for a ticket expiring post-2038.
+ def test_future_till(self):
+ client_creds = self.get_client_creds()
+
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ till='99990913024805Z')
+
if __name__ == "__main__":
global_asn1_print = False
--
2.34.1

128
backport-0004-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,128 @@
From 5e3c1871c3c0869b1cf95ed9311df03e41a12f05 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:47:33 +0100
Subject: [PATCH 04/30] CVE-2022-38023 libcli/auth: add/use
netlogon_creds_cli_warn_options()
This warns the admin about insecure options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++
libcli/auth/netlogon_creds_cli.h | 2 +
2 files changed, 68 insertions(+)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index a31de47551d5..848d993a3c66 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -205,6 +205,8 @@ static struct db_context *netlogon_creds_cli_global_db;
NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
struct db_context **db)
{
+ netlogon_creds_cli_warn_options(lp_ctx);
+
if (netlogon_creds_cli_global_db != NULL) {
return NT_STATUS_INVALID_PARAMETER_MIX;
}
@@ -219,6 +221,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
struct db_context *global_db;
int hash_size, tdb_flags;
+ netlogon_creds_cli_warn_options(lp_ctx);
+
if (netlogon_creds_cli_global_db != NULL) {
return NT_STATUS_OK;
}
@@ -259,6 +263,68 @@ void netlogon_creds_cli_close_global_db(void)
TALLOC_FREE(netlogon_creds_cli_global_db);
}
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
+{
+ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
+ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
+ int global_client_schannel = lpcfg_client_schannel(lp_ctx);
+ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+ static bool warned_global_reject_md5_servers = false;
+ static bool warned_global_require_strong_key = false;
+ static bool warned_global_client_schannel = false;
+ static bool warned_global_seal_secure_channel = false;
+ static int warned_global_pid = 0;
+ int current_pid = tevent_cached_getpid();
+
+ if (warned_global_pid != current_pid) {
+ warned_global_reject_md5_servers = false;
+ warned_global_require_strong_key = false;
+ warned_global_client_schannel = false;
+ warned_global_seal_secure_channel = false;
+ warned_global_pid = current_pid;
+ }
+
+ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'reject md5 servers = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_reject_md5_servers = true;
+ }
+
+ if (!global_require_strong_key && !warned_global_require_strong_key) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'require strong key = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_require_strong_key = true;
+ }
+
+ if (global_client_schannel != true && !warned_global_client_schannel) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'client schannel = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_client_schannel = true;
+ }
+
+ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'winbind sealed pipes = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_seal_secure_channel = true;
+ }
+}
+
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
struct messaging_context *msg_ctx,
const char *client_account,
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index d10197c2d2af..600242e1aea7 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
void netlogon_creds_cli_close_global_db(void);
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
+
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
struct messaging_context *msg_ctx,
const char *client_account,
--
2.34.1

44
backport-0005-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,44 @@
From 9e486cdac679dc5121db33e198e48f364ea28ff8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Dec 2022 21:31:37 +0100
Subject: [PATCH 05/54] CVE-2022-37966 docs-xml/smbdotconf: "kerberos
encryption types = legacy" should not be used
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit a4f6f51cbed53775cdfedc7eec2f28c7beb875cc)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../smbdotconf/security/kerberosencryptiontypes.xml | 12 +++---------
1 file changed, 3 insertions(+), 9 deletions(-)
diff --git a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
index 2c3c6c5d5fc6..a245af55f5f3 100644
--- a/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
+++ b/docs-xml/smbdotconf/security/kerberosencryptiontypes.xml
@@ -37,15 +37,9 @@
</para>
<para>When set to <constant>legacy</constant>, only RC4-HMAC-MD5
- is allowed. Avoiding AES this way has one a very specific use.
- Normally, the encryption type is negotiated between the peers.
- However, there is one scenario in which a Windows read-only domain
- controller (RODC) advertises AES encryption, but then proxies the
- request to a writeable DC which may not support AES encryption,
- leading to failure of the handshake. Setting this parameter to
- <constant>legacy</constant> would cause samba not to negotiate AES
- encryption. It is assumed of course that the weaker legacy
- encryption types are acceptable for the setup.
+ is allowed. AVOID using this option, because of
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-37966.html">CVE-2022-37966</ulink> see
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15237">https://bugzilla.samba.org/show_bug.cgi?id=15237</ulink>.
</para>
</description>
--
2.34.1

262
backport-0005-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,262 @@
From e741d4967b5b4ff3ec7eb558bc3d1668fde9fe35 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 16:16:05 +0100
Subject: [PATCH 05/30] CVE-2022-38023 s3:net: add and use
net_warn_member_options() helper
This makes sure domain member related 'net' commands print warnings
about unsecure smb.conf options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1fdf1d55a5dd550bdb16d037b5dc995c33c1a67a)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source3/utils/net.c | 6 ++++++
source3/utils/net_ads.c | 14 ++++++++++++++
source3/utils/net_dom.c | 2 ++
source3/utils/net_join.c | 2 ++
source3/utils/net_offlinejoin.c | 2 ++
source3/utils/net_proto.h | 2 ++
source3/utils/net_rpc.c | 10 ++++++++++
source3/utils/net_util.c | 14 ++++++++++++++
8 files changed, 52 insertions(+)
diff --git a/source3/utils/net.c b/source3/utils/net.c
index e1e14743c117..b96d7f5d9d48 100644
--- a/source3/utils/net.c
+++ b/source3/utils/net.c
@@ -85,6 +85,8 @@ enum netr_SchannelType get_sec_channel_type(const char *param)
static int net_changetrustpw(struct net_context *c, int argc, const char **argv)
{
+ net_warn_member_options();
+
if (net_ads_check_our_domain(c) == 0)
return net_ads_changetrustpw(c, argc, argv);
@@ -112,6 +114,8 @@ static int net_primarytrust_dumpinfo(struct net_context *c, int argc,
return 1;
}
+ net_warn_member_options();
+
if (c->opt_stdin) {
set_line_buffering(stdin);
set_line_buffering(stdout);
@@ -193,6 +197,8 @@ static int net_changesecretpw(struct net_context *c, int argc,
return 1;
}
+ net_warn_member_options();
+
if(c->opt_force) {
struct secrets_domain_info1 *info = NULL;
struct secrets_domain_info1_change *prev = NULL;
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 9b2cc50aa31f..7859225a03b7 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -1414,6 +1414,8 @@ static int net_ads_status(struct net_context *c, int argc, const char **argv)
return -1;
}
+ net_warn_member_options();
+
status = ads_startup(c, true, tmp_ctx, &ads);
if (!ADS_ERR_OK(status)) {
goto out;
@@ -1556,6 +1558,8 @@ static ADS_STATUS net_ads_join_ok(struct net_context *c)
return ADS_ERROR_NT(NT_STATUS_ACCESS_DENIED);
}
+ net_warn_member_options();
+
net_use_krb_machine_account(c);
get_dc_name(lp_workgroup(), lp_realm(), dc_name, &dcip);
@@ -1588,6 +1592,8 @@ int net_ads_testjoin(struct net_context *c, int argc, const char **argv)
return -1;
}
+ net_warn_member_options();
+
/* Display success or failure */
status = net_ads_join_ok(c);
if (!ADS_ERR_OK(status)) {
@@ -1685,6 +1691,8 @@ int net_ads_join(struct net_context *c, int argc, const char **argv)
return net_ads_join_usage(c, argc, argv);
}
+ net_warn_member_options();
+
if (!modify_config) {
werr = check_ads_config();
if (!W_ERROR_IS_OK(werr)) {
@@ -2659,6 +2667,8 @@ int net_ads_changetrustpw(struct net_context *c, int argc, const char **argv)
goto out;
}
+ net_warn_member_options();
+
net_use_krb_machine_account(c);
use_in_memory_ccache();
@@ -2961,6 +2971,8 @@ static int net_ads_keytab_add(struct net_context *c,
return -1;
}
+ net_warn_member_options();
+
d_printf(_("Processing principals to add...\n"));
if (!c->opt_user_specified && c->opt_password == NULL) {
@@ -3011,6 +3023,8 @@ static int net_ads_keytab_create(struct net_context *c, int argc, const char **a
return -1;
}
+ net_warn_member_options();
+
if (!c->opt_user_specified && c->opt_password == NULL) {
net_use_krb_machine_account(c);
}
diff --git a/source3/utils/net_dom.c b/source3/utils/net_dom.c
index 13e65a933142..4b48e1566bc8 100644
--- a/source3/utils/net_dom.c
+++ b/source3/utils/net_dom.c
@@ -154,6 +154,8 @@ static int net_dom_join(struct net_context *c, int argc, const char **argv)
return net_dom_usage(c, argc, argv);
}
+ net_warn_member_options();
+
if (c->opt_host) {
server_name = c->opt_host;
}
diff --git a/source3/utils/net_join.c b/source3/utils/net_join.c
index 1493dff74d7b..f67f08f79a81 100644
--- a/source3/utils/net_join.c
+++ b/source3/utils/net_join.c
@@ -39,6 +39,8 @@ int net_join(struct net_context *c, int argc, const char **argv)
return 0;
}
+ net_warn_member_options();
+
if (net_ads_check_our_domain(c) == 0) {
if (net_ads_join(c, argc, argv) == 0)
return 0;
diff --git a/source3/utils/net_offlinejoin.c b/source3/utils/net_offlinejoin.c
index 03e5df0eace9..0cfd5fdfe235 100644
--- a/source3/utils/net_offlinejoin.c
+++ b/source3/utils/net_offlinejoin.c
@@ -49,6 +49,8 @@ int net_offlinejoin(struct net_context *c, int argc, const char **argv)
return -1;
}
+ net_warn_member_options();
+
status = libnetapi_net_init(&c->netapi_ctx);
if (status != 0) {
return -1;
diff --git a/source3/utils/net_proto.h b/source3/utils/net_proto.h
index 1cc8fdf35afe..fe6b5dd9b84f 100644
--- a/source3/utils/net_proto.h
+++ b/source3/utils/net_proto.h
@@ -448,6 +448,8 @@ int net_run_function(struct net_context *c, int argc, const char **argv,
const char *whoami, struct functable *table);
void net_display_usage_from_functable(struct functable *table);
+void net_warn_member_options(void);
+
const char *net_share_type_str(int num_type);
NTSTATUS net_scan_dc(struct net_context *c,
diff --git a/source3/utils/net_rpc.c b/source3/utils/net_rpc.c
index 97c0158d612f..16a541413d2e 100644
--- a/source3/utils/net_rpc.c
+++ b/source3/utils/net_rpc.c
@@ -371,6 +371,8 @@ static int net_rpc_oldjoin(struct net_context *c, int argc, const char **argv)
return 0;
}
+ net_warn_member_options();
+
mem_ctx = talloc_init("net_rpc_oldjoin");
if (!mem_ctx) {
return -1;
@@ -490,6 +492,8 @@ int net_rpc_testjoin(struct net_context *c, int argc, const char **argv)
return 0;
}
+ net_warn_member_options();
+
mem_ctx = talloc_init("net_rpc_testjoin");
if (!mem_ctx) {
return -1;
@@ -564,6 +568,8 @@ static int net_rpc_join_newstyle(struct net_context *c, int argc, const char **a
return 0;
}
+ net_warn_member_options();
+
mem_ctx = talloc_init("net_rpc_join_newstyle");
if (!mem_ctx) {
return -1;
@@ -685,6 +691,8 @@ int net_rpc_join(struct net_context *c, int argc, const char **argv)
return -1;
}
+ net_warn_member_options();
+
if (strlen(lp_netbios_name()) > 15) {
d_printf(_("Our netbios name can be at most 15 chars long, "
"\"%s\" is %u chars long\n"),
@@ -815,6 +823,8 @@ int net_rpc_info(struct net_context *c, int argc, const char **argv)
return 0;
}
+ net_warn_member_options();
+
return run_rpc_command(c, NULL, &ndr_table_samr,
NET_FLAGS_PDC, rpc_info_internals,
argc, argv);
diff --git a/source3/utils/net_util.c b/source3/utils/net_util.c
index 298d9a64dc0c..f3b7755063bf 100644
--- a/source3/utils/net_util.c
+++ b/source3/utils/net_util.c
@@ -31,6 +31,7 @@
#include "libsmb/libsmb.h"
#include "lib/param/param.h"
#include "auth/gensec/gensec.h"
+#include "libcli/auth/netlogon_creds_cli.h"
#include "lib/cmdline/cmdline.h"
NTSTATUS net_rpc_lookup_name(struct net_context *c,
@@ -478,6 +479,19 @@ void net_display_usage_from_functable(struct functable *table)
}
}
+void net_warn_member_options(void)
+{
+ TALLOC_CTX *frame = talloc_stackframe();
+ struct loadparm_context *lp_ctx = NULL;
+
+ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ if (lp_ctx != NULL) {
+ netlogon_creds_cli_warn_options(lp_ctx);
+ }
+
+ TALLOC_FREE(frame);
+}
+
const char *net_share_type_str(int num_type)
{
switch(num_type) {
--
2.34.1

40
backport-0006-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,40 @@
From 4257781a43a0a8c69b94031d1e2f99d422484985 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Dec 2022 21:36:23 +0100
Subject: [PATCH 06/54] CVE-2022-37966 testparm: warn about 'kerberos
encryption types = legacy'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c0c25cc0217b082c12330a8c47869c8428a20d0c)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/utils/testparm.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 121c2b7a5221..b975188094ca 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -680,6 +680,14 @@ static int do_global_checks(void)
"options\n\n");
}
+ if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
+ fprintf(stderr,
+ "WARNING: You have configured "
+ "'kerberos encryption types = legacy'. "
+ "Your server is vulernable to "
+ "CVE-2022-37966\n\n");
+ }
+
return ret;
}
--
2.34.1

103
backport-0006-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,103 @@
From 9fcde82de834cc8f9915c493911343775811b24c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:59:36 +0100
Subject: [PATCH 06/30] CVE-2022-38023 s3:winbindd: also allow per domain
"winbind sealed pipes:DOMAIN" and "require strong key:DOMAIN"
This avoids advising insecure defaults for the global options.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit d60828f6391307a59abaa02b72b6a8acf66b2fef)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source3/winbindd/winbindd_cm.c | 41 +++++++++++++++++++++++++++-------
1 file changed, 33 insertions(+), 8 deletions(-)
diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c
index 28316e10d72d..e774bf90511f 100644
--- a/source3/winbindd/winbindd_cm.c
+++ b/source3/winbindd/winbindd_cm.c
@@ -2457,6 +2457,8 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
bool retry = false; /* allow one retry attempt for expired session */
const char *remote_name = NULL;
const struct sockaddr_storage *remote_sockaddr = NULL;
+ bool sealed_pipes = true;
+ bool strong_key = true;
if (sid_check_is_our_sam(&domain->sid)) {
if (domain->rodc == false || need_rw_dc == false) {
@@ -2636,14 +2638,24 @@ retry:
anonymous:
+ sealed_pipes = lp_winbind_sealed_pipes();
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+ domain->name,
+ sealed_pipes);
+ strong_key = lp_require_strong_key();
+ strong_key = lp_parm_bool(-1, "require strong key",
+ domain->name,
+ strong_key);
+
/* Finally fall back to anonymous. */
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ if (sealed_pipes || strong_key) {
status = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make SAMR connection to domain %s "
"without connection level security, "
- "must set 'winbind sealed pipes = false' and "
- "'require strong key = false' to proceed: %s\n",
- domain->name, nt_errstr(status)));
+ "must set 'winbind sealed pipes:%s = false' and "
+ "'require strong key:%s = false' to proceed: %s\n",
+ domain->name, domain->name, domain->name,
+ nt_errstr(status)));
goto done;
}
status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr,
@@ -2800,6 +2812,8 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx,
bool retry = false; /* allow one retry attempt for expired session */
const char *remote_name = NULL;
const struct sockaddr_storage *remote_sockaddr = NULL;
+ bool sealed_pipes = true;
+ bool strong_key = true;
retry:
result = init_dc_connection_rpc(domain, false);
@@ -2961,13 +2975,24 @@ retry:
goto done;
}
- if (lp_winbind_sealed_pipes() || lp_require_strong_key()) {
+ sealed_pipes = lp_winbind_sealed_pipes();
+ sealed_pipes = lp_parm_bool(-1, "winbind sealed pipes",
+ domain->name,
+ sealed_pipes);
+ strong_key = lp_require_strong_key();
+ strong_key = lp_parm_bool(-1, "require strong key",
+ domain->name,
+ strong_key);
+
+ /* Finally fall back to anonymous. */
+ if (sealed_pipes || strong_key) {
result = NT_STATUS_DOWNGRADE_DETECTED;
DEBUG(1, ("Unwilling to make LSA connection to domain %s "
"without connection level security, "
- "must set 'winbind sealed pipes = false' and "
- "'require strong key = false' to proceed: %s\n",
- domain->name, nt_errstr(result)));
+ "must set 'winbind sealed pipes:%s = false' and "
+ "'require strong key:%s = false' to proceed: %s\n",
+ domain->name, domain->name, domain->name,
+ nt_errstr(result)));
goto done;
}
--
2.34.1

65
backport-0007-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,65 @@
From b58a0f0b1f7cd327f666e03dbcce0fc19b18cd06 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Dec 2022 21:45:08 +0100
Subject: [PATCH 07/54] CVE-2022-37966 libcli/auth: let
netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
libcli/auth/netlogon_creds_cli.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 52df5ab12a63..fb53ee5a1df8 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -269,10 +269,12 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
int global_client_schannel = lpcfg_client_schannel(lp_ctx);
bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+ int global_kerberos_enctypes = lpcfg_kerberos_encryption_types(lp_ctx);
static bool warned_global_reject_md5_servers = false;
static bool warned_global_require_strong_key = false;
static bool warned_global_client_schannel = false;
static bool warned_global_seal_secure_channel = false;
+ static bool warned_global_kerberos_encryption_types = false;
static int warned_global_pid = 0;
int current_pid = tevent_cached_getpid();
@@ -281,6 +283,7 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
warned_global_require_strong_key = false;
warned_global_client_schannel = false;
warned_global_seal_secure_channel = false;
+ warned_global_kerberos_encryption_types = false;
warned_global_pid = current_pid;
}
@@ -323,6 +326,18 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
warned_global_seal_secure_channel = true;
}
+
+ if (global_kerberos_enctypes == KERBEROS_ETYPES_LEGACY &&
+ !warned_global_kerberos_encryption_types)
+ {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-37966: "
+ "Please void 'kerberos encryption types = legacy', "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15237\n");
+ warned_global_kerberos_encryption_types = true;
+ }
}
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
--
2.34.1

91
backport-0007-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,91 @@
From 2d4faaf6eb2cc2cb0c13f46f348e2710c8f9e3cf Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2022 18:22:23 +0100
Subject: [PATCH 07/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5
servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 1c6c1129905d0c7a60018e7bf0f17a0fd198a584)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/winbind/rejectmd5servers.xml | 7 +++++--
lib/param/loadparm.c | 1 +
libcli/auth/netlogon_creds_cli.c | 4 ++--
source3/param/loadparm.c | 1 +
4 files changed, 9 insertions(+), 4 deletions(-)
diff --git a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
index 151b4676c57b..3bc4eaf7b02e 100644
--- a/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
+++ b/docs-xml/smbdotconf/winbind/rejectmd5servers.xml
@@ -13,10 +13,13 @@
This will prevent downgrade attacks.</para>
<para>The behavior can be controlled per netbios domain
- by using 'reject md5 servers:NETBIOSDOMAIN = yes' as option.</para>
+ by using 'reject md5 servers:NETBIOSDOMAIN = no' as option.</para>
+
+ <para>The default changed from 'no' to 'yes, with the patches for CVE-2022-38023,
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
<para>This option overrides the <smbconfoption name="require strong key"/> option.</para>
</description>
-<value type="default">no</value>
+<value type="default">yes</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index d8646120e6bd..10157c95bc16 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2669,6 +2669,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind sealed pipes", "True");
lpcfg_do_global_parameter(lp_ctx, "winbind scan trusted domains", "False");
lpcfg_do_global_parameter(lp_ctx, "require strong key", "True");
+ lpcfg_do_global_parameter(lp_ctx, "reject md5 servers", "True");
lpcfg_do_global_parameter(lp_ctx, "winbindd socket directory", dyn_WINBINDD_SOCKET_DIR);
lpcfg_do_global_parameter(lp_ctx, "ntp signd socket directory", dyn_NTP_SIGND_SOCKET_DIR);
lpcfg_do_global_parameter_var(lp_ctx, "gpo update command", "%s/samba-gpupdate", dyn_SCRIPTSBINDIR);
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 848d993a3c66..52df5ab12a63 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
const char *client_computer;
uint32_t proposed_flags;
uint32_t required_flags = 0;
- bool reject_md5_servers = false;
- bool require_strong_key = false;
+ bool reject_md5_servers = true;
+ bool require_strong_key = true;
int require_sign_or_seal = true;
bool seal_secure_channel = true;
enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 43838575f3bf..91bb3c08327b 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -666,6 +666,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.client_schannel = true;
Globals.winbind_sealed_pipes = true;
Globals.require_strong_key = true;
+ Globals.reject_md5_servers = true;
Globals.server_schannel = true;
Globals.read_raw = true;
Globals.write_raw = true;
--
2.34.1

72
backport-0008-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,72 @@
From cbd4f5b3650737c796f38c285fb37c61ecfe38b6 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 1 Nov 2022 12:34:57 +1300
Subject: [PATCH 08/54] CVE-2022-37966 selftest: Allow krb5 tests to run
against an IP by using the target_hostname binding string
This makes it easier to test against a server that is not accessible via DNS.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit c7cd6889177e8c705bb637172a60a5cf26734a3f)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/drs_utils.py | 12 ++++++++++--
python/samba/tests/krb5/kdc_base_test.py | 3 ++-
2 files changed, 12 insertions(+), 3 deletions(-)
diff --git a/python/samba/drs_utils.py b/python/samba/drs_utils.py
index 6399e5f7fbcb..955d0f571f87 100644
--- a/python/samba/drs_utils.py
+++ b/python/samba/drs_utils.py
@@ -41,12 +41,13 @@ class drsException(Exception):
return "drsException: " + self.value
-def drsuapi_connect(server, lp, creds):
+def drsuapi_connect(server, lp, creds, ip=None):
"""Make a DRSUAPI connection to the server.
:param server: the name of the server to connect to
:param lp: a samba line parameter object
:param creds: credential used for the connection
+ :param ip: Forced target server name
:return: A tuple with the drsuapi bind object, the drsuapi handle
and the supported extensions.
:raise drsException: if the connection fails
@@ -55,7 +56,14 @@ def drsuapi_connect(server, lp, creds):
binding_options = "seal"
if lp.log_level() >= 9:
binding_options += ",print"
- binding_string = "ncacn_ip_tcp:%s[%s]" % (server, binding_options)
+
+ # Allow forcing the IP
+ if ip is not None:
+ binding_options += f",target_hostname={server}"
+ binding_string = f"ncacn_ip_tcp:{ip}[{binding_options}]"
+ else:
+ binding_string = "ncacn_ip_tcp:%s[%s]" % (server, binding_options)
+
try:
drsuapiBind = drsuapi.drsuapi(binding_string, lp, creds)
(drsuapiHandle, bindSupportedExtensions) = drs_DsBind(drsuapiBind)
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 0733c5c96752..adf67fe7241a 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -514,7 +514,8 @@ class KDCBaseTest(RawKerberosTest):
dns_hostname = samdb.host_dns_name()
(bind, handle, _) = drsuapi_connect(dns_hostname,
self.get_lp(),
- admin_creds)
+ admin_creds,
+ ip=self.dc_host)
req = drsuapi.DsGetNCChangesRequest8()
--
2.34.1

74
backport-0008-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,74 @@
From 3157a6b132873fe1a641f7382e0dffae81445af0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Dec 2022 10:56:29 +0100
Subject: [PATCH 08/30] CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel
!= yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++--------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 12ad78036d00..834e691bf90e 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -63,6 +63,21 @@
static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
const struct dcesrv_interface *iface)
{
+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+ int schannel = lpcfg_server_schannel(lp_ctx);
+ bool schannel_global_required = (schannel == true);
+ static bool warned_global_schannel_once = false;
+
+ if (!schannel_global_required && !warned_global_schannel_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ D_ERR("CVE-2020-1472(ZeroLogon): "
+ "Please configure 'server schannel = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
+ warned_global_schannel_once = true;
+ }
+
return dcesrv_interface_bind_reject_connect(context, iface);
}
@@ -630,7 +645,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
uint16_t opnum = dce_call->pkt.u.request.opnum;
const char *opname = "<unknown>";
- static bool warned_global_once = false;
if (opnum < ndr_table_netlogon.num_calls) {
opname = ndr_table_netlogon.calls[opnum].name;
@@ -682,16 +696,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
return NT_STATUS_ACCESS_DENIED;
}
- if (!schannel_global_required && !warned_global_once) {
- /*
- * We want admins to notice their misconfiguration!
- */
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "Please configure 'server schannel = yes', "
- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
- warned_global_once = true;
- }
-
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
DBG_ERR("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) WITH schannel from "
--
2.34.1

307
backport-0009-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,307 @@
From 495d539e79eeb971a62ef912cc65f1282523584a Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 26 Oct 2022 14:26:01 +1300
Subject: [PATCH 09/54] CVE-2022-37966 tests/krb5: Split out _tgs_req() into
base class
We will use it for testing our handling of encryption types.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 50e075d2db21e9f23d686684ea3df9454b6b560e)
[jsutton@samba.org Adapted to 4.17 version of function]
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/kdc_tgs_tests.py | 264 ++++++++++++-----------
1 file changed, 133 insertions(+), 131 deletions(-)
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 83315f6879fc..f514e321fee1 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -58,7 +58,139 @@ global_asn1_print = False
global_hexdump = False
-class KdcTgsTests(KDCBaseTest):
+class KdcTgsBaseTests(KDCBaseTest):
+ def _tgs_req(self, tgt, expected_error, target_creds,
+ armor_tgt=None,
+ kdc_options='0',
+ expected_cname=None,
+ expected_sname=None,
+ additional_ticket=None,
+ generate_padata_fn=None,
+ sname=None,
+ srealm=None,
+ use_fast=False,
+ expect_claims=True,
+ expect_pac=True,
+ expect_pac_attrs=None,
+ expect_pac_attrs_pac_request=None,
+ expect_requester_sid=None,
+ expect_edata=False,
+ expected_sid=None,
+ expected_status=None):
+ if srealm is False:
+ srealm = None
+ elif srealm is None:
+ srealm = target_creds.get_realm()
+
+ if sname is False:
+ sname = None
+ if expected_sname is None:
+ expected_sname = self.get_krbtgt_sname()
+ else:
+ if sname is None:
+ target_name = target_creds.get_username()
+ if target_name == 'krbtgt':
+ sname = self.PrincipalName_create(
+ name_type=NT_SRV_INST,
+ names=[target_name, srealm])
+ else:
+ if target_name[-1] == '$':
+ target_name = target_name[:-1]
+ sname = self.PrincipalName_create(
+ name_type=NT_PRINCIPAL,
+ names=['host', target_name])
+
+ if expected_sname is None:
+ expected_sname = sname
+
+ if additional_ticket is not None:
+ additional_tickets = [additional_ticket.ticket]
+ decryption_key = additional_ticket.session_key
+ else:
+ additional_tickets = None
+ decryption_key = self.TicketDecryptionKey_from_creds(
+ target_creds)
+
+ subkey = self.RandomKey(tgt.session_key.etype)
+
+ if armor_tgt is not None:
+ armor_subkey = self.RandomKey(subkey.etype)
+ explicit_armor_key = self.generate_armor_key(armor_subkey,
+ armor_tgt.session_key)
+ armor_key = kcrypto.cf2(explicit_armor_key.key,
+ subkey.key,
+ b'explicitarmor',
+ b'tgsarmor')
+ armor_key = Krb5EncryptionKey(armor_key, None)
+
+ generate_fast_fn = self.generate_simple_fast
+ generate_fast_armor_fn = self.generate_ap_req
+
+ pac_options = '1' # claims support
+ else:
+ armor_subkey = None
+ armor_key = None
+ generate_fast_fn = None
+ generate_fast_armor_fn = None
+
+ pac_options = None
+
+ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+
+ if expected_error:
+ check_error_fn = self.generic_check_kdc_error
+ check_rep_fn = None
+ else:
+ check_error_fn = None
+ check_rep_fn = self.generic_check_kdc_rep
+
+ if expected_cname is None:
+ expected_cname = tgt.cname
+
+ kdc_exchange_dict = self.tgs_exchange_dict(
+ expected_crealm=tgt.crealm,
+ expected_cname=expected_cname,
+ expected_srealm=srealm,
+ expected_sname=expected_sname,
+ ticket_decryption_key=decryption_key,
+ generate_padata_fn=generate_padata_fn,
+ generate_fast_fn=generate_fast_fn,
+ generate_fast_armor_fn=generate_fast_armor_fn,
+ check_error_fn=check_error_fn,
+ check_rep_fn=check_rep_fn,
+ check_kdc_private_fn=self.generic_check_kdc_private,
+ expected_error_mode=expected_error,
+ expected_status=expected_status,
+ tgt=tgt,
+ armor_key=armor_key,
+ armor_tgt=armor_tgt,
+ armor_subkey=armor_subkey,
+ pac_options=pac_options,
+ authenticator_subkey=subkey,
+ kdc_options=kdc_options,
+ expect_edata=expect_edata,
+ expect_pac=expect_pac,
+ expect_pac_attrs=expect_pac_attrs,
+ expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
+ expect_requester_sid=expect_requester_sid,
+ expected_sid=expected_sid,
+ expect_claims=expect_claims)
+
+ rep = self._generic_kdc_exchange(kdc_exchange_dict,
+ cname=None,
+ realm=srealm,
+ sname=sname,
+ etypes=etypes,
+ additional_tickets=additional_tickets)
+ if expected_error:
+ self.check_error_rep(rep, expected_error)
+ return None
+ else:
+ self.check_reply(rep, KRB_TGS_REP)
+ return kdc_exchange_dict['rep_ticket_creds']
+
+
+class KdcTgsTests(KdcTgsBaseTests):
def setUp(self):
super().setUp()
@@ -2694,136 +2826,6 @@ class KdcTgsTests(KDCBaseTest):
expected_sname=expected_sname,
expect_pac=expect_pac)
- def _tgs_req(self, tgt, expected_error, target_creds,
- armor_tgt=None,
- kdc_options='0',
- expected_cname=None,
- expected_sname=None,
- additional_ticket=None,
- generate_padata_fn=None,
- sname=None,
- srealm=None,
- use_fast=False,
- expect_claims=True,
- expect_pac=True,
- expect_pac_attrs=None,
- expect_pac_attrs_pac_request=None,
- expect_requester_sid=None,
- expect_edata=False,
- expected_sid=None,
- expected_status=None):
- if srealm is False:
- srealm = None
- elif srealm is None:
- srealm = target_creds.get_realm()
-
- if sname is False:
- sname = None
- if expected_sname is None:
- expected_sname = self.get_krbtgt_sname()
- else:
- if sname is None:
- target_name = target_creds.get_username()
- if target_name == 'krbtgt':
- sname = self.PrincipalName_create(
- name_type=NT_SRV_INST,
- names=[target_name, srealm])
- else:
- if target_name[-1] == '$':
- target_name = target_name[:-1]
- sname = self.PrincipalName_create(
- name_type=NT_PRINCIPAL,
- names=['host', target_name])
-
- if expected_sname is None:
- expected_sname = sname
-
- if additional_ticket is not None:
- additional_tickets = [additional_ticket.ticket]
- decryption_key = additional_ticket.session_key
- else:
- additional_tickets = None
- decryption_key = self.TicketDecryptionKey_from_creds(
- target_creds)
-
- subkey = self.RandomKey(tgt.session_key.etype)
-
- if armor_tgt is not None:
- armor_subkey = self.RandomKey(subkey.etype)
- explicit_armor_key = self.generate_armor_key(armor_subkey,
- armor_tgt.session_key)
- armor_key = kcrypto.cf2(explicit_armor_key.key,
- subkey.key,
- b'explicitarmor',
- b'tgsarmor')
- armor_key = Krb5EncryptionKey(armor_key, None)
-
- generate_fast_fn = self.generate_simple_fast
- generate_fast_armor_fn = self.generate_ap_req
-
- pac_options = '1' # claims support
- else:
- armor_subkey = None
- armor_key = None
- generate_fast_fn = None
- generate_fast_armor_fn = None
-
- pac_options = None
-
- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
-
- if expected_error:
- check_error_fn = self.generic_check_kdc_error
- check_rep_fn = None
- else:
- check_error_fn = None
- check_rep_fn = self.generic_check_kdc_rep
-
- if expected_cname is None:
- expected_cname = tgt.cname
-
- kdc_exchange_dict = self.tgs_exchange_dict(
- expected_crealm=tgt.crealm,
- expected_cname=expected_cname,
- expected_srealm=srealm,
- expected_sname=expected_sname,
- ticket_decryption_key=decryption_key,
- generate_padata_fn=generate_padata_fn,
- generate_fast_fn=generate_fast_fn,
- generate_fast_armor_fn=generate_fast_armor_fn,
- check_error_fn=check_error_fn,
- check_rep_fn=check_rep_fn,
- check_kdc_private_fn=self.generic_check_kdc_private,
- expected_error_mode=expected_error,
- expected_status=expected_status,
- tgt=tgt,
- armor_key=armor_key,
- armor_tgt=armor_tgt,
- armor_subkey=armor_subkey,
- pac_options=pac_options,
- authenticator_subkey=subkey,
- kdc_options=kdc_options,
- expect_edata=expect_edata,
- expect_pac=expect_pac,
- expect_pac_attrs=expect_pac_attrs,
- expect_pac_attrs_pac_request=expect_pac_attrs_pac_request,
- expect_requester_sid=expect_requester_sid,
- expected_sid=expected_sid,
- expect_claims=expect_claims)
-
- rep = self._generic_kdc_exchange(kdc_exchange_dict,
- cname=None,
- realm=srealm,
- sname=sname,
- etypes=etypes,
- additional_tickets=additional_tickets)
- if expected_error:
- self.check_error_rep(rep, expected_error)
- return None
- else:
- self.check_reply(rep, KRB_TGS_REP)
- return kdc_exchange_dict['rep_ticket_creds']
-
if __name__ == "__main__":
global_asn1_print = False
--
2.34.1

56
backport-0009-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,56 @@
From 28310ba1d9288ba7f4e58c90f591bb9ca0e2350e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2022 14:03:50 +0100
Subject: [PATCH 09/30] CVE-2022-38023 s4:rpc_server/netlogon: add a lp_ctx
variable to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7baabbe9819cd5a2714e7ea4e57a0c23062c0150)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 834e691bf90e..16c0101d1ea0 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -636,8 +636,9 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
struct netr_Authenticator *return_authenticator,
struct netlogon_creds_CredentialState **creds_out)
{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
NTSTATUS nt_status;
- int schannel = lpcfg_server_schannel(dce_call->conn->dce_ctx->lp_ctx);
+ int schannel = lpcfg_server_schannel(lp_ctx);
bool schannel_global_required = (schannel == true);
bool schannel_required = schannel_global_required;
const char *explicit_opt = NULL;
@@ -653,7 +654,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
dcesrv_call_auth_info(dce_call, &auth_type, NULL);
nt_status = schannel_check_creds_state(mem_ctx,
- dce_call->conn->dce_ctx->lp_ctx,
+ lp_ctx,
computer_name,
received_authenticator,
return_authenticator,
@@ -668,7 +669,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
* need the explicit_opt pointer in order to
* adjust the debug messages.
*/
- explicit_opt = lpcfg_get_parametric(dce_call->conn->dce_ctx->lp_ctx,
+ explicit_opt = lpcfg_get_parametric(lp_ctx,
NULL,
"server require schannel",
creds->account_name);
--
2.34.1

49
backport-0010-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,49 @@
From 903a2e1a15a1eceff4e261145535b313e439cb14 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 26 Oct 2022 14:29:54 +1300
Subject: [PATCH 10/54] CVE-2022-37966 tests/krb5: Add 'etypes' parameter to
_tgs_req()
This lets us select the encryption types we claim to support in the
request body.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit e0a91dddc4a6c70d7425c2c6836dcf2dd6d9a2de)
[jsutton@samba.org Adapted to 4.17 version of function taking different
parameters]
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/kdc_tgs_tests.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index f514e321fee1..cd023e5e32d9 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -70,6 +70,7 @@ class KdcTgsBaseTests(KDCBaseTest):
srealm=None,
use_fast=False,
expect_claims=True,
+ etypes=None,
expect_pac=True,
expect_pac_attrs=None,
expect_pac_attrs_pac_request=None,
@@ -135,7 +136,8 @@ class KdcTgsBaseTests(KDCBaseTest):
pac_options = None
- etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
+ if etypes is None:
+ etypes = (AES256_CTS_HMAC_SHA1_96, ARCFOUR_HMAC_MD5)
if expected_error:
check_error_fn = self.generic_check_kdc_error
--
2.34.1

113
backport-0010-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,113 @@
From 0ba8ec7deae74b5d945278614f0634d920e2c3c7 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 12 Dec 2022 14:03:50 +0100
Subject: [PATCH 10/30] CVE-2022-38023 s4:rpc_server/netlogon: add
talloc_stackframe() to dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0e6a2ba83ef1be3c6a0f5514c21395121621a145)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 32 +++++++++++--------
1 file changed, 19 insertions(+), 13 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 16c0101d1ea0..59386c4d5290 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -637,6 +637,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
struct netlogon_creds_CredentialState **creds_out)
{
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ TALLOC_CTX *frame = talloc_stackframe();
NTSTATUS nt_status;
int schannel = lpcfg_server_schannel(lp_ctx);
bool schannel_global_required = (schannel == true);
@@ -680,6 +681,7 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
if (schannel_required) {
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
*creds_out = creds;
+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
@@ -687,13 +689,15 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
"%s request (opnum[%u]) without schannel from "
"client_account[%s] client_computer_name[%s]\n",
opname, opnum,
- log_escape(mem_ctx, creds->account_name),
- log_escape(mem_ctx, creds->computer_name));
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
- "'server require schannel:%s = no' is needed! \n",
- log_escape(mem_ctx, creds->account_name));
+ "'server require schannel:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name));
TALLOC_FREE(creds);
ZERO_STRUCTP(return_authenticator);
+ TALLOC_FREE(frame);
return NT_STATUS_ACCESS_DENIED;
}
@@ -702,13 +706,14 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
"%s request (opnum[%u]) WITH schannel from "
"client_account[%s] client_computer_name[%s]\n",
opname, opnum,
- log_escape(mem_ctx, creds->account_name),
- log_escape(mem_ctx, creds->computer_name));
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
DBG_ERR("CVE-2020-1472(ZeroLogon): "
"Option 'server require schannel:%s = no' not needed!?\n",
- log_escape(mem_ctx, creds->account_name));
+ log_escape(frame, creds->account_name));
*creds_out = creds;
+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
@@ -718,24 +723,25 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
"%s request (opnum[%u]) without schannel from "
"client_account[%s] client_computer_name[%s]\n",
opname, opnum,
- log_escape(mem_ctx, creds->account_name),
- log_escape(mem_ctx, creds->computer_name));
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
DBG_INFO("CVE-2020-1472(ZeroLogon): "
"Option 'server require schannel:%s = no' still needed!\n",
- log_escape(mem_ctx, creds->account_name));
+ log_escape(frame, creds->account_name));
} else {
DBG_ERR("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) without schannel from "
"client_account[%s] client_computer_name[%s]\n",
opname, opnum,
- log_escape(mem_ctx, creds->account_name),
- log_escape(mem_ctx, creds->computer_name));
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
"'server require schannel:%s = no' might be needed!\n",
- log_escape(mem_ctx, creds->account_name));
+ log_escape(frame, creds->account_name));
}
*creds_out = creds;
+ TALLOC_FREE(frame);
return NT_STATUS_OK;
}
--
2.34.1

473
backport-0011-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,473 @@
From 1c9b4c5b8592e38a67ab46918ff414f73bb3d549 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 25 Oct 2022 19:32:27 +1300
Subject: [PATCH 11/54] CVE-2022-37966 tests/krb5: Add a test requesting
tickets with various encryption types
The KDC should leave the choice of ticket encryption type up to the
target service, and admit no influence from the client.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(similar to commit 177334c04230d0ad74bfc2b6825ffbebd5afb9af)
[jsutton@samba.org Fixed conflicts in usage.py, knownfails, tests.py]
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/etype_tests.py | 256 +++++++++++++++++++++++
python/samba/tests/krb5/kdc_tgs_tests.py | 106 ++++++++++
python/samba/tests/usage.py | 1 +
selftest/knownfail_heimdal_kdc | 5 +
selftest/knownfail_mit_kdc | 7 +
source4/selftest/tests.py | 4 +
6 files changed, 379 insertions(+)
create mode 100755 python/samba/tests/krb5/etype_tests.py
diff --git a/python/samba/tests/krb5/etype_tests.py b/python/samba/tests/krb5/etype_tests.py
new file mode 100755
index 000000000000..37dab1eab8d4
--- /dev/null
+++ b/python/samba/tests/krb5/etype_tests.py
@@ -0,0 +1,256 @@
+#!/usr/bin/env python3
+# Unix SMB/CIFS implementation.
+# Copyright (C) Stefan Metzmacher 2020
+# Copyright (C) 2022 Catalyst.Net Ltd
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see <http://www.gnu.org/licenses/>.
+#
+
+import sys
+import os
+
+from samba.dcerpc import security
+
+from samba.tests.krb5.kdc_tgs_tests import KdcTgsBaseTests
+from samba.tests.krb5.rfc4120_constants import (
+ AES256_CTS_HMAC_SHA1_96,
+ ARCFOUR_HMAC_MD5,
+ KDC_ERR_ETYPE_NOSUPP,
+)
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+global_asn1_print = False
+global_hexdump = False
+
+
+class EtypeTests(KdcTgsBaseTests):
+ def setUp(self):
+ super().setUp()
+ self.do_asn1_print = global_asn1_print
+ self.do_hexdump = global_hexdump
+
+ # Perform an AS-REQ for a service ticket, specifying AES. The request
+ # should fail with an error.
+ def test_as_aes_requested(self):
+ creds = self.get_mach_creds()
+ target_creds = self.get_service_creds()
+
+ self._as_req(creds, expected_error=KDC_ERR_ETYPE_NOSUPP,
+ target_creds=target_creds,
+ etype=(AES256_CTS_HMAC_SHA1_96,))
+
+ # Perform an AS-REQ for a service ticket, specifying RC4. The resulting
+ # ticket should be encrypted with RC4, with an RC4 session key.
+ def test_as_rc4_requested(self):
+ creds = self.get_mach_creds()
+ target_creds = self.get_service_creds()
+
+ ticket = self._as_req(creds, expected_error=0,
+ target_creds=target_creds,
+ etype=(ARCFOUR_HMAC_MD5,))
+
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.decryption_key.etype)
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.session_key.etype)
+
+ # Perform an AS-REQ for a service ticket, specifying AES, when the target
+ # service only supports AES. The resulting ticket should be encrypted with
+ # AES, with an AES session key.
+ def test_as_aes_supported_aes_requested(self):
+ creds = self.get_mach_creds()
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ })
+
+ ticket = self._as_req(creds, expected_error=0,
+ target_creds=target_creds,
+ etype=(AES256_CTS_HMAC_SHA1_96,))
+
+ self.assertEqual(AES256_CTS_HMAC_SHA1_96, ticket.decryption_key.etype)
+ self.assertEqual(AES256_CTS_HMAC_SHA1_96, ticket.session_key.etype)
+
+ # Perform an AS-REQ for a service ticket, specifying RC4, when the target
+ # service only supports AES. The resulting ticket should be encrypted with
+ # AES, with an RC4 session key.
+ def test_as_aes_supported_rc4_requested(self):
+ creds = self.get_mach_creds()
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ })
+
+ ticket = self._as_req(creds, expected_error=0,
+ target_creds=target_creds,
+ etype=(ARCFOUR_HMAC_MD5,))
+
+ self.assertEqual(AES256_CTS_HMAC_SHA1_96, ticket.decryption_key.etype)
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.session_key.etype)
+
+ # Perform an AS-REQ for a service ticket, specifying AES, when the target
+ # service only supports RC4. The request should fail with an error.
+ def test_as_rc4_supported_aes_requested(self):
+ creds = self.get_mach_creds()
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_RC4_HMAC_MD5,
+ })
+
+ self._as_req(creds, expected_error=KDC_ERR_ETYPE_NOSUPP,
+ target_creds=target_creds,
+ etype=(AES256_CTS_HMAC_SHA1_96,))
+
+ # Perform an AS-REQ for a service ticket, specifying RC4, when the target
+ # service only supports RC4. The resulting ticket should be encrypted with
+ # RC4, with an RC4 session key.
+ def test_as_rc4_supported_rc4_requested(self):
+ creds = self.get_mach_creds()
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_RC4_HMAC_MD5,
+ })
+
+ ticket = self._as_req(creds, expected_error=0,
+ target_creds=target_creds,
+ etype=(ARCFOUR_HMAC_MD5,))
+
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.decryption_key.etype)
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.session_key.etype)
+
+ # Perform a TGS-REQ for a service ticket, specifying AES. The request
+ # should fail with an error.
+ def test_tgs_aes_requested(self):
+ creds = self.get_mach_creds()
+ tgt = self.get_tgt(creds)
+
+ target_creds = self.get_mach_creds()
+
+ self._tgs_req(tgt, expected_error=KDC_ERR_ETYPE_NOSUPP,
+ target_creds=target_creds,
+ etypes=(AES256_CTS_HMAC_SHA1_96,))
+
+ # Perform a TGS-REQ for a service ticket, specifying RC4. The resulting
+ # ticket should be encrypted with RC4, with an RC4 session key.
+ def test_tgs_rc4_requested(self):
+ creds = self.get_mach_creds()
+ tgt = self.get_tgt(creds)
+
+ target_creds = self.get_mach_creds()
+
+ ticket = self._tgs_req(tgt, expected_error=0,
+ target_creds=target_creds,
+ etypes=(ARCFOUR_HMAC_MD5,))
+
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.decryption_key.etype)
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.session_key.etype)
+
+ # Perform a TGS-REQ for a service ticket, specifying AES, when the target
+ # service only supports AES. The resulting ticket should be encrypted with
+ # AES, with an AES session key.
+ def test_tgs_aes_supported_aes_requested(self):
+ creds = self.get_mach_creds()
+ tgt = self.get_tgt(creds)
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ })
+
+ ticket = self._tgs_req(tgt, expected_error=0,
+ target_creds=target_creds,
+ etypes=(AES256_CTS_HMAC_SHA1_96,))
+
+ self.assertEqual(AES256_CTS_HMAC_SHA1_96, ticket.decryption_key.etype)
+ self.assertEqual(AES256_CTS_HMAC_SHA1_96, ticket.session_key.etype)
+
+ # Perform a TGS-REQ for a service ticket, specifying RC4, when the target
+ # service only supports AES. The resulting ticket should be encrypted with
+ # AES, with an RC4 session key.
+ def test_tgs_aes_supported_rc4_requested(self):
+ creds = self.get_mach_creds()
+ tgt = self.get_tgt(creds)
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96,
+ })
+
+ ticket = self._tgs_req(tgt, expected_error=0,
+ target_creds=target_creds,
+ etypes=(ARCFOUR_HMAC_MD5,))
+
+ self.assertEqual(AES256_CTS_HMAC_SHA1_96, ticket.decryption_key.etype)
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.session_key.etype)
+
+ # Perform a TGS-REQ for a service ticket, specifying AES, when the target
+ # service only supports RC4. The request should fail with an error.
+ def test_tgs_rc4_supported_aes_requested(self):
+ creds = self.get_mach_creds()
+ tgt = self.get_tgt(creds)
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_RC4_HMAC_MD5,
+ })
+
+ self._tgs_req(tgt, expected_error=KDC_ERR_ETYPE_NOSUPP,
+ target_creds=target_creds,
+ etypes=(AES256_CTS_HMAC_SHA1_96,))
+
+ # Perform a TGS-REQ for a service ticket, specifying RC4, when the target
+ # service only supports RC4. The resulting ticket should be encrypted with
+ # RC4, with an RC4 session key.
+ def test_tgs_rc4_supported_rc4_requested(self):
+ creds = self.get_mach_creds()
+ tgt = self.get_tgt(creds)
+
+ target_creds = self.get_cached_creds(
+ account_type=self.AccountType.COMPUTER,
+ opts={
+ 'supported_enctypes':
+ security.KERB_ENCTYPE_RC4_HMAC_MD5,
+ })
+
+ ticket = self._tgs_req(tgt, expected_error=0,
+ target_creds=target_creds,
+ etypes=(ARCFOUR_HMAC_MD5,))
+
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.decryption_key.etype)
+ self.assertEqual(ARCFOUR_HMAC_MD5, ticket.session_key.etype)
+
+
+if __name__ == "__main__":
+ global_asn1_print = False
+ global_hexdump = False
+ import unittest
+ unittest.main()
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index cd023e5e32d9..3643644cf0a0 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -43,6 +43,7 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_MODIFIED,
KDC_ERR_NOT_US,
KDC_ERR_POLICY,
+ KDC_ERR_PREAUTH_REQUIRED,
KDC_ERR_C_PRINCIPAL_UNKNOWN,
KDC_ERR_S_PRINCIPAL_UNKNOWN,
KDC_ERR_TGT_REVOKED,
@@ -59,6 +60,111 @@ global_hexdump = False
class KdcTgsBaseTests(KDCBaseTest):
+ def _as_req(self,
+ creds,
+ expected_error,
+ target_creds,
+ etype):
+ user_name = creds.get_username()
+ cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=user_name.split('/'))
+
+ target_name = target_creds.get_username()
+ sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=['host', target_name[:-1]])
+
+ if expected_error:
+ expected_sname = sname
+ else:
+ expected_sname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
+ names=[target_name])
+
+ realm = creds.get_realm()
+ salt = creds.get_salt()
+
+ till = self.get_KerberosTime(offset=36000)
+
+ ticket_decryption_key = (
+ self.TicketDecryptionKey_from_creds(target_creds))
+ expected_etypes = target_creds.tgs_supported_enctypes
+
+ kdc_options = ('forwardable,'
+ 'renewable,'
+ 'canonicalize,'
+ 'renewable-ok')
+ kdc_options = krb5_asn1.KDCOptions(kdc_options)
+
+ if expected_error:
+ initial_error = (KDC_ERR_PREAUTH_REQUIRED, expected_error)
+ else:
+ initial_error = KDC_ERR_PREAUTH_REQUIRED
+
+ rep, kdc_exchange_dict = self._test_as_exchange(
+ cname=cname,
+ realm=realm,
+ sname=sname,
+ till=till,
+ client_as_etypes=etype,
+ expected_error_mode=initial_error,
+ expected_crealm=realm,
+ expected_cname=cname,
+ expected_srealm=realm,
+ expected_sname=sname,
+ expected_salt=salt,
+ expected_supported_etypes=expected_etypes,
+ etypes=etype,
+ padata=None,
+ kdc_options=kdc_options,
+ preauth_key=None,
+ ticket_decryption_key=ticket_decryption_key)
+ self.assertIsNotNone(rep)
+ self.assertEqual(KRB_ERROR, rep['msg-type'])
+ error_code = rep['error-code']
+ if expected_error:
+ self.assertIn(error_code, initial_error)
+ if error_code == expected_error:
+ return
+ else:
+ self.assertEqual(initial_error, error_code)
+
+ etype_info2 = kdc_exchange_dict['preauth_etype_info2']
+
+ preauth_key = self.PasswordKey_from_etype_info2(creds,
+ etype_info2[0],
+ creds.get_kvno())
+
+ ts_enc_padata = self.get_enc_timestamp_pa_data_from_key(preauth_key)
+
+ padata = [ts_enc_padata]
+
+ expected_realm = realm.upper()
+
+ rep, kdc_exchange_dict = self._test_as_exchange(
+ cname=cname,
+ realm=realm,
+ sname=sname,
+ till=till,
+ client_as_etypes=etype,
+ expected_error_mode=expected_error,
+ expected_crealm=expected_realm,
+ expected_cname=cname,
+ expected_srealm=expected_realm,
+ expected_sname=expected_sname,
+ expected_salt=salt,
+ expected_supported_etypes=expected_etypes,
+ etypes=etype,
+ padata=padata,
+ kdc_options=kdc_options,
+ preauth_key=preauth_key,
+ ticket_decryption_key=ticket_decryption_key,
+ expect_edata=False)
+ if expected_error:
+ self.check_error_rep(rep, expected_error)
+ return None
+
+ self.check_as_reply(rep)
+ return kdc_exchange_dict['rep_ticket_creds']
+
def _tgs_req(self, tgt, expected_error, target_creds,
armor_tgt=None,
kdc_options='0',
diff --git a/python/samba/tests/usage.py b/python/samba/tests/usage.py
index e6845b52e1b1..0286be15ec33 100644
--- a/python/samba/tests/usage.py
+++ b/python/samba/tests/usage.py
@@ -114,6 +114,7 @@ EXCLUDE_USAGE = {
'python/samba/tests/krb5/nt_hash_tests.py',
'python/samba/tests/krb5/kpasswd_tests.py',
'python/samba/tests/krb5/lockout_tests.py',
+ 'python/samba/tests/krb5/etype_tests.py',
}
EXCLUDE_HELP = {
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 4ae27eacb091..4abacafe03a0 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -54,3 +54,8 @@
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc
#
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
+#
+# Encryption type tests
+#
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_requested.ad_dc
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 9b6baa4bd712..5407cf3b3ce1 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -449,3 +449,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_lockout_transaction_rename_kdc.ad_dc:local
^samba.tests.krb5.lockout_tests.samba.tests.krb5.lockout_tests.LockoutTests.test_logon_kdc.ad_dc:local
+#
+# Encryption type tests
+#
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_aes_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_supported_rc4_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_requested.ad_dc
+^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_rc4_requested.ad_dc
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index 9e01fd66fc1f..b43c42f8363e 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1750,6 +1750,10 @@ planoldpythontestsuite(
'ad_dc:local',
'samba.tests.krb5.lockout_tests',
environ=krb5_environ)
+planoldpythontestsuite(
+ 'ad_dc',
+ 'samba.tests.krb5.etype_tests',
+ environ=krb5_environ)
for env in [
'vampire_dc',
--
2.34.1

84
backport-0011-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,84 @@
From 8dcb681f7da0ab4505b8688e924aecc4f92432f0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 12:37:03 +0100
Subject: [PATCH 11/30] CVE-2022-38023 s4:rpc_server/netlogon: re-order
checking in dcesrv_netr_creds_server_step_check()
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit ec62151a2fb49ecbeaa3bf924f49a956832b735e)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 41 +++++++++----------
1 file changed, 19 insertions(+), 22 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 59386c4d5290..e33e0819242f 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -678,13 +678,27 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
schannel_required = lp_bool(explicit_opt);
}
- if (schannel_required) {
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- *creds_out = creds;
- TALLOC_FREE(frame);
- return NT_STATUS_OK;
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (!schannel_required) {
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) WITH schannel from "
+ "client_account[%s] client_computer_name[%s]\n",
+ opname, opnum,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
+ }
+ if (explicit_opt != NULL && !schannel_required) {
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "Option 'server require schannel:%s = no' not needed!?\n",
+ log_escape(frame, creds->account_name));
}
+ *creds_out = creds;
+ TALLOC_FREE(frame);
+ return NT_STATUS_OK;
+ }
+
+ if (schannel_required) {
DBG_ERR("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) without schannel from "
"client_account[%s] client_computer_name[%s]\n",
@@ -701,23 +715,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
return NT_STATUS_ACCESS_DENIED;
}
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) WITH schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "Option 'server require schannel:%s = no' not needed!?\n",
- log_escape(frame, creds->account_name));
-
- *creds_out = creds;
- TALLOC_FREE(frame);
- return NT_STATUS_OK;
- }
-
-
if (explicit_opt != NULL) {
DBG_INFO("CVE-2020-1472(ZeroLogon): "
"%s request (opnum[%u]) without schannel from "
--
2.34.1

54
backport-0012-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,54 @@
From 3f55dbf520b77338bea1ef7ba8e4af70768a1f7d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Tue, 1 Nov 2022 14:47:12 +1300
Subject: [PATCH 12/54] CVE-2022-37966 HEIMDAL: Look up the server keys to
combine with clients etype list to select a session key
We need to select server, not client, to compare client etypes against.
(It is not useful to compare the client-supplied encryption types with
the client's own long-term keys.)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(similar to commit 538315a2aa6d03b7639b49eb1576efa8755fefec)
[jsutton@samba.org Fixed knownfail conflicts]
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
selftest/knownfail_heimdal_kdc | 5 -----
third_party/heimdal/kdc/kerberos5.c | 2 +-
2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/selftest/knownfail_heimdal_kdc b/selftest/knownfail_heimdal_kdc
index 4abacafe03a0..4ae27eacb091 100644
--- a/selftest/knownfail_heimdal_kdc
+++ b/selftest/knownfail_heimdal_kdc
@@ -54,8 +54,3 @@
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected.ad_dc
#
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
-#
-# Encryption type tests
-#
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_aes_requested.ad_dc
-^samba.tests.krb5.etype_tests.samba.tests.krb5.etype_tests.EtypeTests.test_as_rc4_supported_aes_requested.ad_dc
diff --git a/third_party/heimdal/kdc/kerberos5.c b/third_party/heimdal/kdc/kerberos5.c
index 0a7934310cca..3e0f2dbd6b63 100644
--- a/third_party/heimdal/kdc/kerberos5.c
+++ b/third_party/heimdal/kdc/kerberos5.c
@@ -2212,7 +2212,7 @@ _kdc_as_rep(astgs_request_t r)
* intersection of the client's requested enctypes and the server's (like a
* root krbtgt, but not necessarily) etypes from its HDB entry.
*/
- ret = _kdc_find_etype(r, (is_tgs ? KFE_IS_TGS:0) | KFE_USE_CLIENT,
+ ret = _kdc_find_etype(r, (is_tgs ? KFE_IS_TGS:0),
b->etype.val, b->etype.len,
&r->sessionetype, NULL, NULL);
if (ret) {
--
2.34.1

216
backport-0012-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,216 @@
From 5589c6eb66ca856e60b19553ff731c726072e796 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 12:37:03 +0100
Subject: [PATCH 12/30] CVE-2022-38023 s4:rpc_server/netlogon: improve
CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 16ee03efc194d9c1c2c746f63236b977a419918d)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 147 +++++++++++++-----
1 file changed, 106 insertions(+), 41 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index e33e0819242f..ce01400ec88b 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -644,15 +644,34 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
bool schannel_required = schannel_global_required;
const char *explicit_opt = NULL;
struct netlogon_creds_CredentialState *creds = NULL;
+ int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+ unsigned int dbg_lvl = DBGLVL_DEBUG;
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
uint16_t opnum = dce_call->pkt.u.request.opnum;
const char *opname = "<unknown>";
+ const char *reason = "<unknown>";
if (opnum < ndr_table_netlogon.num_calls) {
opname = ndr_table_netlogon.calls[opnum].name;
}
- dcesrv_call_auth_info(dce_call, &auth_type, NULL);
+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
+
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ reason = "WITH SEALED";
+ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ reason = "WITH SIGNED";
+ } else {
+ smb_panic("Schannel without SIGN/SEAL");
+ }
+ } else {
+ reason = "WITHOUT";
+ }
nt_status = schannel_check_creds_state(mem_ctx,
lp_ctx,
@@ -679,62 +698,108 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
}
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (!schannel_required) {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) WITH schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
+ nt_status = NT_STATUS_OK;
+
+ if (explicit_opt != NULL && !schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+ } else if (!schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
}
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(nt_status)));
+
if (explicit_opt != NULL && !schannel_required) {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "Option 'server require schannel:%s = no' not needed!?\n",
- log_escape(frame, creds->account_name));
+ DEBUG(CVE_2020_1472_warn_level, (
+ "CVE-2020-1472(ZeroLogon): "
+ "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
}
*creds_out = creds;
TALLOC_FREE(frame);
- return NT_STATUS_OK;
+ return nt_status;
}
if (schannel_required) {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) without schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
- "'server require schannel:%s = no' "
- "might be needed for a legacy client.\n",
- log_escape(frame, creds->account_name));
+ nt_status = NT_STATUS_ACCESS_DENIED;
+
+ if (explicit_opt != NULL) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+ } else {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(nt_status)));
+ if (explicit_opt != NULL) {
+ D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
+ "'server require schannel:%s = yes' "
+ "rejects access for client.\n",
+ log_escape(frame, creds->account_name));
+ } else {
+ DEBUG(CVE_2020_1472_error_level, (
+ "CVE-2020-1472(ZeroLogon): Check if option "
+ "'server require schannel:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
TALLOC_FREE(creds);
ZERO_STRUCTP(return_authenticator);
TALLOC_FREE(frame);
- return NT_STATUS_ACCESS_DENIED;
+ return nt_status;
}
+ nt_status = NT_STATUS_OK;
+
if (explicit_opt != NULL) {
- DBG_INFO("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) without schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
- DBG_INFO("CVE-2020-1472(ZeroLogon): "
- "Option 'server require schannel:%s = no' still needed!\n",
- log_escape(frame, creds->account_name));
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
} else {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) without schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
- "'server require schannel:%s = no' might be needed!\n",
- log_escape(frame, creds->account_name));
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(nt_status)));
+
+ if (explicit_opt != NULL) {
+ D_INFO("CVE-2020-1472(ZeroLogon): Option "
+ "'server require schannel:%s = no' "
+ "still needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
+ } else {
+ /*
+ * admins should set
+ * server require schannel:COMPUTER$ = no
+ * in order to avoid the level 0 messages.
+ * Over time they can switch the global value
+ * to be strict.
+ */
+ DEBUG(CVE_2020_1472_error_level, (
+ "CVE-2020-1472(ZeroLogon): "
+ "Please use 'server require schannel:%s = no' "
+ "for '%s' to avoid this warning!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
}
*creds_out = creds;
--
2.34.1

1151
backport-0013-CVE-2022-37966.patch Normal file
View File

File diff suppressed because it is too large Load Diff

93
backport-0013-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,93 @@
From 94f64296ad7de354af25b81b98f7d4153cabca43 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 12:26:01 +0100
Subject: [PATCH 13/30] CVE-2022-38023 selftest:Samba4: avoid global 'server
schannel = auto'
Instead of using the generic deprecated option use the specific
server require schannel:COMPUTERACCOUNT = no in order to allow
legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 63c96ea6c02981795e67336401143f2a8836992c)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
selftest/target/Samba4.pm | 40 ++++++++++++++++++++++++++++++++++++---
1 file changed, 37 insertions(+), 3 deletions(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index dcf00e85e9c7..191aa3b749ee 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1617,10 +1617,27 @@ sub provision_ad_dc_ntvfs($$$)
dsdb event notification = true
dsdb password event notification = true
dsdb group change notification = true
- server schannel = auto
# override the new SMB2 only default
client min protocol = CORE
server min protocol = LANMAN1
+
+ CVE_2020_1472:warn_about_unused_debug_level = 3
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+ server require schannel:schannel3\$ = no
+ server require schannel:schannel4\$ = no
+ server require schannel:schannel5\$ = no
+ server require schannel:schannel6\$ = no
+ server require schannel:schannel7\$ = no
+ server require schannel:schannel8\$ = no
+ server require schannel:schannel9\$ = no
+ server require schannel:schannel10\$ = no
+ server require schannel:schannel11\$ = no
+ server require schannel:torturetest\$ = no
+
+ # needed for 'samba.tests.auth_log' tests
+ server require schannel:LOCALDC\$ = no
";
push (@{$extra_provision_options}, "--use-ntvfs");
my $ret = $self->provision($prefix,
@@ -1969,8 +1986,22 @@ sub provision_ad_dc($$$$$$$)
lpq cache time = 0
print notify backchannel = yes
- server schannel = auto
- auth event notification = true
+ CVE_2020_1472:warn_about_unused_debug_level = 3
+ server require schannel:schannel0\$ = no
+ server require schannel:schannel1\$ = no
+ server require schannel:schannel2\$ = no
+ server require schannel:schannel3\$ = no
+ server require schannel:schannel4\$ = no
+ server require schannel:schannel5\$ = no
+ server require schannel:schannel6\$ = no
+ server require schannel:schannel7\$ = no
+ server require schannel:schannel8\$ = no
+ server require schannel:schannel9\$ = no
+ server require schannel:schannel10\$ = no
+ server require schannel:schannel11\$ = no
+ server require schannel:torturetest\$ = no
+
+ auth event notification = true
dsdb event notification = true
dsdb password event notification = true
dsdb group change notification = true
@@ -2659,6 +2690,9 @@ sub setup_ad_dc_smb1
[global]
client min protocol = CORE
server min protocol = LANMAN1
+
+ # needed for 'samba.tests.auth_log' tests
+ server require schannel:ADDCSMB1\$ = no
";
return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
}
--
2.34.1

209
backport-0014-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,209 @@
From 96333365e1720e4eebcc643f4d65afa68f2c1baa Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 15 Nov 2022 18:14:36 +1300
Subject: [PATCH 14/54] CVE-2022-37966 param: Add support for new option "kdc
default domain supportedenctypes"
This matches the Windows registry key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Pair-Programmed-With: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit d861d4eb28bd4c091955c11669edcf867b093a6f)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../kdcdefaultdomainsupportedenctypes.xml | 42 ++++++++++
lib/param/loadparm.c | 79 +++++++++++++++++++
librpc/idl/security.idl | 1 +
source3/param/loadparm.c | 3 +
4 files changed, 125 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
new file mode 100644
index 000000000000..e93650ac3e07
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -0,0 +1,42 @@
+<samba:parameter name="kdc default domain supported enctypes"
+ type="integer"
+ context="G"
+ handler="handle_kdc_default_domain_supported_enctypes"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ Set the default value of <constant>msDS-SupportedEncryptionTypes</constant> for service accounts in Active Directory that are missing this value or where <constant>msDS-SupportedEncryptionTypes</constant> is set to 0.
+ </para>
+
+ <para>
+ This allows Samba administrators to match the configuration flexibility provided by the
+ <constant>HKEY_LOCAL_MACHINE\System\CurrentControlSet\services\KDC\DefaultDomainSupportedEncTypes</constant> Registry Value on Windows.
+ </para>
+ <para>
+ Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed in hexadecimal or as a list of Kerberos encryption type names.
+ </para>
+ <para>
+ Specified values are ORed together bitwise, and those currently supported consist of:
+ </para><itemizedlist>
+ <listitem>
+ <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+ <para>Known on Windows as Kerberos RC4 encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+ <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+ <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96-sk</constant>, <constant>aes256-cts-sk</constant>, <constant>0x20</constant>, or <constant>32</constant></para>
+ <para>Allow AES session keys. When this is set, it indicates to the KDC that AES session keys can be used, even when <constant>aes256-cts</constant> and <constant>aes128-cts</constant> are not set. This allows use of AES keys against hosts otherwise only configured with RC4 for ticket keys (which is the default).</para>
+ </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1dcc8061fa21..1cb25f843b3b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -70,6 +70,7 @@
#include "tdb.h"
#include "librpc/gen_ndr/nbt.h"
#include "librpc/gen_ndr/dns.h"
+#include "librpc/gen_ndr/security.h"
#include "libds/common/roles.h"
#include "lib/util/samba_util.h"
#include "libcli/auth/ntlm_check.h"
@@ -1704,6 +1705,80 @@ out:
return value_is_valid;
}
+bool handle_kdc_default_domain_supported_enctypes(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue, char **ptr)
+{
+ char **enctype_list = NULL;
+ char **enctype = NULL;
+ uint32_t result = 0;
+ bool ok = true;
+
+ enctype_list = str_list_make(NULL, pszParmValue, NULL);
+ if (enctype_list == NULL) {
+ DBG_ERR("OOM: failed to make string list from %s\n",
+ pszParmValue);
+ ok = false;
+ goto out;
+ }
+
+ for (enctype = enctype_list; *enctype != NULL; ++enctype) {
+ if (strwicmp(*enctype, "arcfour-hmac-md5") == 0 ||
+ strwicmp(*enctype, "rc4-hmac") == 0)
+ {
+ result |= KERB_ENCTYPE_RC4_HMAC_MD5;
+ }
+ else if (strwicmp(*enctype, "aes128-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes128-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ }
+ else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes256-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ }
+ else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96-sk") == 0 ||
+ strwicmp(*enctype, "aes256-cts-sk") == 0)
+ {
+ result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+ }
+ else {
+ const char *bitstr = *enctype;
+ int base;
+ int error;
+ unsigned long bit;
+
+ /* See if the bit's specified in hexadecimal. */
+ if (bitstr[0] == '0' &&
+ (bitstr[1] == 'x' || bitstr[2] == 'X'))
+ {
+ base = 16;
+ bitstr += 2;
+ }
+ else {
+ base = 10;
+ }
+
+ bit = smb_strtoul(bitstr, NULL, base, &error, SMB_STR_FULL_STR_CONV);
+ if (error) {
+ DBG_ERR("WARNING: Ignoring invalid value '%s' "
+ "for parameter 'kdc default domain supported enctypes'\n",
+ *enctype);
+ ok = false;
+ } else {
+ result |= bit;
+ }
+ }
+ }
+
+ *(int *)ptr = result;
+out:
+ TALLOC_FREE(enctype_list);
+
+ return ok;
+}
+
static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service,
int parmnum, void *parm_ptr,
const char *pszParmName, const char *pszParmValue,
@@ -3012,6 +3087,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"rpc start on demand helpers",
"yes");
+ lpcfg_do_global_parameter(lp_ctx,
+ "kdc default domain supported enctypes",
+ "rc4-hmac aes256-cts-hmac-sha1-96-sk");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/librpc/idl/security.idl b/librpc/idl/security.idl
index d05e3c3e1b7a..8cfdbf569962 100644
--- a/librpc/idl/security.idl
+++ b/librpc/idl/security.idl
@@ -725,6 +725,7 @@ interface security
KERB_ENCTYPE_RC4_HMAC_MD5 = 0x00000004,
KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96 = 0x00000008,
KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96 = 0x00000010,
+ KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK = 0x00000020,
KERB_ENCTYPE_FAST_SUPPORTED = 0x00010000,
KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED = 0x00020000,
KERB_ENCTYPE_CLAIMS_SUPPORTED = 0x00040000,
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 7e20acbf8b96..fb15b20e1876 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -995,6 +995,9 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
*/
Globals.rpc_start_on_demand_helpers = true;
+ Globals.kdc_default_domain_supported_enctypes =
+ KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
--
2.34.1

210
backport-0014-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,210 @@
From 14efe15daa8600ba9be658ce98cb0d30a6e35a2c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 28 Nov 2022 15:02:13 +0100
Subject: [PATCH 14/30] CVE-2022-38023 s4:torture: use
NETLOGON_NEG_SUPPORTS_AES by default
For generic tests we should use the best available features.
And AES will be required by default soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit cfd55a22cda113fbb2bfa373b54091dde1ea6e66)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/torture/ntp/ntp_signd.c | 2 +-
source4/torture/rpc/lsa.c | 4 ++--
source4/torture/rpc/netlogon.c | 24 ++++++++++++------------
source4/torture/rpc/samba3rpc.c | 15 ++++++++++++---
4 files changed, 27 insertions(+), 18 deletions(-)
diff --git a/source4/torture/ntp/ntp_signd.c b/source4/torture/ntp/ntp_signd.c
index 124c9604871b..6d482bfdee16 100644
--- a/source4/torture/ntp/ntp_signd.c
+++ b/source4/torture/ntp/ntp_signd.c
@@ -70,7 +70,7 @@ static bool test_ntp_signd(struct torture_context *tctx,
uint32_t rid;
const char *machine_name;
const struct samr_Password *pwhash = cli_credentials_get_nt_hash(credentials, mem_ctx);
- uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
struct sign_request sign_req;
struct signed_reply signed_reply;
diff --git a/source4/torture/rpc/lsa.c b/source4/torture/rpc/lsa.c
index d430ee571081..d22546862d5b 100644
--- a/source4/torture/rpc/lsa.c
+++ b/source4/torture/rpc/lsa.c
@@ -4408,7 +4408,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
ok = check_pw_with_ServerAuthenticate3(p1, tctx,
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
server_name,
incoming_creds, &creds);
torture_assert_int_equal(tctx, ok, expected_result,
@@ -4505,7 +4505,7 @@ static bool check_dom_trust_pw(struct dcerpc_pipe *p,
torture_assert_ntstatus_ok(tctx, status, "dcerpc_pipe_connect_b");
ok = check_pw_with_ServerAuthenticate3(p2, tctx,
- NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
server_name,
incoming_creds, &creds);
torture_assert(tctx, ok, "check_pw_with_ServerAuthenticate3 with changed password");
diff --git a/source4/torture/rpc/netlogon.c b/source4/torture/rpc/netlogon.c
index 59d7feb43f1d..1f068eb78265 100644
--- a/source4/torture/rpc/netlogon.c
+++ b/source4/torture/rpc/netlogon.c
@@ -191,7 +191,7 @@ bool test_SetupCredentials(struct dcerpc_pipe *p, struct torture_context *tctx,
/* This allows the tests to continue against the more fussy windows 2008 */
if (NT_STATUS_EQUAL(a.out.result, NT_STATUS_DOWNGRADE_DETECTED)) {
- return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ return test_SetupCredentials2(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
credentials,
cli_credentials_get_secure_channel_type(credentials),
creds_out);
@@ -431,7 +431,7 @@ bool test_SetupCredentialsDowngrade(struct torture_context *tctx,
"ServerAuthenticate3 failed");
torture_assert_ntstatus_equal(tctx, a.out.result, NT_STATUS_DOWNGRADE_DETECTED, "ServerAuthenticate3 should have failed");
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
creds = netlogon_creds_client_init(tctx, a.in.account_name,
a.in.computer_name,
a.in.secure_channel_type,
@@ -498,7 +498,7 @@ static bool test_ServerReqChallenge(
const char *machine_name;
struct dcerpc_binding_handle *b = p->binding_handle;
struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
uint32_t out_negotiate_flags = 0;
const struct samr_Password *mach_password = NULL;
enum netr_SchannelType sec_chan_type = 0;
@@ -570,7 +570,7 @@ static bool test_ServerReqChallenge_zero_challenge(
const char *machine_name;
struct dcerpc_binding_handle *b = p->binding_handle;
struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
uint32_t out_negotiate_flags = 0;
const struct samr_Password *mach_password = NULL;
enum netr_SchannelType sec_chan_type = 0;
@@ -647,7 +647,7 @@ static bool test_ServerReqChallenge_5_repeats(
const char *machine_name;
struct dcerpc_binding_handle *b = p->binding_handle;
struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
uint32_t out_negotiate_flags = 0;
const struct samr_Password *mach_password = NULL;
enum netr_SchannelType sec_chan_type = 0;
@@ -731,7 +731,7 @@ static bool test_ServerReqChallenge_4_repeats(
const char *machine_name;
struct dcerpc_binding_handle *b = p->binding_handle;
struct netr_ServerAuthenticate2 a;
- uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t in_negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
uint32_t out_negotiate_flags = 0;
const struct samr_Password *mach_password = NULL;
enum netr_SchannelType sec_chan_type = 0;
@@ -1527,7 +1527,7 @@ static bool test_SetPassword2_all_zeros(
struct netr_CryptPassword new_password;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
if (!test_SetupCredentials2(
p1,
@@ -1603,7 +1603,7 @@ static bool test_SetPassword2_maximum_length_password(
struct netr_CryptPassword new_password;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
DATA_BLOB new_random_pass = data_blob_null;
if (!test_SetupCredentials2(
@@ -1686,7 +1686,7 @@ static bool test_SetPassword2_all_zero_password(
struct netr_CryptPassword new_password;
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
- uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ uint32_t flags = NETLOGON_NEG_AUTH2_ADS_FLAGS; /* no AES desired here */
if (!test_SetupCredentials2(
p1,
@@ -4046,7 +4046,7 @@ static bool test_netr_GetForestTrustInformation(struct torture_context *tctx,
struct dcerpc_pipe *p = NULL;
struct dcerpc_binding_handle *b = NULL;
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
machine_credentials, &creds)) {
return false;
}
@@ -4985,7 +4985,7 @@ static bool test_GetDomainInfo(struct torture_context *tctx,
torture_comment(tctx, "Testing netr_LogonGetDomainInfo\n");
- if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ if (!test_SetupCredentials3(p1, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
machine_credentials, &creds)) {
return false;
}
@@ -5562,7 +5562,7 @@ static bool test_GetDomainInfo_async(struct torture_context *tctx,
torture_comment(tctx, "Testing netr_LogonGetDomainInfo - async count %d\n", ASYNC_COUNT);
- if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS,
+ if (!test_SetupCredentials3(p, tctx, NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES,
machine_credentials, &creds)) {
return false;
}
diff --git a/source4/torture/rpc/samba3rpc.c b/source4/torture/rpc/samba3rpc.c
index 39e43e5fcdbe..36eabdc488d9 100644
--- a/source4/torture/rpc/samba3rpc.c
+++ b/source4/torture/rpc/samba3rpc.c
@@ -1071,7 +1071,7 @@ static bool auth2(struct torture_context *tctx,
goto done;
}
- negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS;
+ negotiate_flags = NETLOGON_NEG_AUTH2_ADS_FLAGS | NETLOGON_NEG_SUPPORTS_AES;
E_md4hash(cli_credentials_get_password(wks_cred), mach_pw.hash);
a.in.server_name = talloc_asprintf(
@@ -1260,10 +1260,19 @@ static bool schan(struct torture_context *tctx,
E_md4hash(cli_credentials_get_password(user_creds),
pinfo.ntpassword.hash);
- netlogon_creds_arcfour_crypt(creds_state, pinfo.ntpassword.hash, 16);
-
logon.password = &pinfo;
+ /*
+ * We don't use this here:
+ *
+ * netlogon_creds_encrypt_samlogon_logon(creds_state,
+ * NetlogonInteractiveInformation,
+ * &logon);
+ *
+ * in order to detect bugs
+ */
+ netlogon_creds_aes_encrypt(creds_state, pinfo.ntpassword.hash, 16);
+
r.in.logon_level = NetlogonInteractiveInformation;
r.in.logon = &logon;
r.out.return_authenticator = &return_authenticator;
--
2.34.1

83
backport-0015-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,83 @@
From 91ed623daf97524aeef8dc3c35808634456c4526 Mon Sep 17 00:00:00 2001
From: Andrew Bartlett <abartlet@samba.org>
Date: Fri, 18 Nov 2022 13:44:28 +1300
Subject: [PATCH 15/54] CVE-2022-37966 param: Add support for new option "kdc
force enable rc4 weak session keys"
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz>
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
(cherry picked from commit ee18bc29b8ef6a3f09070507cc585467e55a1628)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../kdcforceenablerc4weaksessionkeys.xml | 24 +++++++++++++++++++
lib/param/loadparm.c | 4 ++++
source3/param/loadparm.c | 1 +
3 files changed, 29 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
diff --git a/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
new file mode 100644
index 000000000000..1cb46d74a369
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcforceenablerc4weaksessionkeys.xml
@@ -0,0 +1,24 @@
+<samba:parameter name="kdc force enable rc4 weak session keys"
+ type="boolean"
+ context="G"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ <constant>RFC8429</constant> declares that
+ <constant>rc4-hmac</constant> Kerberos ciphers are weak and
+ there are known attacks on Active Directory use of this
+ cipher suite.
+ </para>
+ <para>
+ However for compatibility with Microsoft Windows this option
+ allows the KDC to assume that regardless of the value set in
+ a service account's
+ <constant>msDS-SupportedEncryptionTypes</constant> attribute
+ that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
+ found in a service keytab) can be used if the potentially
+ older client requests it.
+ </para>
+</description>
+
+<value type="default">no</value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1cb25f843b3b..a858c31dbba4 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3091,6 +3091,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"kdc default domain supported enctypes",
"rc4-hmac aes256-cts-hmac-sha1-96-sk");
+ lpcfg_do_global_parameter(lp_ctx,
+ "kdc force enable rc4 weak session keys",
+ "no");
+
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index fb15b20e1876..dc1a830cdbe1 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -997,6 +997,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.kdc_default_domain_supported_enctypes =
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
+ Globals.kdc_force_enable_rc4_weak_session_keys = false;
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
--
2.34.1

167
backport-0015-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,167 @@
From b7bd51a393988883936048a0fd9d790d0e03481f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 09:54:17 +0100
Subject: [PATCH 15/30] CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_ServerAuthenticate3_check_downgrade()
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need the downgrade detection in more places.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b6339fd1dcbe903e73efeea074ab0bd04ef83561)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 114 ++++++++++--------
1 file changed, 67 insertions(+), 47 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index ce01400ec88b..82e3df055e7f 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -125,6 +125,67 @@ static NTSTATUS dcesrv_netr_ServerReqChallenge(struct dcesrv_call_state *dce_cal
return NT_STATUS_OK;
}
+static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ struct dcesrv_call_state *dce_call,
+ struct netr_ServerAuthenticate3 *r,
+ struct netlogon_server_pipe_state *pipe_state,
+ uint32_t negotiate_flags,
+ NTSTATUS orig_status)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+ bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
+ bool reject_des_client = !allow_nt4_crypto;
+ bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+
+ if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+ reject_des_client = false;
+ }
+
+ if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ reject_des_client = false;
+ reject_md5_client = false;
+ }
+
+ if (reject_des_client || reject_md5_client) {
+ /*
+ * Here we match Windows 2012 and return no flags.
+ */
+ *r->out.negotiate_flags = 0;
+ return NT_STATUS_DOWNGRADE_DETECTED;
+ }
+
+ /*
+ * This talloc_free is important to prevent re-use of the
+ * challenge. We have to delay it this far due to NETApp
+ * servers per:
+ * https://bugzilla.samba.org/show_bug.cgi?id=11291
+ */
+ TALLOC_FREE(pipe_state);
+
+ /*
+ * At this point we must also cleanup the TDB cache
+ * entry, if we fail the client needs to call
+ * netr_ServerReqChallenge again.
+ *
+ * Note: this handles a non existing record just fine,
+ * the r->in.computer_name might not be the one used
+ * in netr_ServerReqChallenge(), but we are trying to
+ * just tidy up the normal case to prevent re-use.
+ */
+ schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
+ r->in.computer_name);
+
+ /*
+ * According to Microsoft (see bugid #6099)
+ * Windows 7 looks at the negotiate_flags
+ * returned in this structure *even if the
+ * call fails with access denied!
+ */
+ *r->out.negotiate_flags = negotiate_flags;
+
+ return orig_status;
+}
+
/*
* Do the actual processing of a netr_ServerAuthenticate3 message.
* called from dcesrv_netr_ServerAuthenticate3, which handles the logging.
@@ -152,11 +213,9 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
"objectSid", "samAccountName", NULL};
uint32_t server_flags = 0;
uint32_t negotiate_flags = 0;
- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(dce_call->conn->dce_ctx->lp_ctx);
- bool reject_des_client = !allow_nt4_crypto;
- bool reject_md5_client = lpcfg_reject_md5_clients(dce_call->conn->dce_ctx->lp_ctx);
ZERO_STRUCTP(r->out.return_credentials);
+ *r->out.negotiate_flags = 0;
*r->out.rid = 0;
pipe_state = dcesrv_iface_state_find_conn(dce_call,
@@ -243,52 +302,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
negotiate_flags = *r->in.negotiate_flags & server_flags;
- if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
- reject_des_client = false;
- }
-
- if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
- reject_des_client = false;
- reject_md5_client = false;
- }
-
- if (reject_des_client || reject_md5_client) {
- /*
- * Here we match Windows 2012 and return no flags.
- */
- *r->out.negotiate_flags = 0;
- return NT_STATUS_DOWNGRADE_DETECTED;
+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_OK);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
}
- /*
- * This talloc_free is important to prevent re-use of the
- * challenge. We have to delay it this far due to NETApp
- * servers per:
- * https://bugzilla.samba.org/show_bug.cgi?id=11291
- */
- TALLOC_FREE(pipe_state);
-
- /*
- * At this point we must also cleanup the TDB cache
- * entry, if we fail the client needs to call
- * netr_ServerReqChallenge again.
- *
- * Note: this handles a non existing record just fine,
- * the r->in.computer_name might not be the one used
- * in netr_ServerReqChallenge(), but we are trying to
- * just tidy up the normal case to prevent re-use.
- */
- schannel_delete_challenge(dce_call->conn->dce_ctx->lp_ctx,
- r->in.computer_name);
-
- /*
- * According to Microsoft (see bugid #6099)
- * Windows 7 looks at the negotiate_flags
- * returned in this structure *even if the
- * call fails with access denied!
- */
- *r->out.negotiate_flags = negotiate_flags;
-
switch (r->in.secure_channel_type) {
case SEC_CHAN_WKSTA:
case SEC_CHAN_DNS_DOMAIN:
--
2.34.1

34
backport-0016-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,34 @@
From 771807b9693866096e7a8bcf0b0659bb35528177 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 21 Nov 2022 14:01:47 +1300
Subject: [PATCH 16/54] CVE-2022-37966 third_party/heimdal: Fix error message
typo
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d6b3d68efc296190a133b4e38137bdfde39257f4)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
third_party/heimdal/lib/krb5/init_creds_pw.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/third_party/heimdal/lib/krb5/init_creds_pw.c b/third_party/heimdal/lib/krb5/init_creds_pw.c
index 4173837779b0..9257886530ac 100644
--- a/third_party/heimdal/lib/krb5/init_creds_pw.c
+++ b/third_party/heimdal/lib/krb5/init_creds_pw.c
@@ -3214,7 +3214,7 @@ init_creds_step(krb5_context context,
if (available_padata_count(&ctx->md) == 0) {
krb5_set_error_message(context, ret,
N_("Preauth required but no preauth "
- "options send by KDC", ""));
+ "options sent by KDC", ""));
goto out;
}
} else if (ret == KRB5KRB_AP_ERR_SKEW && context->kdc_sec_offset == 0) {
--
2.34.1

55
backport-0016-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,55 @@
From 548325d1e837123e7e356de6849daf62f12cabfd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 10:10:33 +0100
Subject: [PATCH 16/30] CVE-2022-38023 s4:rpc_server/netlogon: require aes if
weak crypto is disabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +++++++++
source4/torture/rpc/netlogon_crypto.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 82e3df055e7f..51e8dd42cdce 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
bool reject_des_client = !allow_nt4_crypto;
bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+ /*
+ * If weak cryto is disabled, do not announce that we support RC4.
+ */
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ /* Without RC4 and DES we require AES */
+ reject_des_client = true;
+ reject_md5_client = true;
+ }
+
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
reject_des_client = false;
}
diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c
index 05beb2b77b3b..85844604ee27 100644
--- a/source4/torture/rpc/netlogon_crypto.c
+++ b/source4/torture/rpc/netlogon_crypto.c
@@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p,
force_client_rc4) {
torture_assert_ntstatus_equal(tctx,
a.out.result,
- NT_STATUS_ACCESS_DENIED,
+ NT_STATUS_DOWNGRADE_DETECTED,
"Unexpected status code");
return false;
}
--
2.34.1

36
backport-0017-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,36 @@
From e2fde13b01392410199b69be1b71c959e86b8e47 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 21 Nov 2022 13:45:22 +1300
Subject: [PATCH 17/54] CVE-2022-37966 samba-tool: Fix 'domain trust create'
documentation
This option does the opposite of what the documentation claims.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6b155b22e6afa52ce29cc475840c1d745b0f1f5e)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/netcmd/domain.py | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 2a548ed1ad4c..0051837138b2 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -2303,7 +2303,7 @@ class cmd_domain_trust_create(DomainTrustCommand):
dest='treat_as_external',
default=False),
Option("--no-aes-keys", action="store_false",
- help="The trust uses aes kerberos keys.",
+ help="The trust does not use AES kerberos keys.",
dest='use_aes_keys',
default=True),
Option("--skip-validation", action="store_false",
--
2.34.1

98
backport-0017-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,98 @@
From 2d179d5d7cd6a47a1a7922f09b63234a467bdad3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2022 18:26:18 +0100
Subject: [PATCH 17/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5
clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++---
lib/param/loadparm.c | 1 +
selftest/target/Samba4.pm | 4 ++++
source3/param/loadparm.c | 1 +
4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 0bb9f6f6c8ec..edcbe02e99a3 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -7,11 +7,16 @@
only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
- <para>You can set this to yes if all domain members support aes.
- This will prevent downgrade attacks.</para>
+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+ starting with Server 2008R2 and Windows 7, it's available in Samba
+ starting with 4.0, however third party domain members like NetApp ONTAP
+ still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
+
+ <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
<para>This option overrides the 'allow nt4 crypto' option.</para>
</description>
-<value type="default">no</value>
+<value type="default">yes</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 10157c95bc16..e509cf85bb89 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
+ lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 191aa3b749ee..d0e5a53d9fb3 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1621,6 +1621,8 @@ sub provision_ad_dc_ntvfs($$$)
client min protocol = CORE
server min protocol = LANMAN1
+ reject md5 clients = no
+
CVE_2020_1472:warn_about_unused_debug_level = 3
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
@@ -1986,6 +1988,8 @@ sub provision_ad_dc($$$$$$$)
lpq cache time = 0
print notify backchannel = yes
+ reject md5 clients = no
+
CVE_2020_1472:warn_about_unused_debug_level = 3
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 91bb3c08327b..c88d241bcf78 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -668,6 +668,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.require_strong_key = true;
Globals.reject_md5_servers = true;
Globals.server_schannel = true;
+ Globals.reject_md5_clients = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
--
2.34.1

46
backport-0018-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,46 @@
From 945c8c8306fe71dbe3fe14c42cb2dabc9853957e Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 21 Nov 2022 13:47:06 +1300
Subject: [PATCH 18/54] CVE-2022-37966 samba-tool: Declare explicitly RC4
support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/netcmd/domain.py | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index 0051837138b2..e2eeabd6d1a1 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -2335,11 +2335,14 @@ class cmd_domain_trust_create(DomainTrustCommand):
if treat_as_external:
raise CommandError("--treat-as-external requires --type=forest")
- enc_types = None
+ enc_types = lsa.TrustDomainInfoSupportedEncTypes()
if use_aes_keys:
- enc_types = lsa.TrustDomainInfoSupportedEncTypes()
enc_types.enc_types = security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
enc_types.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ else:
+ # CVE-2022-37966: Trust objects are no longer assumed to support
+ # RC4, so we must indicate support explicitly.
+ enc_types.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
--
2.34.1

185
backport-0018-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,185 @@
From 2c9f18c158860c33522d333da6c65e3e5ccb385f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 10:31:08 +0100
Subject: [PATCH 18/30] CVE-2022-38023 s4:rpc_server/netlogon: defer downgrade
check until we found the account in our SAM
We'll soon make it possible to use 'reject md5 servers:CLIENTACCOUNT$ = no',
which means we'll need use the account name from our SAM.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b09f51eefc311bbb1525efd1dc7b9a837f7ec3c2)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 76 +++++++++++++------
1 file changed, 53 insertions(+), 23 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 51e8dd42cdce..bf545adc45a9 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -311,13 +311,6 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
negotiate_flags = *r->in.negotiate_flags & server_flags;
- nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
- dce_call, r, pipe_state, negotiate_flags,
- NT_STATUS_OK);
- if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
- }
-
switch (r->in.secure_channel_type) {
case SEC_CHAN_WKSTA:
case SEC_CHAN_DNS_DOMAIN:
@@ -326,16 +319,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
case SEC_CHAN_RODC:
break;
case SEC_CHAN_NULL:
- return NT_STATUS_INVALID_PARAMETER;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_INVALID_PARAMETER);
default:
DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
r->in.secure_channel_type));
- return NT_STATUS_INVALID_PARAMETER;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_INVALID_PARAMETER);
}
sam_ctx = dcesrv_samdb_connect_as_system(mem_ctx, dce_call);
if (sam_ctx == NULL) {
- return NT_STATUS_INVALID_SYSTEM_SERVICE;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_INVALID_SYSTEM_SERVICE);
}
if (r->in.secure_channel_type == SEC_CHAN_DOMAIN ||
@@ -364,16 +363,22 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
encoded_name = ldb_binary_encode_string(mem_ctx,
r->in.account_name);
if (encoded_name == NULL) {
- return NT_STATUS_NO_MEMORY;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_MEMORY);
}
len = strlen(encoded_name);
if (len < 2) {
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
if (require_trailer && encoded_name[len - 1] != trailer) {
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
encoded_name[len - 1] = '\0';
@@ -391,30 +396,42 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
"but there's no tdo for [%s] => [%s] \n",
log_escape(mem_ctx, r->in.account_name),
encoded_name));
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ nt_status);
}
nt_status = dsdb_trust_get_incoming_passwords(tdo_msg, mem_ctx,
&curNtHash,
&prevNtHash);
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
if (!NT_STATUS_IS_OK(nt_status)) {
- return nt_status;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ nt_status);
}
flatname = ldb_msg_find_attr_as_string(tdo_msg, "flatName", NULL);
if (flatname == NULL) {
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
*trust_account_for_search = talloc_asprintf(mem_ctx, "%s$", flatname);
if (*trust_account_for_search == NULL) {
- return NT_STATUS_NO_MEMORY;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_MEMORY);
}
} else {
*trust_account_for_search = r->in.account_name;
@@ -429,14 +446,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (num_records == 0) {
DEBUG(3,("Couldn't find user [%s] in samdb.\n",
log_escape(mem_ctx, r->in.account_name)));
- return NT_STATUS_NO_TRUST_SAM_ACCOUNT;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
if (num_records > 1) {
DEBUG(0,("Found %d records matching user [%s]\n",
num_records,
log_escape(mem_ctx, r->in.account_name)));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_INTERNAL_DB_CORRUPTION);
}
*trust_account_in_db = ldb_msg_find_attr_as_string(msgs[0],
@@ -445,9 +466,18 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (*trust_account_in_db == NULL) {
DEBUG(0,("No samAccountName returned in record matching user [%s]\n",
r->in.account_name));
- return NT_STATUS_INTERNAL_DB_CORRUPTION;
+ return dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_INTERNAL_DB_CORRUPTION);
}
-
+
+ nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
+ dce_call, r, pipe_state, negotiate_flags,
+ NT_STATUS_OK);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+
user_account_control = ldb_msg_find_attr_as_uint(msgs[0], "userAccountControl", 0);
if (user_account_control & UF_ACCOUNTDISABLE) {
--
2.34.1

137
backport-0019-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,137 @@
From ff929d86bf96ebe41ee8ee0f1d069409308bc855 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Mon, 21 Nov 2022 18:05:36 +1300
Subject: [PATCH 19/54] CVE-2022-37966 tests/krb5: Test different preauth
etypes with Protected Users group
Extend the RC4 Protected Users tests to use different preauth etypes.
This helps test the nuances of the new expected behaviour and allows the
tests to continue passing.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a7a0b9ad0757d6586905d64bc645a8946fe5c10e)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../samba/tests/krb5/protected_users_tests.py | 47 +++++++++++++++----
selftest/knownfail_mit_kdc | 6 ++-
2 files changed, 42 insertions(+), 11 deletions(-)
diff --git a/python/samba/tests/krb5/protected_users_tests.py b/python/samba/tests/krb5/protected_users_tests.py
index a03ccaf0c66d..02d7356bb7dc 100755
--- a/python/samba/tests/krb5/protected_users_tests.py
+++ b/python/samba/tests/krb5/protected_users_tests.py
@@ -41,6 +41,7 @@ from samba.tests.krb5.rfc4120_constants import (
KDC_ERR_ETYPE_NOSUPP,
KDC_ERR_POLICY,
KDC_ERR_PREAUTH_REQUIRED,
+ KRB_ERROR,
NT_PRINCIPAL,
NT_SRV_INST,
)
@@ -451,11 +452,20 @@ class ProtectedUsersTests(KDCBaseTest):
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5)
- def test_rc4_protected(self):
+ def test_rc4_protected_aes256_preauth(self):
client_creds = self._get_creds(protected=True)
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
- expect_error=True, rc4_support=False)
+ preauth_etype=AES256_CTS_HMAC_SHA1_96,
+ rc4_support=False)
+
+ def test_rc4_protected_rc4_preauth(self):
+ client_creds = self._get_creds(protected=True)
+
+ self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
+ preauth_etype=ARCFOUR_HMAC_MD5,
+ expect_error=True, rc4_support=False,
+ expect_edata=False)
# Test that AES256 can always be used.
def test_aes256_not_protected(self):
@@ -541,13 +551,24 @@ class ProtectedUsersTests(KDCBaseTest):
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5)
- def test_rc4_mac_protected(self):
+ def test_rc4_mac_protected_aes256_preauth(self):
client_creds = self._get_creds(
protected=True,
account_type=self.AccountType.COMPUTER)
self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
- expect_error=True, rc4_support=False)
+ preauth_etype=AES256_CTS_HMAC_SHA1_96,
+ rc4_support=False)
+
+ def test_rc4_mac_protected_rc4_preauth(self):
+ client_creds = self._get_creds(
+ protected=True,
+ account_type=self.AccountType.COMPUTER)
+
+ self._test_etype(client_creds, etype=ARCFOUR_HMAC_MD5,
+ preauth_etype=ARCFOUR_HMAC_MD5,
+ expect_error=True, rc4_support=False,
+ expect_edata=False)
def test_aes256_rc4_mac_not_protected(self):
client_creds = self._get_creds(
@@ -1009,7 +1030,10 @@ class ProtectedUsersTests(KDCBaseTest):
expected_error = KDC_ERR_ETYPE_NOSUPP if expect_error else 0
if preauth_etype is None:
- expected_error_mode = expected_error or KDC_ERR_PREAUTH_REQUIRED
+ if expected_error:
+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED, expected_error
+ else:
+ expected_error_mode = KDC_ERR_PREAUTH_REQUIRED
rep, kdc_exchange_dict = self._test_as_exchange(
cname=cname,
@@ -1032,10 +1056,15 @@ class ProtectedUsersTests(KDCBaseTest):
ticket_decryption_key=ticket_decryption_key,
rc4_support=rc4_support,
expect_edata=expect_edata)
- self.check_error_rep(rep, expected_error_mode)
-
- if expect_error:
- return None
+ self.assertIsNotNone(rep)
+ self.assertEqual(KRB_ERROR, rep['msg-type'])
+ error_code = rep['error-code']
+ if expected_error:
+ self.assertIn(error_code, expected_error_mode)
+ if error_code == expected_error:
+ return
+ else:
+ self.assertEqual(expected_error_mode, error_code)
etype_info2 = kdc_exchange_dict['preauth_etype_info2']
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index d55908324acf..c5c42b170bd2 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -442,8 +442,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
# Protected Users tests
#
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_proxiable_as_protected_policy_error.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected.ad_dc
-^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_mac_protected_rc4_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_aes256_preauth.ad_dc
+^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_rc4_protected_rc4_preauth.ad_dc
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_samr_change_password_protected.ad_dc
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_not_protected.ad_dc
^samba.tests.krb5.protected_users_tests.samba.tests.krb5.protected_users_tests.ProtectedUsersTests.test_ts_aes128_mac_protected.ad_dc
--
2.34.1

203
backport-0019-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,203 @@
From fb1f31690d4f2e1498c2f7966543e99a3f239987 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:13:36 +0100
Subject: [PATCH 19/30] CVE-2022-38023 s4:rpc_server/netlogon: add 'server
reject md5 schannel:COMPUTERACCOUNT = no' and 'allow nt4
crypto:COMPUTERACCOUNT = yes'
This makes it more flexible when we change the global default to
'reject md5 servers = yes'.
'allow nt4 crypto = no' is already the default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 69b36541606d7064de9648cd54b35adfdf8f0e8f)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 58 ++++++++++++++++++-
1 file changed, 55 insertions(+), 3 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index bf545adc45a9..a6e4499d5add 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -130,12 +130,48 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
struct netr_ServerAuthenticate3 *r,
struct netlogon_server_pipe_state *pipe_state,
uint32_t negotiate_flags,
+ const char *trust_account_in_db,
NTSTATUS orig_status)
{
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- bool allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
- bool reject_des_client = !allow_nt4_crypto;
- bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
+ bool account_allow_nt4_crypto = global_allow_nt4_crypto;
+ const char *explicit_nt4_opt = NULL;
+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+ bool account_reject_md5_client = global_reject_md5_client;
+ const char *explicit_md5_opt = NULL;
+ bool reject_des_client;
+ bool allow_nt4_crypto;
+ bool reject_md5_client;
+
+ /*
+ * We don't use lpcfg_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+ * adjust the debug messages.
+ */
+
+ if (trust_account_in_db != NULL) {
+ explicit_nt4_opt = lpcfg_get_parametric(lp_ctx,
+ NULL,
+ "allow nt4 crypto",
+ trust_account_in_db);
+ }
+ if (explicit_nt4_opt != NULL) {
+ account_allow_nt4_crypto = lp_bool(explicit_nt4_opt);
+ }
+ allow_nt4_crypto = account_allow_nt4_crypto;
+ if (trust_account_in_db != NULL) {
+ explicit_md5_opt = lpcfg_get_parametric(lp_ctx,
+ NULL,
+ "server reject md5 schannel",
+ trust_account_in_db);
+ }
+ if (explicit_md5_opt != NULL) {
+ account_reject_md5_client = lp_bool(explicit_md5_opt);
+ }
+ reject_md5_client = account_reject_md5_client;
+
+ reject_des_client = !allow_nt4_crypto;
/*
* If weak cryto is disabled, do not announce that we support RC4.
@@ -321,12 +357,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
case SEC_CHAN_NULL:
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_INVALID_PARAMETER);
default:
DEBUG(1, ("Client asked for an invalid secure channel type: %d\n",
r->in.secure_channel_type));
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_INVALID_PARAMETER);
}
@@ -334,6 +372,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (sam_ctx == NULL) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_INVALID_SYSTEM_SERVICE);
}
@@ -365,6 +404,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (encoded_name == NULL) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_MEMORY);
}
@@ -372,12 +412,14 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (len < 2) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
if (require_trailer && encoded_name[len - 1] != trailer) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
encoded_name[len - 1] = '\0';
@@ -398,11 +440,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
encoded_name));
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
if (!NT_STATUS_IS_OK(nt_status)) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
nt_status);
}
@@ -412,11 +456,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (NT_STATUS_EQUAL(nt_status, NT_STATUS_ACCOUNT_DISABLED)) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
if (!NT_STATUS_IS_OK(nt_status)) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
nt_status);
}
@@ -424,6 +470,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (flatname == NULL) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
@@ -431,6 +478,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
if (*trust_account_for_search == NULL) {
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_MEMORY);
}
} else {
@@ -448,6 +496,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
log_escape(mem_ctx, r->in.account_name)));
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_NO_TRUST_SAM_ACCOUNT);
}
@@ -457,6 +506,7 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
log_escape(mem_ctx, r->in.account_name)));
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_INTERNAL_DB_CORRUPTION);
}
@@ -468,11 +518,13 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_helper(
r->in.account_name));
return dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ NULL, /* trust_account_in_db */
NT_STATUS_INTERNAL_DB_CORRUPTION);
}
nt_status = dcesrv_netr_ServerAuthenticate3_check_downgrade(
dce_call, r, pipe_state, negotiate_flags,
+ *trust_account_in_db,
NT_STATUS_OK);
if (!NT_STATUS_IS_OK(nt_status)) {
return nt_status;
--
2.34.1

2148
backport-0020-CVE-2022-37966.patch Normal file
View File

File diff suppressed because it is too large Load Diff

120
backport-0020-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,120 @@
From 41d64ebc813440e809909076c98de25084c4731b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:31:14 +0100
Subject: [PATCH 20/30] CVE-2022-38023 docs-xml/smbdotconf: document "allow nt4
crypto:COMPUTERACCOUNT = no"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit bd429d025981b445bf63935063e8e302bfab3f9b)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/logon/allownt4crypto.xml | 76 +++++++++++++++++++-
1 file changed, 74 insertions(+), 2 deletions(-)
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index 06afcef73b1b..bbd03a42db74 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -1,11 +1,18 @@
<samba:parameter name="allow nt4 crypto"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "no" (which will be
+ the hardcoded behavior in future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
- reject clients which does not support NETLOGON_NEG_STRONG_KEYS
+ reject clients which do not support NETLOGON_NEG_STRONG_KEYS
nor NETLOGON_NEG_SUPPORTS_AES.</para>
<para>This option was added with Samba 4.2.0. It may lock out clients
@@ -18,8 +25,73 @@
<para>"allow nt4 crypto = yes" allows weak crypto to be negotiated, maybe via downgrade attacks.</para>
- <para>This option is over-ridden by the 'reject md5 clients' option.</para>
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink></para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "yes" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
+
+ <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
</description>
<value type="default">no</value>
</samba:parameter>
+
+<samba:parameter name="allow nt4 crypto:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members which required 'allow nt4 crypto = yes',
+ it is possible to specify an explicit exception per computer account
+ by using 'allow nt4 crypto:COMPUTERACCOUNT = yes' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "yes",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
+
+ <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
+
+ <programlisting>
+ allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+ allow nt4 crypto:NASBOX$ = yes
+ allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+ </programlisting>
+</description>
+
+</samba:parameter>
--
2.34.1

282
backport-0021-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,282 @@
From 1a599de882b913f161427a4fa5736dd21d32c1d4 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Wed, 23 Nov 2022 16:05:04 +1300
Subject: [PATCH 21/54] CVE-2022-37966 selftest: Run S4U tests against FL2003
DC
This shows that changes around RC4 encryption types do not break older
functional levels where only RC4 keys are available.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 44802c46b18caf3c7f9f2fb1b66025fc30e22ac5)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/s4u_tests.py | 61 ++++++++++++++++++++++++++--
selftest/knownfail_mit_kdc | 7 ++++
source4/selftest/tests.py | 9 +++-
3 files changed, 71 insertions(+), 6 deletions(-)
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index 84b8160bb931..97d07682ffe3 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -23,7 +23,7 @@ import functools
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
-from samba import ntstatus
+from samba import dsdb, ntstatus
from samba.dcerpc import krb5pac, lsa, security
from samba.tests import env_get_var_value
@@ -766,6 +766,13 @@ class S4UKerberosTests(KDCBaseTest):
# Ensure we used all the parameters given to us.
self.assertEqual({}, kdc_dict)
+ def skip_unless_fl2008(self):
+ samdb = self.get_samdb()
+ functional_level = self.get_domain_functional_level(samdb)
+
+ if functional_level < dsdb.DS_DOMAIN_FUNCTION_2008:
+ self.skipTest('RBCD requires FL2008')
+
def test_constrained_delegation(self):
# Test constrained delegation.
self._run_delegation_test(
@@ -913,6 +920,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_auth_data_required(self):
+ self.skip_unless_fl2008()
+
self._run_delegation_test(
{
'expected_error_mode': 0,
@@ -925,6 +934,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_existing_delegation_info(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation with an existing S4U_DELEGATION_INFO
# structure in the PAC.
@@ -952,6 +963,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_a(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -964,6 +977,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_b(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -979,6 +994,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_service_pac(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the service TGT does not contain a
# PAC.
self._run_delegation_test(
@@ -991,6 +1008,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_no_auth_data_required_a(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -1006,6 +1025,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_client_pac_no_auth_data_required_b(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the client service ticket does not
# contain a PAC, and a non-empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -1024,6 +1045,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_service_pac_no_auth_data_required(self):
+ self.skip_unless_fl2008()
+
# Test constrained delegation when the service TGT does not contain a
# PAC.
self._run_delegation_test(
@@ -1039,6 +1062,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_non_forwardable(self):
+ self.skip_unless_fl2008()
+
# Test resource-based constrained delegation with a non-forwardable
# ticket.
self._run_delegation_test(
@@ -1052,6 +1077,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_pac_options_a(self):
+ self.skip_unless_fl2008()
+
# Test resource-based constrained delegation without the RBCD bit set
# in the PAC options, and an empty msDS-AllowedToDelegateTo attribute.
self._run_delegation_test(
@@ -1063,6 +1090,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_no_pac_options_b(self):
+ self.skip_unless_fl2008()
+
# Test resource-based constrained delegation without the RBCD bit set
# in the PAC options, and a non-empty msDS-AllowedToDelegateTo
# attribute.
@@ -1092,6 +1121,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_bronze_bit_rbcd_old_checksum(self):
+ self.skip_unless_fl2008()
+
# Attempt to modify the ticket without updating the PAC checksums.
self._run_delegation_test(
{
@@ -1141,6 +1172,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_missing_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket without the required checksums.
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
@@ -1161,6 +1194,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_missing_service_checksum(self):
+ self.skip_unless_fl2008()
+
# Present the service's ticket without the required checksums.
for checksum in (krb5pac.PAC_TYPE_SRV_CHECKSUM,
krb5pac.PAC_TYPE_KDC_CHECKSUM):
@@ -1212,6 +1247,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_zeroed_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket with invalid checksums.
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
@@ -1227,6 +1264,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_zeroed_service_checksum(self):
+ self.skip_unless_fl2008()
+
# Present the service's ticket with invalid checksums.
for checksum in self.pac_checksum_types:
with self.subTest(checksum=checksum):
@@ -1302,6 +1341,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_unkeyed_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket with invalid checksums.
for checksum in self.pac_checksum_types:
for ctype in self.unkeyed_ctypes:
@@ -1325,6 +1366,8 @@ class S4UKerberosTests(KDCBaseTest):
})
def test_rbcd_unkeyed_service_checksum(self):
+ self.skip_unless_fl2008()
+
# Present the service's ticket with invalid checksums.
for checksum in self.pac_checksum_types:
for ctype in self.unkeyed_ctypes:
@@ -1354,18 +1397,28 @@ class S4UKerberosTests(KDCBaseTest):
def test_constrained_delegation_rc4_client_checksum(self):
# Present a user ticket with RC4 checksums.
- expected_error_mode = (KDC_ERR_GENERIC,
- KDC_ERR_INAPP_CKSUM)
+ samdb = self.get_samdb()
+ functional_level = self.get_domain_functional_level(samdb)
+
+ if functional_level >= dsdb.DS_DOMAIN_FUNCTION_2008:
+ expected_error_mode = (KDC_ERR_GENERIC,
+ KDC_ERR_INAPP_CKSUM)
+ expect_edata = False
+ else:
+ expected_error_mode = 0
+ expect_edata = None
self._run_delegation_test(
{
'expected_error_mode': expected_error_mode,
'allow_delegation': True,
'modify_client_tkt_fn': self.rc4_pac_checksums,
- 'expect_edata': False,
+ 'expect_edata': expect_edata,
})
def test_rbcd_rc4_client_checksum(self):
+ self.skip_unless_fl2008()
+
# Present a user ticket with RC4 checksums.
expected_error_mode = (KDC_ERR_GENERIC,
KDC_ERR_BADOPTION)
diff --git a/selftest/knownfail_mit_kdc b/selftest/knownfail_mit_kdc
index 223df5602ca1..ed24afcd0034 100644
--- a/selftest/knownfail_mit_kdc
+++ b/selftest/knownfail_mit_kdc
@@ -1074,3 +1074,10 @@ samba.tests.krb5.as_canonicalization_tests.samba.tests.krb5.as_canonicalization_
#
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.ad_dc
^samba.tests.krb5.compatability_tests.samba.tests.krb5.compatability_tests.SimpleKerberosTests.test_full_signature.fl2003dc
+#
+# S4U tests
+#
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_authentication_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_rc4_client_checksum.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_constrained_delegation_service_asserted_identity.fl2003dc:local
+^samba.tests.krb5.s4u_tests.samba.tests.krb5.s4u_tests.S4UKerberosTests.test_s4u2self_asserted_identity.fl2003dc:local
diff --git a/source4/selftest/tests.py b/source4/selftest/tests.py
index ac8a40ea6bc1..c6bf668aa9cb 100755
--- a/source4/selftest/tests.py
+++ b/source4/selftest/tests.py
@@ -1040,8 +1040,13 @@ krb5_environ = {
planoldpythontestsuite("none", "samba.tests.krb5.kcrypto")
planoldpythontestsuite("ad_dc_default", "samba.tests.krb5.simple_tests",
environ=krb5_environ)
-planoldpythontestsuite("ad_dc_default:local", "samba.tests.krb5.s4u_tests",
- environ=krb5_environ)
+for env, fast_support in [("ad_dc_default:local", True),
+ ("fl2003dc:local", False)]:
+ planoldpythontestsuite(env, "samba.tests.krb5.s4u_tests",
+ environ={
+ **krb5_environ,
+ 'FAST_SUPPORT': int(fast_support),
+ })
planoldpythontestsuite("rodc:local", "samba.tests.krb5.rodc_tests",
environ=krb5_environ)
--
2.34.1

177
backport-0021-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,177 @@
From 7f5e36250fa7121435f315cffa7b7059d3fe40a8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 14:02:11 +0100
Subject: [PATCH 21/30] CVE-2022-38023 docs-xml/smbdotconf: document "server
reject md5 schannel:COMPUTERACCOUNT"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 2ad302b42254e3c2800aaf11669fe2e6d55fa8a1)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/logon/allownt4crypto.xml | 13 ++-
.../smbdotconf/logon/rejectmd5clients.xml | 96 ++++++++++++++++++-
2 files changed, 103 insertions(+), 6 deletions(-)
diff --git a/docs-xml/smbdotconf/logon/allownt4crypto.xml b/docs-xml/smbdotconf/logon/allownt4crypto.xml
index bbd03a42db74..ee63e6cc2453 100644
--- a/docs-xml/smbdotconf/logon/allownt4crypto.xml
+++ b/docs-xml/smbdotconf/logon/allownt4crypto.xml
@@ -45,7 +45,9 @@
in order to collect the explicit
'<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>' options.</para>
- <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
</description>
<value type="default">no</value>
@@ -85,12 +87,19 @@
<para>This option overrides the <smbconfoption name="allow nt4 crypto"/> option.</para>
- <para>This option is over-ridden by the '<smbconfoption name="reject md5 clients">yes</smbconfoption>' option.</para>
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="reject md5 clients"/>' options.</para>
+ <para>Which means '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">yes</smbconfoption>'
+ is only useful in combination with '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'</para>
<programlisting>
allow nt4 crypto:LEGACYCOMPUTER1$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
allow nt4 crypto:NASBOX$ = yes
+ server reject md5 schannel:NASBOX$ = no
allow nt4 crypto:LEGACYCOMPUTER2$ = yes
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
</programlisting>
</description>
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index edcbe02e99a3..fe7701d92772 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -1,8 +1,15 @@
<samba:parameter name="reject md5 clients"
context="G"
type="boolean"
+ deprecated="1"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
+ <para>
+ This option is deprecated and will be removed in a future release,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in the future).
+ </para>
+
<para>This option controls whether the netlogon server (currently
only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
@@ -10,13 +17,94 @@
<para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
starting with Server 2008R2 and Windows 7, it's available in Samba
starting with 4.0, however third party domain members like NetApp ONTAP
- still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
+ still uses RC4 (HMAC-MD5), see
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">https://www.samba.org/samba/security/CVE-2022-38023.html</ulink>
+ for more details.
+ </para>
+
+ <para>The default changed from 'no' to 'yes', with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para><emphasis>Avoid using this option!</emphasis> Use an explicit per machine account
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
- <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
- see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
- <para>This option overrides the 'allow nt4 crypto' option.</para>
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server reject md5 schannel:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
</description>
<value type="default">yes</value>
</samba:parameter>
+
+<samba:parameter name="server reject md5 schannel:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>If you still have legacy domain members or trusted domains,
+ which required "reject md5 clients = no" before,
+ it is possible to specify an explicit exception per computer account
+ by setting 'server reject md5 schannel:COMPUTERACCOUNT = no'.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will log a warning in the log files at log level 5
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>This option overrides the <smbconfoption name="reject md5 clients"/> option.</para>
+
+ <para>When set to 'yes' this option overrides the
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="allow nt4 crypto"/>' options and implies
+ '<smbconfoption name="allow nt4 crypto:COMPUTERACCOUNT">no</smbconfoption>'.
+ </para>
+
+ <programlisting>
+ server reject md5 schannel:LEGACYCOMPUTER1$ = no
+ server reject md5 schannel:NASBOX$ = no
+ server reject md5 schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
--
2.34.1

1289
backport-0022-CVE-2022-37966.patch Normal file
View File

File diff suppressed because it is too large Load Diff

216
backport-0022-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,216 @@
From 3c9bb4c8d233909e825818f7975d734824465d50 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 13:13:36 +0100
Subject: [PATCH 22/30] CVE-2022-38023 s4:rpc_server/netlogon: debug 'reject
md5 servers' and 'allow nt4 crypto' misconfigurations
This allows the admin to notice what's wrong in order to adjust the
configuration if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 43df4be35950f491864ae8ada05d51b42a556381)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 143 ++++++++++++++++++
1 file changed, 143 insertions(+)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index a6e4499d5add..ec5807ef22af 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -64,10 +64,34 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
const struct dcesrv_interface *iface)
{
struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+ bool global_allow_nt4_crypto = lpcfg_allow_nt4_crypto(lp_ctx);
+ bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
int schannel = lpcfg_server_schannel(lp_ctx);
bool schannel_global_required = (schannel == true);
+ static bool warned_global_nt4_once = false;
+ static bool warned_global_md5_once = false;
static bool warned_global_schannel_once = false;
+ if (global_allow_nt4_crypto && !warned_global_nt4_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ D_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'allow nt4 crypto = no' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_nt4_once = true;
+ }
+
+ if (!global_reject_md5_client && !warned_global_md5_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ D_ERR("CVE-2022-38023: "
+ "Please configure 'reject md5 clients = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_md5_once = true;
+ }
+
if (!schannel_global_required && !warned_global_schannel_once) {
/*
* We want admins to notice their misconfiguration!
@@ -143,6 +167,12 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
bool reject_des_client;
bool allow_nt4_crypto;
bool reject_md5_client;
+ bool need_des = true;
+ bool need_md5 = true;
+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
/*
* We don't use lpcfg_parm_bool(), as we
@@ -183,19 +213,84 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
}
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
+ need_des = false;
reject_des_client = false;
}
if (negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
+ need_des = false;
+ need_md5 = false;
reject_des_client = false;
reject_md5_client = false;
}
if (reject_des_client || reject_md5_client) {
+ TALLOC_CTX *frame = talloc_stackframe();
+
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ if (CVE_2022_38023_error_level < DBGLVL_NOTICE) {
+ CVE_2022_38023_error_level = DBGLVL_NOTICE;
+ }
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: "
+ "client_account[%s] computer_name[%s] "
+ "schannel_type[%u] "
+ "client_negotiate_flags[0x%x] "
+ "%s%s%s "
+ "NT_STATUS_DOWNGRADE_DETECTED "
+ "WEAK_CRYPTO_DISALLOWED\n",
+ log_escape(frame, r->in.account_name),
+ log_escape(frame, r->in.computer_name),
+ r->in.secure_channel_type,
+ (unsigned)*r->in.negotiate_flags,
+ trust_account_in_db ? "real_account[" : "",
+ trust_account_in_db ? trust_account_in_db : "",
+ trust_account_in_db ? "]" : ""));
+ goto return_downgrade;
+ }
+
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: "
+ "client_account[%s] computer_name[%s] "
+ "schannel_type[%u] "
+ "client_negotiate_flags[0x%x] "
+ "%s%s%s "
+ "NT_STATUS_DOWNGRADE_DETECTED "
+ "reject_des[%u] reject_md5[%u]\n",
+ log_escape(frame, r->in.account_name),
+ log_escape(frame, r->in.computer_name),
+ r->in.secure_channel_type,
+ (unsigned)*r->in.negotiate_flags,
+ trust_account_in_db ? "real_account[" : "",
+ trust_account_in_db ? trust_account_in_db : "",
+ trust_account_in_db ? "]" : "",
+ reject_des_client,
+ reject_md5_client));
+ if (trust_account_in_db == NULL) {
+ goto return_downgrade;
+ }
+
+ if (reject_md5_client && explicit_md5_opt == NULL) {
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'server reject md5 schannel:%s = no' "
+ "might be needed for a legacy client.\n",
+ trust_account_in_db));
+ }
+ if (reject_des_client && explicit_nt4_opt == NULL) {
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'allow nt4 crypto:%s = yes' "
+ "might be needed for a legacy client.\n",
+ trust_account_in_db));
+ }
+
+return_downgrade:
/*
* Here we match Windows 2012 and return no flags.
*/
*r->out.negotiate_flags = 0;
+ TALLOC_FREE(frame);
return NT_STATUS_DOWNGRADE_DETECTED;
}
@@ -228,6 +323,54 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
*/
*r->out.negotiate_flags = negotiate_flags;
+ if (!NT_STATUS_IS_OK(orig_status) || trust_account_in_db == NULL) {
+ return orig_status;
+ }
+
+ if (global_reject_md5_client && account_reject_md5_client && explicit_md5_opt) {
+ D_INFO("CVE-2022-38023: Check if option "
+ "'server reject md5 schannel:%s = yes' not needed!?\n",
+ trust_account_in_db);
+ } else if (need_md5 && !account_reject_md5_client && explicit_md5_opt) {
+ D_INFO("CVE-2022-38023: Check if option "
+ "'server reject md5 schannel:%s = no' "
+ "still needed for a legacy client.\n",
+ trust_account_in_db);
+ } else if (need_md5 && explicit_md5_opt == NULL) {
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'server reject md5 schannel:%s = no' "
+ "might be needed for a legacy client.\n",
+ trust_account_in_db));
+ } else if (!account_reject_md5_client && explicit_md5_opt) {
+ DEBUG(CVE_2022_38023_warn_level, (
+ "CVE-2022-38023: Check if option "
+ "'server reject md5 schannel:%s = no' not needed!?\n",
+ trust_account_in_db));
+ }
+
+ if (!global_allow_nt4_crypto && !account_allow_nt4_crypto && explicit_nt4_opt) {
+ D_INFO("CVE-2022-38023: Check if option "
+ "'allow nt4 crypto:%s = no' not needed!?\n",
+ trust_account_in_db);
+ } else if (need_des && account_allow_nt4_crypto && explicit_nt4_opt) {
+ D_INFO("CVE-2022-38023: Check if option "
+ "'allow nt4 crypto:%s = yes' "
+ "still needed for a legacy client.\n",
+ trust_account_in_db);
+ } else if (need_des && explicit_nt4_opt == NULL) {
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'allow nt4 crypto:%s = yes' "
+ "might be needed for a legacy client.\n",
+ trust_account_in_db));
+ } else if (account_allow_nt4_crypto && explicit_nt4_opt) {
+ DEBUG(CVE_2022_38023_warn_level, (
+ "CVE-2022-38023: Check if option "
+ "'allow nt4 crypto:%s = yes' not needed!?\n",
+ trust_account_in_db));
+ }
+
return orig_status;
}
--
2.34.1

41
backport-0023-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,41 @@
From bf3f8c462bf8a33c5bc1e4d3dae3eb4bab792252 Mon Sep 17 00:00:00 2001
From: Joseph Sutton <josephsutton@catalyst.net.nz>
Date: Tue, 22 Nov 2022 11:32:34 +1300
Subject: [PATCH 23/54] CVE-2022-37966 kdc: Assume trust objects support AES by
default
As part of matching the behaviour of Windows, assume that trust objects
support AES256, but not RC4, if not specified otherwise.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4bb50c868c8ed14372cb7d27e53cdaba265fc33d)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/kdc/db-glue.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index e8a293633ce8..d1ba6b77840c 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1597,9 +1597,10 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
ZERO_STRUCTP(entry);
if (dsdb_functional_level(kdc_db_ctx->samdb) >= DS_DOMAIN_FUNCTION_2008) {
+ /* If not told otherwise, Windows now assumes that trusts support AES. */
supported_enctypes = ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
- supported_enctypes);
+ ENC_HMAC_SHA1_96_AES256);
}
status = dsdb_trust_parse_tdo_info(mem_ctx, msg, &tdo);
--
2.34.1

137
backport-0023-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,137 @@
From a87adec3f25bdbdcec2955ab32f55605d3e472d2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:57:20 +0100
Subject: [PATCH 23/30] CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4
crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow legacy tests for pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++-----
1 file changed, 53 insertions(+), 7 deletions(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index d0e5a53d9fb3..3328cf617225 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1609,7 +1609,6 @@ sub provision_ad_dc_ntvfs($$$)
my $extra_conf_options = "netbios aliases = localDC1-a
server services = +winbind -winbindd
ldap server require strong auth = allow_sasl_over_tls
- allow nt4 crypto = yes
raw NTLMv2 auth = yes
lsa over netlogon = yes
rpc server port = 1027
@@ -1621,9 +1620,19 @@ sub provision_ad_dc_ntvfs($$$)
client min protocol = CORE
server min protocol = LANMAN1
- reject md5 clients = no
-
CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ allow nt4 crypto:torturetest\$ = yes
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
server require schannel:schannel2\$ = no
@@ -1678,6 +1687,13 @@ sub provision_fl2000dc($$)
kdc enable fast = no
spnego:simulate_w2k=yes
ntlmssp_server:force_old_spnego=yes
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
";
my $extra_provision_options = ["--base-schema=2008_R2"];
# This environment uses plain text secrets
@@ -1718,11 +1734,23 @@ sub provision_fl2003dc($$$)
my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2");
print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
- my $extra_conf_options = "allow dns updates = nonsecure and secure
+ my $extra_conf_options = "
+ allow dns updates = nonsecure and secure
+
kdc enable fast = no
dcesrv:header signing = no
dcesrv:max auth states = 0
- dns forwarder = $ip_addr1 [$ip_addr2]:54";
+
+ dns forwarder = $ip_addr1 [$ip_addr2]:54
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+";
+
my $extra_provision_options = ["--base-schema=2008_R2"];
my $ret = $self->provision($prefix,
"domain controller",
@@ -1777,6 +1805,13 @@ sub provision_fl2008r2dc($$$)
ldap server require strong auth = no
# delay by 10 seconds, 10^7 usecs
ldap_server:delay_expire_disconnect = 10000
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
";
my $extra_provision_options = ["--base-schema=2008_R2"];
my $ret = $self->provision($prefix,
@@ -1988,9 +2023,20 @@ sub provision_ad_dc($$$$$$$)
lpq cache time = 0
print notify backchannel = yes
- reject md5 clients = no
-
CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ CVE_2022_38023:error_debug_level = 2
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+ server reject md5 schannel:samlogontest\$ = no
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
server require schannel:schannel2\$ = no
--
2.34.1

34
backport-0024-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,34 @@
From 757be0ca60a35e174b7ffb89afb907e4857f734f Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Sun, 4 Dec 2022 21:05:39 +0100
Subject: [PATCH 24/54] CVE-2022-37966 s4:kdc: also limit the krbtgt history to
their strongest keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 6b46b764fc5760d3bf83bb1ea5fa398d993cf68d)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/kdc/db-glue.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index d1ba6b77840c..c706898e29b9 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1518,6 +1518,8 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
if (entry->etypes != NULL) {
entry->etypes->len = 1;
}
+ entry->old_keys.len = MIN(entry->old_keys.len, 1);
+ entry->older_keys.len = MIN(entry->older_keys.len, 1);
}
#endif
} else if (kdc_db_ctx->rodc) {
--
2.34.1

170
backport-0024-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,170 @@
From b13741426ca871ccf060b346b33847149af53189 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 16:57:24 +0100
Subject: [PATCH 24/30] CVE-2022-38023 s4:rpc_server/netlogon: split out
dcesrv_netr_check_schannel() function
This will allow us to reuse the function in other places.
As it will also get some additional checks soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f43dc4f0bd60d4e127b714565147f82435aa4f07)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 84 +++++++++++--------
1 file changed, 51 insertions(+), 33 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index ec5807ef22af..64d75c514f32 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -877,18 +877,11 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
}
-/*
- * NOTE: The following functions are nearly identical to the ones available in
- * source3/rpc_server/srv_nelog_nt.c
- * The reason we keep 2 copies is that they use different structures to
- * represent the auth_info and the decrpc pipes.
- */
-static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
- TALLOC_CTX *mem_ctx,
- const char *computer_name,
- struct netr_Authenticator *received_authenticator,
- struct netr_Authenticator *return_authenticator,
- struct netlogon_creds_CredentialState **creds_out)
+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
+ const struct netlogon_creds_CredentialState *creds,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ uint16_t opnum)
{
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
TALLOC_CTX *frame = talloc_stackframe();
@@ -897,15 +890,11 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
bool schannel_global_required = (schannel == true);
bool schannel_required = schannel_global_required;
const char *explicit_opt = NULL;
- struct netlogon_creds_CredentialState *creds = NULL;
int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
unsigned int dbg_lvl = DBGLVL_DEBUG;
- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
- uint16_t opnum = dce_call->pkt.u.request.opnum;
const char *opname = "<unknown>";
const char *reason = "<unknown>";
@@ -913,8 +902,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
opname = ndr_table_netlogon.calls[opnum].name;
}
- dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
-
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
reason = "WITH SEALED";
@@ -927,17 +914,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
reason = "WITHOUT";
}
- nt_status = schannel_check_creds_state(mem_ctx,
- lp_ctx,
- computer_name,
- received_authenticator,
- return_authenticator,
- &creds);
- if (!NT_STATUS_IS_OK(nt_status)) {
- ZERO_STRUCTP(return_authenticator);
- return nt_status;
- }
-
/*
* We don't use lpcfg_parm_bool(), as we
* need the explicit_opt pointer in order to
@@ -977,7 +953,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
log_escape(frame, creds->computer_name)));
}
- *creds_out = creds;
TALLOC_FREE(frame);
return nt_status;
}
@@ -1011,8 +986,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
"might be needed for a legacy client.\n",
log_escape(frame, creds->account_name)));
}
- TALLOC_FREE(creds);
- ZERO_STRUCTP(return_authenticator);
TALLOC_FREE(frame);
return nt_status;
}
@@ -1056,11 +1029,56 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
log_escape(frame, creds->computer_name)));
}
- *creds_out = creds;
TALLOC_FREE(frame);
return NT_STATUS_OK;
}
+/*
+ * NOTE: The following functions are nearly identical to the ones available in
+ * source3/rpc_server/srv_nelog_nt.c
+ * The reason we keep 2 copies is that they use different structures to
+ * represent the auth_info and the decrpc pipes.
+ */
+static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dce_call,
+ TALLOC_CTX *mem_ctx,
+ const char *computer_name,
+ struct netr_Authenticator *received_authenticator,
+ struct netr_Authenticator *return_authenticator,
+ struct netlogon_creds_CredentialState **creds_out)
+{
+ NTSTATUS nt_status;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
+
+ nt_status = schannel_check_creds_state(mem_ctx,
+ dce_call->conn->dce_ctx->lp_ctx,
+ computer_name,
+ received_authenticator,
+ return_authenticator,
+ &creds);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ ZERO_STRUCTP(return_authenticator);
+ return nt_status;
+ }
+
+ nt_status = dcesrv_netr_check_schannel(dce_call,
+ creds,
+ auth_type,
+ auth_level,
+ dce_call->pkt.u.request.opnum);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ TALLOC_FREE(creds);
+ ZERO_STRUCTP(return_authenticator);
+ return nt_status;
+ }
+
+ *creds_out = creds;
+ return NT_STATUS_OK;
+}
+
/*
Change the machine account password for the currently connected
client. Supplies only the NT#.
--
2.34.1

43
backport-0025-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,43 @@
From a8a1c63c1fb37d500103e92199e149e0c7c2ecfa Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:12:14 +0100
Subject: [PATCH 25/54] CVE-2022-37966 wafsamba: add support for
CHECK_VARIABLE(mandatory=True)
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9da028c46f70db60a80d47f5dadbec194510211f)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
buildtools/wafsamba/samba_autoconf.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/buildtools/wafsamba/samba_autoconf.py b/buildtools/wafsamba/samba_autoconf.py
index 3ca2f3341901..834acb70097b 100644
--- a/buildtools/wafsamba/samba_autoconf.py
+++ b/buildtools/wafsamba/samba_autoconf.py
@@ -185,7 +185,8 @@ def CHECK_TYPE_IN(conf, t, headers=None, alternate=None, define=None, cflags='')
@conf
def CHECK_VARIABLE(conf, v, define=None, always=False,
- headers=None, msg=None, lib=None):
+ headers=None, msg=None, lib=None,
+ mandatory=False):
'''check for a variable declaration (or define)'''
if define is None:
define = 'HAVE_%s' % v.upper()
@@ -209,6 +210,7 @@ def CHECK_VARIABLE(conf, v, define=None, always=False,
lib=lib,
headers=headers,
define=define,
+ mandatory=mandatory,
always=always)
--
2.34.1

85
backport-0025-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,85 @@
From 953b8052a1f61fe5cdd81896d0101acf47ead205 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 17:15:36 +0100
Subject: [PATCH 25/30] CVE-2022-38023 s4:rpc_server/netlogon: make sure all
dcesrv_netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
which are also required for dcesrv_netr_LogonSamLogonEx().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 689507457f5e6666488732f91a355a2183fb1662)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 36 +++++++++++++++----
1 file changed, 29 insertions(+), 7 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 64d75c514f32..a9b16e5c42a3 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -1401,6 +1401,35 @@ static NTSTATUS dcesrv_netr_LogonSamLogon_base_call(struct dcesrv_netr_LogonSamL
struct auth_usersupplied_info *user_info = NULL;
NTSTATUS nt_status;
struct tevent_req *subreq = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+
+ dcesrv_call_auth_info(dce_call, &auth_type, &auth_level);
+
+ switch (dce_call->pkt.u.request.opnum) {
+ case NDR_NETR_LOGONSAMLOGON:
+ case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
+ /*
+ * These already called dcesrv_netr_check_schannel()
+ * via dcesrv_netr_creds_server_step_check()
+ */
+ break;
+ case NDR_NETR_LOGONSAMLOGONEX:
+ default:
+ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ nt_status = dcesrv_netr_check_schannel(dce_call,
+ creds,
+ auth_type,
+ auth_level,
+ dce_call->pkt.u.request.opnum);
+ if (!NT_STATUS_IS_OK(nt_status)) {
+ return nt_status;
+ }
+ break;
+ }
*r->out.authoritative = 1;
@@ -1749,7 +1778,6 @@ static void dcesrv_netr_LogonSamLogon_base_reply(
static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call, TALLOC_CTX *mem_ctx,
struct netr_LogonSamLogonEx *r)
{
- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
struct dcesrv_netr_LogonSamLogon_base_state *state;
NTSTATUS nt_status;
@@ -1787,12 +1815,6 @@ static NTSTATUS dcesrv_netr_LogonSamLogonEx(struct dcesrv_call_state *dce_call,
return nt_status;
}
- dcesrv_call_auth_info(dce_call, &auth_type, NULL);
-
- if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- return NT_STATUS_ACCESS_DENIED;
- }
-
nt_status = dcesrv_netr_LogonSamLogon_base_call(state);
if (dce_call->state_flags & DCESRV_CALL_STATE_FLAG_ASYNC) {
--
2.34.1

39
backport-0026-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,39 @@
From d71406984c7777968c20cbad7963ea606e1b8755 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:12:47 +0100
Subject: [PATCH 26/54] CVE-2022-37966 system_mitkrb5: require support for aes
enctypes
This will never fail as we already require a version that supports aes,
but this makes it clearer.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a80f8e1b826ee3f9bbb22752464a73b97c2a612d)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
wscript_configure_system_mitkrb5 | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/wscript_configure_system_mitkrb5 b/wscript_configure_system_mitkrb5
index b06406542607..9b18d5d9d820 100644
--- a/wscript_configure_system_mitkrb5
+++ b/wscript_configure_system_mitkrb5
@@ -180,8 +180,8 @@ conf.CHECK_VARIABLE('AP_OPTS_USE_SUBKEY', headers='krb5.h', lib='krb5')
conf.CHECK_VARIABLE('KV5M_KEYTAB', headers='krb5.h', lib='krb5')
conf.CHECK_VARIABLE('KRB5_KU_OTHER_CKSUM', headers='krb5.h', lib='krb5')
conf.CHECK_VARIABLE('KRB5_KEYUSAGE_APP_DATA_CKSUM', headers='krb5.h', lib='krb5')
-conf.CHECK_VARIABLE('ENCTYPE_AES128_CTS_HMAC_SHA1_96', headers='krb5.h', lib='krb5')
-conf.CHECK_VARIABLE('ENCTYPE_AES256_CTS_HMAC_SHA1_96', headers='krb5.h', lib='krb5')
+conf.CHECK_VARIABLE('ENCTYPE_AES128_CTS_HMAC_SHA1_96', headers='krb5.h', lib='krb5', mandatory=True)
+conf.CHECK_VARIABLE('ENCTYPE_AES256_CTS_HMAC_SHA1_96', headers='krb5.h', lib='krb5', mandatory=True)
conf.CHECK_DECLS('KRB5_PDU_NONE', reverse=True, headers='krb5.h', lib='krb5')
conf.CHECK_STRUCTURE_MEMBER('krb5_keytab_entry', 'key',
headers='krb5.h',
--
2.34.1

257
backport-0026-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,257 @@
From fa1144918cac0be0a31fc886ee2fd6c20ce636c4 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 16:53:35 +0100
Subject: [PATCH 26/30] CVE-2022-38023 docs-xml/smbdotconf: add "server
schannel require seal[:COMPUTERACCOUNT]" options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7732a4b0bde1d9f98a0371f17d22648495329470)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
.../smbdotconf/security/serverschannel.xml | 43 ++++++-
.../security/serverschannelrequireseal.xml | 118 ++++++++++++++++++
lib/param/loadparm.c | 1 +
source3/param/loadparm.c | 1 +
4 files changed, 157 insertions(+), 6 deletions(-)
create mode 100644 docs-xml/smbdotconf/security/serverschannelrequireseal.xml
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml
index 394ffdc36fbd..5c69f0f64dfb 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -12,19 +12,37 @@
the hardcoded behavior in future).
</para>
- <para>
- Samba will complain in the log files at log level 0,
- about the security problem if the option is not set to "yes".
+ <para><emphasis>Avoid using this option!</emphasis> Use explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' instead!
</para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2020_1472:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
<para>
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
+ This allows admins to use "auto" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>' options.
</para>
- <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
</para>
<para>This option is over-ridden by the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para>
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
+
</description>
<value type="default">yes</value>
@@ -48,6 +66,9 @@
about the security problem if the option is not set to "no",
but the related computer is actually using the netlogon
secure channel (schannel) feature.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2020_1472:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
</para>
<para>
@@ -56,15 +77,25 @@
</para>
<para>
- See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497
+ See <ulink url="https://www.samba.org/samba/security/CVE-2020-1472.html">CVE-2020-1472(ZeroLogon)</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=14497">https://bugzilla.samba.org/show_bug.cgi?id=14497</ulink>.
</para>
<para>This option overrides the <smbconfoption name="server schannel"/> option.</para>
+ <para>This option is over-ridden by the effective value of 'yes' from
+ the '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>'
+ and/or '<smbconfoption name="server schannel require seal"/>' options.</para>
+ <para>Which means '<smbconfoption name="server require schannel:COMPUTERACCOUNT">no</smbconfoption>'
+ is only useful in combination with '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'</para>
+
<programlisting>
server require schannel:LEGACYCOMPUTER1$ = no
+ server require schannel seal:LEGACYCOMPUTER1$ = no
server require schannel:NASBOX$ = no
+ server require schannel seal:NASBOX$ = no
server require schannel:LEGACYCOMPUTER2$ = no
+ server require schannel seal:LEGACYCOMPUTER2$ = no
</programlisting>
</description>
diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
new file mode 100644
index 000000000000..d4620d1252dd
--- /dev/null
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -0,0 +1,118 @@
+<samba:parameter name="server schannel require seal"
+ context="G"
+ type="boolean"
+ deprecated="1"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in future).
+ </para>
+
+ <para>
+ This option controls whether the netlogon server (currently
+ only in 'active directory domain controller' mode), will
+ reject the usage of netlogon secure channel without privacy/enryption.
+ </para>
+
+ <para>
+ The option is modelled after the registry key available on Windows.
+ </para>
+
+ <programlisting>
+ HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters\RequireSeal=2
+ </programlisting>
+
+ <para>
+ <emphasis>Avoid using this option!</emphasis> Use the per computer account specific option
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/>' instead!
+ Which is available with the patches for
+ <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>
+ see <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ Samba will log an error in the log files at log level 0
+ if legacy a client is rejected or allowed without an explicit,
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' option
+ for the client. The message will indicate
+ the explicit '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>'
+ line to be added, if the legacy client software requires it. (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:error_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>This allows admins to use "no" only for a short grace period,
+ in order to collect the explicit
+ '<smbconfoption name="server schannel require seal:COMPUTERACCOUNT">no</smbconfoption>' options.</para>
+
+ <para>
+ When set to 'yes' this option overrides the
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="server schannel"/>' options and implies
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+ </para>
+
+ <para>
+ This option is over-ridden by the <smbconfoption name="server schannel require seal:COMPUTERACCOUNT"/> option.
+ </para>
+
+</description>
+
+<value type="default">yes</value>
+</samba:parameter>
+
+<samba:parameter name="server schannel require seal:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+
+ <para>
+ If you still have legacy domain members, which required "server schannel require seal = no" before,
+ it is possible to specify explicit exception per computer account
+ by using 'server schannel require seal:COMPUTERACCOUNT = no' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will log a complaint in the log files at log level 0
+ about the security problem if the option is set to "no",
+ but the related computer does not require it.
+ (The log level can be adjusted with
+ '<smbconfoption name="CVE_2022_38023:warn_about_unused_debug_level">1</smbconfoption>'
+ in order to complain only at a higher log level).
+ </para>
+
+ <para>
+ Samba will warn in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See <ulink url="https://www.samba.org/samba/security/CVE-2022-38023.html">CVE-2022-38023</ulink>,
+ <ulink url="https://bugzilla.samba.org/show_bug.cgi?id=15240">https://bugzilla.samba.org/show_bug.cgi?id=15240</ulink>.
+ </para>
+
+ <para>
+ This option overrides the '<smbconfoption name="server schannel require seal"/>' option.
+ </para>
+
+ <para>
+ When set to 'yes' this option overrides the
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT"/>' and
+ '<smbconfoption name="server schannel"/>' options and implies
+ '<smbconfoption name="server require schannel:COMPUTERACCOUNT">yes</smbconfoption>'.
+ </para>
+
+ <programlisting>
+ server require schannel seal:LEGACYCOMPUTER1$ = no
+ server require schannel seal:NASBOX$ = no
+ server require schannel seal:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index e509cf85bb89..1dcc8061fa21 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
+ lpcfg_do_global_parameter(lp_ctx, "server schannel require seal", "True");
lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index c88d241bcf78..9bb5f4cf8cb3 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -668,6 +668,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.require_strong_key = true;
Globals.reject_md5_servers = true;
Globals.server_schannel = true;
+ Globals.server_schannel_require_seal = true;
Globals.reject_md5_clients = true;
Globals.read_raw = true;
Globals.write_raw = true;
--
2.34.1

40
backport-0027-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,40 @@
From 19e5a1362ee5349fe1c1020b921b935c10594af5 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:16:51 +0100
Subject: [PATCH 27/54] CVE-2022-37966 lib/krb5_wrap: remove unused ifdef
HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c9b10ee32c7e91521d024477a28fb7a622e4eb04)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
lib/krb5_wrap/krb5_samba.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index 2873c3864107..a792445e2e0f 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3801,12 +3801,8 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
krb5_ccache ccdef = NULL;
krb5_auth_context auth_context = NULL;
krb5_enctype enc_types[] = {
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-#endif
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
ENCTYPE_ARCFOUR_HMAC,
ENCTYPE_DES_CBC_MD5,
ENCTYPE_DES_CBC_CRC,
--
2.34.1

305
backport-0027-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,305 @@
From a29e855c113c5af16ea9d108c1ee0f869d5f0f3e Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 2 Dec 2022 14:31:26 +0100
Subject: [PATCH 27/30] CVE-2022-38023 s4:rpc_server/netlogon: add a per
connection cache to dcesrv_netr_check_schannel()
It's enough to warn the admin once per connection.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 3c57608e1109c1d6e8bb8fbad2ef0b5d79d00e1a)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 193 ++++++++++++++----
1 file changed, 153 insertions(+), 40 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index a9b16e5c42a3..45dcec133fb3 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -877,23 +877,105 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate2(struct dcesrv_call_state *dce_ca
return dcesrv_netr_ServerAuthenticate3(dce_call, mem_ctx, &r3);
}
-static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
- const struct netlogon_creds_CredentialState *creds,
- enum dcerpc_AuthType auth_type,
- enum dcerpc_AuthLevel auth_level,
- uint16_t opnum)
+struct dcesrv_netr_check_schannel_state {
+ struct dom_sid account_sid;
+ enum dcerpc_AuthType auth_type;
+ enum dcerpc_AuthLevel auth_level;
+
+ bool schannel_global_required;
+ bool schannel_required;
+ bool schannel_explicitly_set;
+
+ NTSTATUS result;
+};
+
+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call,
+ const struct netlogon_creds_CredentialState *creds,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ struct dcesrv_netr_check_schannel_state **_s)
{
struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
- TALLOC_CTX *frame = talloc_stackframe();
- NTSTATUS nt_status;
int schannel = lpcfg_server_schannel(lp_ctx);
bool schannel_global_required = (schannel == true);
bool schannel_required = schannel_global_required;
const char *explicit_opt = NULL;
+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
+ struct dcesrv_netr_check_schannel_state *s = NULL;
+ NTSTATUS status;
+
+ *_s = NULL;
+
+ s = dcesrv_iface_state_find_conn(dce_call,
+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+ struct dcesrv_netr_check_schannel_state);
+ if (s != NULL) {
+ if (!dom_sid_equal(&s->account_sid, creds->sid)) {
+ goto new_state;
+ }
+ if (s->auth_type != auth_type) {
+ goto new_state;
+ }
+ if (s->auth_level != auth_level) {
+ goto new_state;
+ }
+
+ *_s = s;
+ return NT_STATUS_OK;
+ }
+
+new_state:
+ TALLOC_FREE(s);
+ s = talloc_zero(dce_call,
+ struct dcesrv_netr_check_schannel_state);
+ if (s == NULL) {
+ return NT_STATUS_NO_MEMORY;
+ }
+
+ s->account_sid = *creds->sid;
+ s->auth_type = auth_type;
+ s->auth_level = auth_level;
+ s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
+
+ /*
+ * We don't use lpcfg_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+ * adjust the debug messages.
+ */
+ explicit_opt = lpcfg_get_parametric(lp_ctx,
+ NULL,
+ "server require schannel",
+ creds->account_name);
+ if (explicit_opt != NULL) {
+ schannel_required = lp_bool(explicit_opt);
+ }
+
+ s->schannel_global_required = schannel_global_required;
+ s->schannel_required = schannel_required;
+ s->schannel_explicitly_set = explicit_opt != NULL;
+
+ status = dcesrv_iface_state_store_conn(dce_call,
+ DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+ s);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ *_s = s;
+ return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call,
+ struct dcesrv_netr_check_schannel_state *s,
+ const struct netlogon_creds_CredentialState *creds,
+ uint16_t opnum)
+{
+ struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+ TALLOC_CTX *frame = talloc_stackframe();
unsigned int dbg_lvl = DBGLVL_DEBUG;
const char *opname = "<unknown>";
const char *reason = "<unknown>";
@@ -902,37 +984,43 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
opname = ndr_table_netlogon.calls[opnum].name;
}
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
reason = "WITH SEALED";
- } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ } else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
reason = "WITH SIGNED";
} else {
- smb_panic("Schannel without SIGN/SEAL");
+ reason = "WITH INVALID";
+ dbg_lvl = DBGLVL_ERR;
+ s->result = NT_STATUS_INTERNAL_ERROR;
}
} else {
reason = "WITHOUT";
}
- /*
- * We don't use lpcfg_parm_bool(), as we
- * need the explicit_opt pointer in order to
- * adjust the debug messages.
- */
- explicit_opt = lpcfg_get_parametric(lp_ctx,
- NULL,
- "server require schannel",
- creds->account_name);
- if (explicit_opt != NULL) {
- schannel_required = lp_bool(explicit_opt);
+ if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+ if (!NT_STATUS_IS_OK(s->result)) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(s->result)));
+ TALLOC_FREE(frame);
+ return s->result;
}
- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- nt_status = NT_STATUS_OK;
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ s->result = NT_STATUS_OK;
- if (explicit_opt != NULL && !schannel_required) {
+ if (s->schannel_explicitly_set && !s->schannel_required) {
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
- } else if (!schannel_required) {
+ } else if (!s->schannel_required) {
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
}
@@ -943,9 +1031,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
opname, opnum, reason,
log_escape(frame, creds->account_name),
log_escape(frame, creds->computer_name),
- nt_errstr(nt_status)));
-
- if (explicit_opt != NULL && !schannel_required) {
+ nt_errstr(s->result)));
+ if (s->schannel_explicitly_set && !s->schannel_required) {
DEBUG(CVE_2020_1472_warn_level, (
"CVE-2020-1472(ZeroLogon): "
"Option 'server require schannel:%s = no' not needed for '%s'!\n",
@@ -954,13 +1041,13 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
}
TALLOC_FREE(frame);
- return nt_status;
+ return s->result;
}
- if (schannel_required) {
- nt_status = NT_STATUS_ACCESS_DENIED;
+ if (s->schannel_required) {
+ s->result = NT_STATUS_ACCESS_DENIED;
- if (explicit_opt != NULL) {
+ if (s->schannel_explicitly_set) {
dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
} else {
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
@@ -973,8 +1060,8 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
opname, opnum, reason,
log_escape(frame, creds->account_name),
log_escape(frame, creds->computer_name),
- nt_errstr(nt_status)));
- if (explicit_opt != NULL) {
+ nt_errstr(s->result)));
+ if (s->schannel_explicitly_set) {
D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
"'server require schannel:%s = yes' "
"rejects access for client.\n",
@@ -987,12 +1074,12 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
log_escape(frame, creds->account_name)));
}
TALLOC_FREE(frame);
- return nt_status;
+ return s->result;
}
- nt_status = NT_STATUS_OK;
+ s->result = NT_STATUS_OK;
- if (explicit_opt != NULL) {
+ if (s->schannel_explicitly_set) {
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
} else {
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
@@ -1005,9 +1092,9 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
opname, opnum, reason,
log_escape(frame, creds->account_name),
log_escape(frame, creds->computer_name),
- nt_errstr(nt_status)));
+ nt_errstr(s->result)));
- if (explicit_opt != NULL) {
+ if (s->schannel_explicitly_set) {
D_INFO("CVE-2020-1472(ZeroLogon): Option "
"'server require schannel:%s = no' "
"still needed for '%s'!\n",
@@ -1030,6 +1117,32 @@ static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
}
TALLOC_FREE(frame);
+ return s->result;
+}
+
+static NTSTATUS dcesrv_netr_check_schannel(struct dcesrv_call_state *dce_call,
+ const struct netlogon_creds_CredentialState *creds,
+ enum dcerpc_AuthType auth_type,
+ enum dcerpc_AuthLevel auth_level,
+ uint16_t opnum)
+{
+ struct dcesrv_netr_check_schannel_state *s = NULL;
+ NTSTATUS status;
+
+ status = dcesrv_netr_check_schannel_get_state(dce_call,
+ creds,
+ auth_type,
+ auth_level,
+ &s);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
+ status = dcesrv_netr_check_schannel_once(dce_call, s, creds, opnum);
+ if (!NT_STATUS_IS_OK(status)) {
+ return status;
+ }
+
return NT_STATUS_OK;
}
--
2.34.1

66
backport-0028-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,66 @@
From 0e08441ba09123539f13afc794a71852c8644393 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:18:02 +0100
Subject: [PATCH 28/54] CVE-2022-37966 s3:libads: remove unused ifdef
HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 2bd27955ce1000c13b468934eed8b0fdeb66e3bf)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/libads/kerberos.c | 4 ----
source3/libads/kerberos_keytab.c | 4 ----
2 files changed, 8 deletions(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index 3fd86e87064e..a4a5e040c175 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -622,20 +622,16 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
lp_kerberos_encryption_types() == KERBEROS_ETYPES_STRONG) {
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
aes_enctypes = talloc_asprintf_append(
aes_enctypes, "%s", "aes256-cts-hmac-sha1-96 ");
if (aes_enctypes == NULL) {
goto done;
}
-#endif
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
aes_enctypes = talloc_asprintf_append(
aes_enctypes, "%s", "aes128-cts-hmac-sha1-96");
if (aes_enctypes == NULL) {
goto done;
}
-#endif
}
if (lp_weak_crypto() == SAMBA_WEAK_CRYPTO_ALLOWED &&
diff --git a/source3/libads/kerberos_keytab.c b/source3/libads/kerberos_keytab.c
index b7e1846bd9ff..ae459bc30ca3 100644
--- a/source3/libads/kerberos_keytab.c
+++ b/source3/libads/kerberos_keytab.c
@@ -238,12 +238,8 @@ static int add_kt_entry_etypes(krb5_context context, TALLOC_CTX *tmpctx,
char *princ_s = NULL;
char *short_princ_s = NULL;
krb5_enctype enctypes[4] = {
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
-#endif
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
-#endif
ENCTYPE_ARCFOUR_HMAC,
0
};
--
2.34.1

443
backport-0028-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,443 @@
From a19b425cccd935c77cf15f3123ed2611fc30cea6 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 14:05:30 +0100
Subject: [PATCH 28/30] CVE-2022-38023 s4:rpc_server/netlogon: implement
"server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with
privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit b3ed90a0541a271a7c6d4bee1201fa47adc3c0c1)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
selftest/target/Samba4.pm | 28 ++
source4/rpc_server/netlogon/dcerpc_netlogon.c | 244 +++++++++++++++++-
2 files changed, 271 insertions(+), 1 deletion(-)
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 3328cf617225..5c83bcbd4038 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1646,9 +1646,23 @@ sub provision_ad_dc_ntvfs($$$)
server require schannel:schannel10\$ = no
server require schannel:schannel11\$ = no
server require schannel:torturetest\$ = no
+ server schannel require seal:schannel0\$ = no
+ server schannel require seal:schannel1\$ = no
+ server schannel require seal:schannel2\$ = no
+ server schannel require seal:schannel3\$ = no
+ server schannel require seal:schannel4\$ = no
+ server schannel require seal:schannel5\$ = no
+ server schannel require seal:schannel6\$ = no
+ server schannel require seal:schannel7\$ = no
+ server schannel require seal:schannel8\$ = no
+ server schannel require seal:schannel9\$ = no
+ server schannel require seal:schannel10\$ = no
+ server schannel require seal:schannel11\$ = no
+ server schannel require seal:torturetest\$ = no
# needed for 'samba.tests.auth_log' tests
server require schannel:LOCALDC\$ = no
+ server schannel require seal:LOCALDC\$ = no
";
push (@{$extra_provision_options}, "--use-ntvfs");
my $ret = $self->provision($prefix,
@@ -2050,6 +2064,19 @@ sub provision_ad_dc($$$$$$$)
server require schannel:schannel10\$ = no
server require schannel:schannel11\$ = no
server require schannel:torturetest\$ = no
+ server schannel require seal:schannel0\$ = no
+ server schannel require seal:schannel1\$ = no
+ server schannel require seal:schannel2\$ = no
+ server schannel require seal:schannel3\$ = no
+ server schannel require seal:schannel4\$ = no
+ server schannel require seal:schannel5\$ = no
+ server schannel require seal:schannel6\$ = no
+ server schannel require seal:schannel7\$ = no
+ server schannel require seal:schannel8\$ = no
+ server schannel require seal:schannel9\$ = no
+ server schannel require seal:schannel10\$ = no
+ server schannel require seal:schannel11\$ = no
+ server schannel require seal:torturetest\$ = no
auth event notification = true
dsdb event notification = true
@@ -2743,6 +2770,7 @@ sub setup_ad_dc_smb1
# needed for 'samba.tests.auth_log' tests
server require schannel:ADDCSMB1\$ = no
+ server schannel require seal:ADDCSMB1\$ = no
";
return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
}
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 45dcec133fb3..aa24a539abfd 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -68,9 +68,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
int schannel = lpcfg_server_schannel(lp_ctx);
bool schannel_global_required = (schannel == true);
+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
static bool warned_global_nt4_once = false;
static bool warned_global_md5_once = false;
static bool warned_global_schannel_once = false;
+ static bool warned_global_seal_once = false;
if (global_allow_nt4_crypto && !warned_global_nt4_once) {
/*
@@ -102,6 +104,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
warned_global_schannel_once = true;
}
+ if (!global_require_seal && !warned_global_seal_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ D_ERR("CVE-2022-38023 (and others): "
+ "Please configure 'server schannel require seal = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+ warned_global_seal_once = true;
+ }
+
return dcesrv_interface_bind_reject_connect(context, iface);
}
@@ -886,6 +898,10 @@ struct dcesrv_netr_check_schannel_state {
bool schannel_required;
bool schannel_explicitly_set;
+ bool seal_global_required;
+ bool seal_required;
+ bool seal_explicitly_set;
+
NTSTATUS result;
};
@@ -900,6 +916,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d
bool schannel_global_required = (schannel == true);
bool schannel_required = schannel_global_required;
const char *explicit_opt = NULL;
+ bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
+ bool require_seal = global_require_seal;
+ const char *explicit_seal_opt = NULL;
#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
struct dcesrv_netr_check_schannel_state *s = NULL;
NTSTATUS status;
@@ -937,6 +956,19 @@ new_state:
s->auth_level = auth_level;
s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ /*
+ * We don't use lpcfg_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+ * adjust the debug messages.
+ */
+ explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
+ NULL,
+ "server schannel require seal",
+ creds->account_name);
+ if (explicit_seal_opt != NULL) {
+ require_seal = lp_bool(explicit_seal_opt);
+ }
+
/*
* We don't use lpcfg_parm_bool(), as we
* need the explicit_opt pointer in order to
@@ -954,6 +986,10 @@ new_state:
s->schannel_required = schannel_required;
s->schannel_explicitly_set = explicit_opt != NULL;
+ s->seal_global_required = global_require_seal;
+ s->seal_required = require_seal;
+ s->seal_explicitly_set = explicit_seal_opt != NULL;
+
status = dcesrv_iface_state_store_conn(dce_call,
DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
s);
@@ -975,6 +1011,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+ int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
TALLOC_CTX *frame = talloc_stackframe();
unsigned int dbg_lvl = DBGLVL_DEBUG;
const char *opname = "<unknown>";
@@ -1004,18 +1044,107 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
}
DEBUG(dbg_lvl, (
- "CVE-2020-1472(ZeroLogon): "
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(s->result)));
+ TALLOC_FREE(frame);
+ return s->result;
+ }
+
+ if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+ s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+ {
+ s->result = NT_STATUS_OK;
+
+ if (s->schannel_explicitly_set && !s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+ } else if (!s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
+ if (s->seal_explicitly_set && !s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+ } else if (!s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
"%s request (opnum[%u]) %s schannel from "
"client_account[%s] client_computer_name[%s] %s\n",
opname, opnum, reason,
log_escape(frame, creds->account_name),
log_escape(frame, creds->computer_name),
nt_errstr(s->result)));
+
+ if (s->schannel_explicitly_set && !s->schannel_required) {
+ DEBUG(CVE_2020_1472_warn_level, (
+ "CVE-2020-1472(ZeroLogon): "
+ "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+
+ if (s->seal_explicitly_set && !s->seal_required) {
+ DEBUG(CVE_2022_38023_warn_level, (
+ "CVE-2022-38023: "
+ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+
TALLOC_FREE(frame);
return s->result;
}
if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (s->seal_required) {
+ s->result = NT_STATUS_ACCESS_DENIED;
+
+ if (s->seal_explicitly_set) {
+ dbg_lvl = DBGLVL_NOTICE;
+ } else {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+ }
+ if (s->schannel_explicitly_set && !s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "from client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(s->result)));
+ if (s->seal_explicitly_set) {
+ D_NOTICE("CVE-2022-38023: Option "
+ "'server schannel require seal:%s = yes' "
+ "rejects access for client.\n",
+ log_escape(frame, creds->account_name));
+ } else {
+ DEBUG(CVE_2020_1472_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'server schannel require seal:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
+ if (s->schannel_explicitly_set && !s->schannel_required) {
+ DEBUG(CVE_2020_1472_warn_level, (
+ "CVE-2020-1472(ZeroLogon): Option "
+ "'server require schannel:%s = no' "
+ "not needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+ TALLOC_FREE(frame);
+ return s->result;
+ }
+
s->result = NT_STATUS_OK;
if (s->schannel_explicitly_set && !s->schannel_required) {
@@ -1023,6 +1152,11 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
} else if (!s->schannel_required) {
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
}
+ if (s->seal_explicitly_set && !s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ } else if (!s->seal_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+ }
DEBUG(dbg_lvl, (
"CVE-2020-1472(ZeroLogon): "
@@ -1039,7 +1173,77 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
log_escape(frame, creds->account_name),
log_escape(frame, creds->computer_name)));
}
+ if (s->seal_explicitly_set && !s->seal_required) {
+ D_INFO("CVE-2022-38023: "
+ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
+ } else if (!s->seal_required) {
+ /*
+ * admins should set
+ * server schannel require seal:COMPUTER$ = no
+ * in order to avoid the level 0 messages.
+ * Over time they can switch the global value
+ * to be strict.
+ */
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: "
+ "Please use 'server schannel require seal:%s = no' "
+ "for '%s' to avoid this warning!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+
+ TALLOC_FREE(frame);
+ return s->result;
+ }
+
+ if (s->seal_required) {
+ s->result = NT_STATUS_ACCESS_DENIED;
+
+ if (s->seal_explicitly_set) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+ } else {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+ }
+ if (!s->schannel_explicitly_set) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+ } else if (s->schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+ }
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "from client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(s->result)));
+ if (s->seal_explicitly_set) {
+ D_NOTICE("CVE-2022-38023: Option "
+ "'server schannel require seal:%s = yes' "
+ "rejects access for client.\n",
+ log_escape(frame, creds->account_name));
+ } else {
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'server schannel require seal:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
+ if (!s->schannel_explicitly_set) {
+ DEBUG(CVE_2020_1472_error_level, (
+ "CVE-2020-1472(ZeroLogon): Check if option "
+ "'server require schannel:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ } else if (s->schannel_required) {
+ D_NOTICE("CVE-2022-38023: Option "
+ "'server require schannel:%s = yes' "
+ "also rejects access for client.\n",
+ log_escape(frame, creds->account_name));
+ }
TALLOC_FREE(frame);
return s->result;
}
@@ -1052,6 +1256,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
} else {
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
}
+ if (!s->seal_explicitly_set) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+ }
DEBUG(dbg_lvl, (
"CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
@@ -1073,12 +1280,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
"might be needed for a legacy client.\n",
log_escape(frame, creds->account_name)));
}
+ if (!s->seal_explicitly_set) {
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: Check if option "
+ "'server schannel require seal:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
TALLOC_FREE(frame);
return s->result;
}
s->result = NT_STATUS_OK;
+ if (s->seal_explicitly_set) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ } else {
+ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+ }
+
if (s->schannel_explicitly_set) {
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
} else {
@@ -1094,6 +1314,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
log_escape(frame, creds->computer_name),
nt_errstr(s->result)));
+ if (s->seal_explicitly_set) {
+ D_INFO("CVE-2022-38023: Option "
+ "'server schannel require seal:%s = no' "
+ "still needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
+ } else {
+ /*
+ * admins should set
+ * server schannel require seal:COMPUTER$ = no
+ * in order to avoid the level 0 messages.
+ * Over time they can switch the global value
+ * to be strict.
+ */
+ DEBUG(CVE_2022_38023_error_level, (
+ "CVE-2022-38023: Please use "
+ "'server schannel require seal:%s = no' "
+ "for '%s' to avoid this warning!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
+
if (s->schannel_explicitly_set) {
D_INFO("CVE-2020-1472(ZeroLogon): Option "
"'server require schannel:%s = no' "
--
2.34.1

40
backport-0029-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,40 @@
From 7802d1ee31d29a32f2ebb858568b80ddbdbc2ff2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:19:48 +0100
Subject: [PATCH 29/54] CVE-2022-37966 s3:libnet: remove unused ifdef
HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 1a36c348d7a984bed8d0f3de5bf9bebd1cb3c47a)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/libnet/libnet_join.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 4529615a41a2..4c20d956943b 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2535,12 +2535,8 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
ctx->in.desired_encryption_types = ENC_CRC32 |
ENC_RSA_MD5 |
ENC_RC4_HMAC_MD5;
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
-#endif
*r = ctx;
--
2.34.1

54
backport-0029-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,54 @@
From 8ec894c5b4ebe4438cd5b7582ac436ce464188bd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 15:13:47 +0100
Subject: [PATCH 29/30] CVE-2022-38023 testparm: warn about server/client
schannel != yes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit f964c0c357214637f80d0089723b9b11d1b38f7e)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source3/utils/testparm.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index e0455b9d7b6b..7e913a8ac4d3 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -598,11 +598,25 @@ static int do_global_checks(void)
ret = 1;
}
- if (!lp_server_schannel()) {
+ if (lp_server_schannel() != true) { /* can be 'auto' */
fprintf(stderr,
- "WARNING: You have configured 'server schannel = no'. "
+ "WARNING: You have not configured "
+ "'server schannel = yes' (the default). "
"Your server is vulernable to \"ZeroLogon\" "
- "(CVE-2020-1472)\n\n");
+ "(CVE-2020-1472)\n"
+ "If required use individual "
+ "'server require schannel:COMPUTERACCOUNT$ = no' "
+ "options\n\n");
+ }
+ if (lp_client_schannel() != true) { /* can be 'auto' */
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'client schannel = yes' (the default). "
+ "Your server is vulernable to \"ZeroLogon\" "
+ "(CVE-2020-1472)\n"
+ "If required use individual "
+ "'client schannel:NETBIOSDOMAIN = no' "
+ "options\n\n");
}
return ret;
--
2.34.1

40
backport-0030-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,40 @@
From 7d9ad993238f56156d3deec9dcb33a8661b64394 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:19:48 +0100
Subject: [PATCH 30/54] CVE-2022-37966 s3:net_ads: remove unused ifdef
HAVE_ENCTYPE_AES*
aes encryption types are always supported.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f3fe1f2ce64ed36be5b001fb4fea92428e73e4e3)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/utils/net_ads.c | 4 ----
1 file changed, 4 deletions(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 7859225a03b7..79246a7ec0be 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3688,12 +3688,8 @@ static int net_ads_enctypes_set(struct net_context *c, int argc, const char **ar
}
etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
-#ifdef HAVE_ENCTYPE_AES128_CTS_HMAC_SHA1_96
etype_list |= ENC_HMAC_SHA1_96_AES128;
-#endif
-#ifdef HAVE_ENCTYPE_AES256_CTS_HMAC_SHA1_96
etype_list |= ENC_HMAC_SHA1_96_AES256;
-#endif
if (argv[1] != NULL) {
sscanf(argv[1], "%i", &etype_list);
--
2.34.1

100
backport-0030-CVE-2022-38023.patch Normal file
View File

@ -0,0 +1,100 @@
From 6a9ac02107834bc102020dea77483f66d87fe422 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Dec 2022 13:36:17 +0100
Subject: [PATCH 30/30] CVE-2022-38023 testparm: warn about unsecure schannel
related options
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 61 insertions(+)
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
index 7e913a8ac4d3..121c2b7a5221 100644
--- a/source3/utils/testparm.c
+++ b/source3/utils/testparm.c
@@ -608,6 +608,37 @@ static int do_global_checks(void)
"'server require schannel:COMPUTERACCOUNT$ = no' "
"options\n\n");
}
+ if (lp_allow_nt4_crypto()) {
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'allow nt4 crypto = no' (the default). "
+ "Your server is vulernable to "
+ "CVE-2022-38023 and others!\n"
+ "If required use individual "
+ "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' "
+ "options\n\n");
+ }
+ if (!lp_reject_md5_clients()) {
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'reject md5 clients = yes' (the default). "
+ "Your server is vulernable to "
+ "CVE-2022-38023!\n"
+ "If required use individual "
+ "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' "
+ "options\n\n");
+ }
+ if (!lp_server_schannel_require_seal()) {
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'server schannel require seal = yes' (the default). "
+ "Your server is vulernable to "
+ "CVE-2022-38023!\n"
+ "If required use individual "
+ "'server schannel require seal:COMPUTERACCOUNT$ = no' "
+ "options\n\n");
+ }
+
if (lp_client_schannel() != true) { /* can be 'auto' */
fprintf(stderr,
"WARNING: You have not configured "
@@ -618,6 +649,36 @@ static int do_global_checks(void)
"'client schannel:NETBIOSDOMAIN = no' "
"options\n\n");
}
+ if (!lp_reject_md5_servers()) {
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'reject md5 servers = yes' (the default). "
+ "Your server is vulernable to "
+ "CVE-2022-38023\n"
+ "If required use individual "
+ "'reject md5 servers:NETBIOSDOMAIN = no' "
+ "options\n\n");
+ }
+ if (!lp_require_strong_key()) {
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'require strong key = yes' (the default). "
+ "Your server is vulernable to "
+ "CVE-2022-38023\n"
+ "If required use individual "
+ "'require strong key:NETBIOSDOMAIN = no' "
+ "options\n\n");
+ }
+ if (!lp_winbind_sealed_pipes()) {
+ fprintf(stderr,
+ "WARNING: You have not configured "
+ "'winbind sealed pipes = yes' (the default). "
+ "Your server is vulernable to "
+ "CVE-2022-38023\n"
+ "If required use individual "
+ "'winbind sealed pipes:NETBIOSDOMAIN = no' "
+ "options\n\n");
+ }
return ret;
}
--
2.34.1

37
backport-0031-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,37 @@
From ec6543482c6cda246d8295ab9a62d00a35edba58 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:20:40 +0100
Subject: [PATCH 31/54] CVE-2022-37966 lib/krb5_wrap: no longer reference des
encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 16b805c8f376e0992a8bbb359d6bd8f0f96229db)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
lib/krb5_wrap/krb5_samba.c | 2 --
1 file changed, 2 deletions(-)
diff --git a/lib/krb5_wrap/krb5_samba.c b/lib/krb5_wrap/krb5_samba.c
index a792445e2e0f..81265cd4a731 100644
--- a/lib/krb5_wrap/krb5_samba.c
+++ b/lib/krb5_wrap/krb5_samba.c
@@ -3804,8 +3804,6 @@ int ads_krb5_cli_get_ticket(TALLOC_CTX *mem_ctx,
ENCTYPE_AES256_CTS_HMAC_SHA1_96,
ENCTYPE_AES128_CTS_HMAC_SHA1_96,
ENCTYPE_ARCFOUR_HMAC,
- ENCTYPE_DES_CBC_MD5,
- ENCTYPE_DES_CBC_CRC,
ENCTYPE_NULL};
bool ok;
--
2.34.1

37
backport-0032-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,37 @@
From 6bb95d749056ca23f2face32803f1cd42bf8bce1 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:20:40 +0100
Subject: [PATCH 32/54] CVE-2022-37966 s3:libads: no longer reference des
encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit a683507e560a499336c50b88abcd853d49618bf4)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/libads/kerberos.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/source3/libads/kerberos.c b/source3/libads/kerberos.c
index a4a5e040c175..d0b82af22b76 100644
--- a/source3/libads/kerberos.c
+++ b/source3/libads/kerberos.c
@@ -665,7 +665,7 @@ static char *get_enctypes(TALLOC_CTX *mem_ctx)
if (lp_kerberos_encryption_types() == KERBEROS_ETYPES_ALL ||
lp_kerberos_encryption_types() == KERBEROS_ETYPES_LEGACY) {
- legacy_enctypes = "arcfour-hmac-md5 des-cbc-crc des-cbc-md5";
+ legacy_enctypes = "arcfour-hmac-md5";
}
enctypes = talloc_asprintf(mem_ctx, "\tdefault_etypes = %s %s\n",
--
2.34.1

40
backport-0033-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,40 @@
From 2c0b460d550cd1d11b1e5318cc5e00051c427c2c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:20:40 +0100
Subject: [PATCH 33/54] CVE-2022-37966 s3:libnet: no longer reference des
encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 40b47c194d7c41fbc6515b6029d5afafb0911232)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/libnet/libnet_join.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/source3/libnet/libnet_join.c b/source3/libnet/libnet_join.c
index 4c20d956943b..d48833d6197a 100644
--- a/source3/libnet/libnet_join.c
+++ b/source3/libnet/libnet_join.c
@@ -2532,9 +2532,8 @@ WERROR libnet_init_JoinCtx(TALLOC_CTX *mem_ctx,
ctx->in.secure_channel_type = SEC_CHAN_WKSTA;
- ctx->in.desired_encryption_types = ENC_CRC32 |
- ENC_RSA_MD5 |
- ENC_RC4_HMAC_MD5;
+ ctx->in.desired_encryption_types = 0;
+ ctx->in.desired_encryption_types |= ENC_RC4_HMAC_MD5;
ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES128;
ctx->in.desired_encryption_types |= ENC_HMAC_SHA1_96_AES256;
--
2.34.1

38
backport-0034-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,38 @@
From 3bb0ab271bc536a826fc07db61e2cb4bb8edec28 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:20:40 +0100
Subject: [PATCH 34/54] CVE-2022-37966 s3:net_ads: no longer reference des
encryption types
We no longer have support for des encryption types in the kerberos
libraries anyway.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4cedaa643bf95ef2628f1b631feda833bb2e7da1)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/utils/net_ads.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 79246a7ec0be..7e1513a14ff7 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3687,7 +3687,8 @@ static int net_ads_enctypes_set(struct net_context *c, int argc, const char **ar
goto done;
}
- etype_list = ENC_CRC32 | ENC_RSA_MD5 | ENC_RC4_HMAC_MD5;
+ etype_list = 0;
+ etype_list |= ENC_RC4_HMAC_MD5;
etype_list |= ENC_HMAC_SHA1_96_AES128;
etype_list |= ENC_HMAC_SHA1_96_AES256;
--
2.34.1

38
backport-0035-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,38 @@
From 7a831d39b3360266006a32aaa33268dc6bb9a842 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 22 Nov 2022 09:48:45 +0100
Subject: [PATCH 35/54] CVE-2022-37966 s3:net_ads: let 'net ads enctypes list'
pretty print AES256-SK and RESOURCE-SID-COMPRESSION-DISABLED
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit b7260c89e0df18822fa276e681406ec4d3921caa)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source3/utils/net_ads.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/source3/utils/net_ads.c b/source3/utils/net_ads.c
index 7e1513a14ff7..09f7f0b4a394 100644
--- a/source3/utils/net_ads.c
+++ b/source3/utils/net_ads.c
@@ -3609,6 +3609,12 @@ static void net_ads_enctype_dump_enctypes(const char *username,
printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96\n",
enctypes & ENC_HMAC_SHA1_96_AES256 ? "X" : " ",
ENC_HMAC_SHA1_96_AES256);
+ printf("[%s] 0x%08x AES256-CTS-HMAC-SHA1-96-SK\n",
+ enctypes & ENC_HMAC_SHA1_96_AES256_SK ? "X" : " ",
+ ENC_HMAC_SHA1_96_AES256_SK);
+ printf("[%s] 0x%08x RESOURCE-SID-COMPRESSION-DISABLED\n",
+ enctypes & KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED ? "X" : " ",
+ KERB_ENCTYPE_RESOURCE_SID_COMPRESSION_DISABLED);
}
static int net_ads_enctypes_list(struct net_context *c, int argc, const char **argv)
--
2.34.1

33
backport-0036-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,33 @@
From bed79b5c8aefe3fcce96a7eba4ed2ba1f9a99a6b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 23 Nov 2022 15:27:14 +0100
Subject: [PATCH 36/54] CVE-2022-37966 s4:pydsdb: add
ENC_HMAC_SHA1_96_AES256_SK
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 621b8c3927b63776146940b183b03b3ea77fd2d7)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/dsdb/pydsdb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/source4/dsdb/pydsdb.c b/source4/dsdb/pydsdb.c
index 0f3a2bc62bd3..bcfc7e95478c 100644
--- a/source4/dsdb/pydsdb.c
+++ b/source4/dsdb/pydsdb.c
@@ -1631,6 +1631,7 @@ MODULE_INIT_FUNC(dsdb)
ADD_DSDB_FLAG(ENC_RC4_HMAC_MD5);
ADD_DSDB_FLAG(ENC_HMAC_SHA1_96_AES128);
ADD_DSDB_FLAG(ENC_HMAC_SHA1_96_AES256);
+ ADD_DSDB_FLAG(ENC_HMAC_SHA1_96_AES256_SK);
ADD_DSDB_FLAG(SEARCH_FLAG_ATTINDEX);
ADD_DSDB_FLAG(SEARCH_FLAG_PDNTATTINDEX);
--
2.34.1

58
backport-0037-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,58 @@
From 49e748498325044f2db6920ef9378907fd459741 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 7 Nov 2017 18:03:45 +0100
Subject: [PATCH 37/54] CVE-2022-37966 s4:kdc: use the strongest possible keys
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13135
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d7ea197ed1a9903f601030e6466cc822f9b8f794)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/kdc/kdc-heimdal.c | 23 ++++++++---------------
1 file changed, 8 insertions(+), 15 deletions(-)
diff --git a/source4/kdc/kdc-heimdal.c b/source4/kdc/kdc-heimdal.c
index 5b2b3e36652f..e936d4b7dccf 100644
--- a/source4/kdc/kdc-heimdal.c
+++ b/source4/kdc/kdc-heimdal.c
@@ -388,24 +388,17 @@ static void kdc_post_fork(struct task_server *task, struct process_details *pd)
kdc_config->num_db = 1;
/*
- * This restores the behavior before
- * commit 255e3e18e00f717d99f3bc57c8a8895ff624f3c3
- * s4:heimdal: import lorikeet-heimdal-201107150856
- * (commit 48936803fae4a2fb362c79365d31f420c917b85b)
+ * Note with the CVE-2022-37966 patches,
+ * see https://bugzilla.samba.org/show_bug.cgi?id=15219
+ * and https://bugzilla.samba.org/show_bug.cgi?id=15237
+ * we want to use the strongest keys for everything.
*
- * as_use_strongest_session_key,preauth_use_strongest_session_key
- * and tgs_use_strongest_session_key are input to the
- * _kdc_find_etype() function. The old bahavior is in
- * the use_strongest_session_key=FALSE code path.
- * (The only remaining difference in _kdc_find_etype()
- * is the is_preauth parameter.)
- *
- * The old behavior in the _kdc_get_preferred_key()
- * function is use_strongest_server_key=TRUE.
+ * Some of these don't have any real effect anymore,
+ * but it is better to have them as true...
*/
- kdc_config->tgt_use_strongest_session_key = false;
+ kdc_config->tgt_use_strongest_session_key = true;
kdc_config->preauth_use_strongest_session_key = true;
- kdc_config->svc_use_strongest_session_key = false;
+ kdc_config->svc_use_strongest_session_key = true;
kdc_config->use_strongest_server_key = true;
kdc_config->force_include_pa_etype_salt = true;
--
2.34.1

68
backport-0038-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,68 @@
From 1e428a47c896bad3d000dee829699fc0dcbe78a8 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 3 Feb 2022 16:27:15 +0100
Subject: [PATCH 38/54] CVE-2022-37966 drsuapi.idl: add trustedDomain related
ATTID values
For now this is only for debugging in order to see
DRSUAPI_ATTID_msDS_SupportedEncryptionTypes in the replication meta
data.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15219
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f1c5fa28c460f7e011049606b1b9ef96443e5e1f)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
librpc/idl/drsuapi.idl | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/librpc/idl/drsuapi.idl b/librpc/idl/drsuapi.idl
index db00eb8639ea..59a795a74e37 100644
--- a/librpc/idl/drsuapi.idl
+++ b/librpc/idl/drsuapi.idl
@@ -512,7 +512,11 @@ interface drsuapi
DRSUAPI_ATTID_priorValue = 0x00090064,
DRSUAPI_ATTID_supplementalCredentials = 0x0009007d,
DRSUAPI_ATTID_trustAuthIncoming = 0x00090081,
+ DRSUAPI_ATTID_trustDirection = 0x00090084,
+ DRSUAPI_ATTID_trustPartner = 0x00090085,
+ DRSUAPI_ATTID_trustPosixOffset = 0x00090086,
DRSUAPI_ATTID_trustAuthOutgoing = 0x00090087,
+ DRSUAPI_ATTID_trustType = 0x00090088,
DRSUAPI_ATTID_userParameters = 0x0009008a,
DRSUAPI_ATTID_profilePath = 0x0009008b,
DRSUAPI_ATTID_operatorCount = 0x00090090,
@@ -532,6 +536,9 @@ interface drsuapi
DRSUAPI_ATTID_options = 0x00090133,
DRSUAPI_ATTID_fSMORoleOwner = 0x00090171,
DRSUAPI_ATTID_systemFlags = 0x00090177,
+ DRSUAPI_ATTID_trustAttributes = 0x000901d6,
+ DRSUAPI_ATTID_trustParent = 0x000901d7,
+ DRSUAPI_ATTID_flatName = 0x000901ff,
DRSUAPI_ATTID_serverReference = 0x00090203,
DRSUAPI_ATTID_serverReferenceBL = 0x00090204,
DRSUAPI_ATTID_nonSecurityMember = 0x00090212,
@@ -550,6 +557,7 @@ interface drsuapi
DRSUAPI_ATTID_transportAddressAttribute = 0x0009037f,
DRSUAPI_ATTID_schemaInfo = 0x0009054e,
DRSUAPI_ATTID_msDS_Behavior_Version = 0x000905b3,
+ DRSUAPI_ATTID_msDS_TrustForestTrustInfo = 0x000906a6,
DRSUAPI_ATTID_msDS_KeyVersionNumber = 0x000906f6,
DRSUAPI_ATTID_msDS_NonMembers = 0x00090701,
DRSUAPI_ATTID_msDS_MembersForAzRole = 0x0009070e,
@@ -557,6 +565,7 @@ interface drsuapi
DRSUAPI_ATTID_msDS_hasMasterNCs = 0x0009072c,
DRSUAPI_ATTID_msDS_NeverRevealGroup = 0x00090786,
DRSUAPI_ATTID_msDS_RevealOnDemandGroup = 0x00090788,
+ DRSUAPI_ATTID_msDS_SupportedEncryptionTypes = 0x000907ab,
DRSUAPI_ATTID_msDS_HostServiceAccount = 0x00090808,
DRSUAPI_ATTID_isRecycled = 0x0009080a,
--
2.34.1

57
backport-0039-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,57 @@
From b6100f293defa819581aa42638dc8173e816e584 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 15:42:27 +0100
Subject: [PATCH 39/54] CVE-2022-37966 s4:libnet: initialize
libnet_SetPassword() arguments explicitly to zero by default.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 9e69289b099b47e0352ef67ef7e6529d11688e9a)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/libnet/libnet_join.c | 4 ++--
source4/libnet/libnet_passwd.c | 2 ++
2 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/source4/libnet/libnet_join.c b/source4/libnet/libnet_join.c
index 825a81579ccf..d1afb4f22b94 100644
--- a/source4/libnet/libnet_join.c
+++ b/source4/libnet/libnet_join.c
@@ -487,8 +487,8 @@ NTSTATUS libnet_JoinDomain(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, stru
const char *password_str = NULL;
r->out.error_string = NULL;
- r2.samr_handle.out.error_string = NULL;
-
+ ZERO_STRUCT(r2);
+
tmp_ctx = talloc_named(mem_ctx, 0, "libnet_Join temp context");
if (!tmp_ctx) {
r->out.error_string = NULL;
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index b17614bcd97b..c5e15802bd2b 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -942,6 +942,7 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX *
goto disconnect;
}
+ ZERO_STRUCT(r2);
r2.samr_handle.level = LIBNET_SET_PASSWORD_SAMR_HANDLE;
r2.samr_handle.in.account_name = r->samr.in.account_name;
r2.samr_handle.in.newpassword = r->samr.in.newpassword;
@@ -965,6 +966,7 @@ static NTSTATUS libnet_SetPassword_generic(struct libnet_context *ctx, TALLOC_CT
NTSTATUS status;
union libnet_SetPassword r2;
+ ZERO_STRUCT(r2);
r2.samr.level = LIBNET_SET_PASSWORD_SAMR;
r2.samr.in.account_name = r->generic.in.account_name;
r2.samr.in.domain_name = r->generic.in.domain_name;
--
2.34.1

191
backport-0040-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,191 @@
From 1ac872983e6e1c7bc3652ce07f523de334c16280 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Mar 2022 14:09:50 +0100
Subject: [PATCH 40/54] CVE-2022-37966 s4:libnet: add support
LIBNET_SET_PASSWORD_SAMR_HANDLE_18 to set nthash only
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 271cd82cd681d723572fcaeed24052dc98a83612)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/libnet/libnet_passwd.c | 73 ++++++++++++++++++++++++++++++++++
source4/libnet/libnet_passwd.h | 7 ++++
2 files changed, 80 insertions(+)
diff --git a/source4/libnet/libnet_passwd.c b/source4/libnet/libnet_passwd.c
index c5e15802bd2b..8fc4715a2091 100644
--- a/source4/libnet/libnet_passwd.c
+++ b/source4/libnet/libnet_passwd.c
@@ -752,6 +752,66 @@ out:
return status;
}
+static NTSTATUS libnet_SetPassword_samr_handle_18(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, union libnet_SetPassword *r)
+{
+ NTSTATUS status;
+ struct samr_SetUserInfo2 sui;
+ union samr_UserInfo u_info;
+ struct samr_Password ntpwd;
+ DATA_BLOB ntpwd_in;
+ DATA_BLOB ntpwd_out;
+ DATA_BLOB session_key;
+ int rc;
+
+ if (r->samr_handle.in.info21) {
+ return NT_STATUS_INVALID_PARAMETER_MIX;
+ }
+
+ /* prepare samr_SetUserInfo2 level 18 (nt_hash) */
+ ZERO_STRUCT(u_info);
+ E_md4hash(r->samr_handle.in.newpassword, ntpwd.hash);
+ ntpwd_in = data_blob_const(ntpwd.hash, sizeof(ntpwd.hash));
+ ntpwd_out = data_blob_const(u_info.info18.nt_pwd.hash,
+ sizeof(u_info.info18.nt_pwd.hash));
+ u_info.info18.nt_pwd_active = 1;
+ u_info.info18.password_expired = 0;
+
+ status = dcerpc_fetch_session_key(r->samr_handle.in.dcerpc_pipe, &session_key);
+ if (!NT_STATUS_IS_OK(status)) {
+ r->samr_handle.out.error_string = talloc_asprintf(mem_ctx,
+ "dcerpc_fetch_session_key failed: %s",
+ nt_errstr(status));
+ return status;
+ }
+
+ rc = sess_crypt_blob(&ntpwd_out, &ntpwd_in,
+ &session_key, SAMBA_GNUTLS_ENCRYPT);
+ if (rc < 0) {
+ status = gnutls_error_to_ntstatus(rc, NT_STATUS_CRYPTO_SYSTEM_INVALID);
+ goto out;
+ }
+
+ sui.in.user_handle = r->samr_handle.in.user_handle;
+ sui.in.info = &u_info;
+ sui.in.level = 18;
+
+ /* 9. try samr_SetUserInfo2 level 18 to set the password */
+ status = dcerpc_samr_SetUserInfo2_r(r->samr_handle.in.dcerpc_pipe->binding_handle, mem_ctx, &sui);
+ if (NT_STATUS_IS_OK(status) && !NT_STATUS_IS_OK(sui.out.result)) {
+ status = sui.out.result;
+ }
+ if (!NT_STATUS_IS_OK(status)) {
+ r->samr_handle.out.error_string
+ = talloc_asprintf(mem_ctx,
+ "SetUserInfo2 level 18 for [%s] failed: %s",
+ r->samr_handle.in.account_name, nt_errstr(status));
+ }
+
+out:
+ data_blob_clear(&session_key);
+ return status;
+}
+
/*
* 1. try samr_SetUserInfo2 level 26 to set the password
* 2. try samr_SetUserInfo2 level 25 to set the password
@@ -770,6 +830,11 @@ static NTSTATUS libnet_SetPassword_samr_handle(struct libnet_context *ctx, TALLO
};
unsigned int i;
+ if (r->samr_handle.samr_level != 0) {
+ r->generic.level = r->samr_handle.samr_level;
+ return libnet_SetPassword(ctx, mem_ctx, r);
+ }
+
for (i=0; i < ARRAY_SIZE(levels); i++) {
r->generic.level = levels[i];
status = libnet_SetPassword(ctx, mem_ctx, r);
@@ -944,6 +1009,7 @@ static NTSTATUS libnet_SetPassword_samr(struct libnet_context *ctx, TALLOC_CTX *
ZERO_STRUCT(r2);
r2.samr_handle.level = LIBNET_SET_PASSWORD_SAMR_HANDLE;
+ r2.samr_handle.samr_level = r->samr.samr_level;
r2.samr_handle.in.account_name = r->samr.in.account_name;
r2.samr_handle.in.newpassword = r->samr.in.newpassword;
r2.samr_handle.in.user_handle = &u_handle;
@@ -968,6 +1034,7 @@ static NTSTATUS libnet_SetPassword_generic(struct libnet_context *ctx, TALLOC_CT
ZERO_STRUCT(r2);
r2.samr.level = LIBNET_SET_PASSWORD_SAMR;
+ r2.samr.samr_level = r->generic.samr_level;
r2.samr.in.account_name = r->generic.in.account_name;
r2.samr.in.domain_name = r->generic.in.domain_name;
r2.samr.in.newpassword = r->generic.in.newpassword;
@@ -1020,6 +1087,12 @@ NTSTATUS libnet_SetPassword(struct libnet_context *ctx, TALLOC_CTX *mem_ctx, uni
}
status = libnet_SetPassword_samr_handle_23(ctx, mem_ctx, r);
break;
+ case LIBNET_SET_PASSWORD_SAMR_HANDLE_18:
+ if (encryption_state == SMB_ENCRYPTION_REQUIRED) {
+ GNUTLS_FIPS140_SET_LAX_MODE();
+ }
+ status = libnet_SetPassword_samr_handle_18(ctx, mem_ctx, r);
+ break;
case LIBNET_SET_PASSWORD_KRB5:
status = NT_STATUS_NOT_IMPLEMENTED;
break;
diff --git a/source4/libnet/libnet_passwd.h b/source4/libnet/libnet_passwd.h
index f9fb5dad7560..17e6aab4fca7 100644
--- a/source4/libnet/libnet_passwd.h
+++ b/source4/libnet/libnet_passwd.h
@@ -76,6 +76,7 @@ enum libnet_SetPassword_level {
LIBNET_SET_PASSWORD_SAMR_HANDLE_25,
LIBNET_SET_PASSWORD_SAMR_HANDLE_24,
LIBNET_SET_PASSWORD_SAMR_HANDLE_23,
+ LIBNET_SET_PASSWORD_SAMR_HANDLE_18,
LIBNET_SET_PASSWORD_KRB5,
LIBNET_SET_PASSWORD_LDAP,
LIBNET_SET_PASSWORD_RAP
@@ -84,6 +85,7 @@ enum libnet_SetPassword_level {
union libnet_SetPassword {
struct {
enum libnet_SetPassword_level level;
+ enum libnet_SetPassword_level samr_level;
struct _libnet_SetPassword_in {
const char *account_name;
@@ -98,6 +100,7 @@ union libnet_SetPassword {
struct {
enum libnet_SetPassword_level level;
+ enum libnet_SetPassword_level samr_level;
struct _libnet_SetPassword_samr_handle_in {
const char *account_name; /* for debug only */
struct policy_handle *user_handle;
@@ -113,24 +116,28 @@ union libnet_SetPassword {
struct {
enum libnet_SetPassword_level level;
+ enum libnet_SetPassword_level samr_level;
struct _libnet_SetPassword_in in;
struct _libnet_SetPassword_out out;
} samr;
struct {
enum libnet_SetPassword_level level;
+ enum libnet_SetPassword_level samr_level;
struct _libnet_SetPassword_in in;
struct _libnet_SetPassword_out out;
} krb5;
struct {
enum libnet_SetPassword_level level;
+ enum libnet_SetPassword_level samr_level;
struct _libnet_SetPassword_in in;
struct _libnet_SetPassword_out out;
} ldap;
struct {
enum libnet_ChangePassword_level level;
+ enum libnet_SetPassword_level samr_level;
struct _libnet_SetPassword_in in;
struct _libnet_SetPassword_out out;
} rap;
--
2.34.1

61
backport-0041-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,61 @@
From b0d99036cc44884e9d5ae1caf2076f00c94b7f79 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 15:45:56 +0100
Subject: [PATCH 41/54] CVE-2022-37966 s4:libnet: allow python bindings to
force setting an nthash via SAMR level 18
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 4ebbe7e40754eeb1c8f221dd59018c3e681ab2ab)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/libnet/py_net.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/source4/libnet/py_net.c b/source4/libnet/py_net.c
index df9280d8c18d..fe5979e7a57a 100644
--- a/source4/libnet/py_net.c
+++ b/source4/libnet/py_net.c
@@ -244,20 +244,32 @@ static PyObject *py_net_set_password(py_net_Object *self, PyObject *args, PyObje
NTSTATUS status;
TALLOC_CTX *mem_ctx;
struct tevent_context *ev;
- const char *kwnames[] = { "account_name", "domain_name", "newpassword", NULL };
+ const char *kwnames[] = { "account_name", "domain_name", "newpassword", "force_samr_18", NULL };
+ PyObject *py_force_samr_18 = Py_False;
ZERO_STRUCT(r);
r.generic.level = LIBNET_SET_PASSWORD_GENERIC;
- if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sss:set_password",
+ if (!PyArg_ParseTupleAndKeywords(args, kwargs, "sss|O:set_password",
discard_const_p(char *, kwnames),
&r.generic.in.account_name,
&r.generic.in.domain_name,
- &r.generic.in.newpassword)) {
+ &r.generic.in.newpassword,
+ &py_force_samr_18)) {
return NULL;
}
+ if (py_force_samr_18) {
+ if (!PyBool_Check(py_force_samr_18)) {
+ PyErr_SetString(PyExc_TypeError, "Expected boolean force_samr_18");
+ return NULL;
+ }
+ if (py_force_samr_18 == Py_True) {
+ r.generic.samr_level = LIBNET_SET_PASSWORD_SAMR_HANDLE_18;
+ }
+ }
+
/* FIXME: we really need to get a context from the caller or we may end
* up with 2 event contexts */
ev = s4_event_context_init(NULL);
--
2.34.1

188
backport-0042-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,188 @@
From 7a22f4b56cb75473e63673bd975f6b852c15bc03 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 09:48:09 +0100
Subject: [PATCH 42/54] CVE-2022-37966 python:tests/krb5: fix some tests
running against Windows 2022
I'm using the following options:
SERVER=172.31.9.218 DC_SERVER=w2022-118.w2022-l7.base \
SMB_CONF_PATH=/dev/null STRICT_CHECKING=1 \
DOMAIN=W2022-L7 REALM=W2022-L7.BASE \
ADMIN_USERNAME=Administrator ADMIN_PASSWORD=A1b2C3d4 \
CLIENT_USERNAME=Administrator CLIENT_PASSWORD=A1b2C3d4 CLIENT_AS_SUPPORTED_ENCTYPES=28 CLIENT_KVNO=2 \
FULL_SIG_SUPPORT=1 TKT_SIG_SUPPORT=1 FORCED_RC4=1
in order to run these:
python/samba/tests/krb5/as_req_tests.py -v --failfast AsReqKerberosTests
python/samba/tests/krb5/etype_tests.py -v --failfast EtypeTests
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit e0f89b7bc8025db615dccf096aab4ca87e655368)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/as_req_tests.py | 19 +++++++++++++++----
python/samba/tests/krb5/kdc_base_test.py | 9 +++++++++
python/samba/tests/krb5/raw_testcase.py | 18 +++++++++++++++---
3 files changed, 39 insertions(+), 7 deletions(-)
diff --git a/python/samba/tests/krb5/as_req_tests.py b/python/samba/tests/krb5/as_req_tests.py
index 6b3b5ad4a226..22e5e373c51b 100755
--- a/python/samba/tests/krb5/as_req_tests.py
+++ b/python/samba/tests/krb5/as_req_tests.py
@@ -47,6 +47,7 @@ class AsReqBaseTest(KDCBaseTest):
expected_cname=None, sname=None,
name_type=NT_PRINCIPAL, etypes=None,
expected_error=None, expect_edata=None,
+ expected_pa_error=None, expect_pa_edata=None,
kdc_options=None, till=None):
user_name = client_creds.get_username()
if client_account is None:
@@ -125,6 +126,8 @@ class AsReqBaseTest(KDCBaseTest):
preauth_padata = [pa_ts]
preauth_error_mode = 0 # AS-REP
+ if expected_pa_error is not None:
+ preauth_error_mode = expected_pa_error
krbtgt_decryption_key = (
self.TicketDecryptionKey_from_creds(krbtgt_creds))
@@ -146,6 +149,7 @@ class AsReqBaseTest(KDCBaseTest):
kdc_options,
expected_supported_etypes=krbtgt_supported_etypes,
expected_account_name=user_name,
+ expect_edata=expect_pa_edata,
preauth_key=preauth_key,
ticket_decryption_key=krbtgt_decryption_key,
pac_request=True)
@@ -512,10 +516,17 @@ class AsReqKerberosTests(AsReqBaseTest):
name_type=NT_SRV_INST,
names=[krbtgt_account, realm])
- self._run_as_req_enc_timestamp(
- client_creds,
- sname=wrong_krbtgt_princ,
- expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
+ if self.strict_checking:
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ sname=wrong_krbtgt_princ,
+ expected_pa_error=KDC_ERR_S_PRINCIPAL_UNKNOWN,
+ expect_pa_edata=False)
+ else:
+ self._run_as_req_enc_timestamp(
+ client_creds,
+ sname=wrong_krbtgt_princ,
+ expected_error=KDC_ERR_S_PRINCIPAL_UNKNOWN)
# Test that we can make a request for a ticket expiring post-2038.
def test_future_till(self):
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index e92049a2ecda..beefd1654494 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -53,6 +53,11 @@ from samba.dsdb import (
UF_SERVER_TRUST_ACCOUNT,
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
)
+from samba.dcerpc.misc import (
+ SEC_CHAN_NULL,
+ SEC_CHAN_WKSTA,
+ SEC_CHAN_BDC,
+)
from samba.join import DCJoinContext
from samba.ndr import ndr_pack, ndr_unpack
from samba import net
@@ -292,6 +297,7 @@ class KDCBaseTest(RawKerberosTest):
# run failed
delete_force(samdb, dn)
account_name = name
+ secure_schannel_type = SEC_CHAN_NULL
if account_type is self.AccountType.USER:
object_class = "user"
account_control |= UF_NORMAL_ACCOUNT
@@ -301,8 +307,10 @@ class KDCBaseTest(RawKerberosTest):
account_name += '$'
if account_type is self.AccountType.COMPUTER:
account_control |= UF_WORKSTATION_TRUST_ACCOUNT
+ secure_schannel_type = SEC_CHAN_WKSTA
elif account_type is self.AccountType.SERVER:
account_control |= UF_SERVER_TRUST_ACCOUNT
+ secure_schannel_type = SEC_CHAN_BDC
else:
self.fail()
@@ -343,6 +351,7 @@ class KDCBaseTest(RawKerberosTest):
creds.set_workstation('')
else:
creds.set_workstation(name)
+ creds.set_secure_channel_type(secure_schannel_type)
creds.set_dn(ldb.Dn(samdb, dn))
creds.set_upn(upn)
creds.set_spn(spn)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index f13ada7bbf83..d601c7bb5018 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -41,6 +41,10 @@ from samba.credentials import Credentials
from samba.dcerpc import krb5pac, security
from samba.gensec import FEATURE_SEAL
from samba.ndr import ndr_pack, ndr_unpack
+from samba.dcerpc.misc import (
+ SEC_CHAN_WKSTA,
+ SEC_CHAN_BDC,
+)
import samba.tests
from samba.tests import TestCaseInTempDir
@@ -484,7 +488,8 @@ class KerberosCredentials(Credentials):
else:
salt_name = self.get_username()
- if self.get_workstation():
+ secure_schannel_type = self.get_secure_channel_type()
+ if secure_schannel_type in [SEC_CHAN_WKSTA,SEC_CHAN_BDC]:
salt_name = self.get_username().lower()
if salt_name[-1] == '$':
salt_name = salt_name[:-1]
@@ -2934,7 +2939,7 @@ class RawKerberosTest(TestCaseInTempDir):
else:
self.assertElementMissing(ticket_private, 'renew-till')
if self.strict_checking:
- self.assertElementEqual(ticket_private, 'caddr', [])
+ self.assertElementMissing(ticket_private, 'caddr')
if expect_pac is not None:
if expect_pac:
self.assertElementPresent(ticket_private,
@@ -2988,7 +2993,7 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertElementEqualPrincipal(encpart_private, 'sname',
expected_sname)
if self.strict_checking:
- self.assertElementEqual(encpart_private, 'caddr', [])
+ self.assertElementMissing(encpart_private, 'caddr')
sent_pac_options = self.get_sent_pac_options(kdc_exchange_dict)
@@ -3441,6 +3446,13 @@ class RawKerberosTest(TestCaseInTempDir):
kcrypto.Enctype.AES128}:
expected_patypes += (PADATA_ETYPE_INFO2,)
+ preauth_key = kdc_exchange_dict['preauth_key']
+ if preauth_key.etype == kcrypto.Enctype.RC4 and rep_padata is None:
+ rep_padata = ()
+ elif rep_msg_type == KRB_TGS_REP:
+ if expected_patypes == () and rep_padata is None:
+ rep_padata = ()
+
if not self.strict_checking and rep_padata is None:
rep_padata = ()
--
2.34.1

71
backport-0043-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,71 @@
From 624731517772ace3051d922c58f8a222ce263e06 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 14:15:40 +0100
Subject: [PATCH 43/54] CVE-2022-37966 python:tests/krb5: allow
ticket/supported_etypes to be passed KdcTgsBaseTests._{as,tgs}_req()
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit d8fd6a22b67a2b3ae03a2e428cc4987f07af6e29)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/kdc_tgs_tests.py | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/python/samba/tests/krb5/kdc_tgs_tests.py b/python/samba/tests/krb5/kdc_tgs_tests.py
index 1607818de1df..40001479f960 100755
--- a/python/samba/tests/krb5/kdc_tgs_tests.py
+++ b/python/samba/tests/krb5/kdc_tgs_tests.py
@@ -66,7 +66,8 @@ class KdcTgsBaseTests(KDCBaseTest):
creds,
expected_error,
target_creds,
- etype):
+ etype,
+ expected_ticket_etype=None):
user_name = creds.get_username()
cname = self.PrincipalName_create(name_type=NT_PRINCIPAL,
names=user_name.split('/'))
@@ -87,7 +88,8 @@ class KdcTgsBaseTests(KDCBaseTest):
till = self.get_KerberosTime(offset=36000)
ticket_decryption_key = (
- self.TicketDecryptionKey_from_creds(target_creds))
+ self.TicketDecryptionKey_from_creds(target_creds,
+ etype=expected_ticket_etype))
expected_etypes = target_creds.tgs_supported_enctypes
kdc_options = ('forwardable,'
@@ -179,6 +181,8 @@ class KdcTgsBaseTests(KDCBaseTest):
use_fast=False,
expect_claims=True,
etypes=None,
+ expected_ticket_etype=None,
+ expected_supported_etypes=None,
expect_pac=True,
expect_pac_attrs=None,
expect_pac_attrs_pac_request=None,
@@ -218,7 +222,7 @@ class KdcTgsBaseTests(KDCBaseTest):
else:
additional_tickets = None
decryption_key = self.TicketDecryptionKey_from_creds(
- target_creds)
+ target_creds, etype=expected_ticket_etype)
subkey = self.RandomKey(tgt.session_key.etype)
@@ -278,6 +282,7 @@ class KdcTgsBaseTests(KDCBaseTest):
pac_options=pac_options,
authenticator_subkey=subkey,
kdc_options=kdc_options,
+ expected_supported_etypes=expected_supported_etypes,
expect_edata=expect_edata,
expect_pac=expect_pac,
expect_pac_attrs=expect_pac_attrs,
--
2.34.1

34
backport-0044-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,34 @@
From 3cd0542db2b5baefe8877fcb9bab8fa74978322c Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 20:27:14 +0100
Subject: [PATCH 44/54] CVE-2022-37966 python:tests/krb5: ignore empty
supplementalCredentials attributes
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit f434a30ee7c40aac4a223fcabac9ddd160a155a5)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/kdc_base_test.py | 2 ++
1 file changed, 2 insertions(+)
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index beefd1654494..3ed81fb19d20 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -594,6 +594,8 @@ class KDCBaseTest(RawKerberosTest):
for attr in attributes:
if attr.attid == drsuapi.DRSUAPI_ATTID_supplementalCredentials:
net_ctx.replicate_decrypt(bind, attr, rid)
+ if attr.value_ctr.num_values == 0:
+ continue
attr_val = attr.value_ctr.values[0].blob
spl = ndr_unpack(drsblobs.supplementalCredentialsBlob,
--
2.34.1

110
backport-0045-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,110 @@
From 28526dc04984b8ba59a1235180f82cdc0cf78557 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 16:42:58 +0100
Subject: [PATCH 45/54] CVE-2022-37966 python:tests/krb5: add 'force_nt4_hash'
for account creation of KDCBaseTest
This will allow us to create tests accounts with only an nt4 hash
stored, without any aes keys.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 77bd3258f1db0ddf4639a83a81a1aad3ee52c87d)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/kdc_base_test.py | 38 ++++++++++++++++++++----
1 file changed, 32 insertions(+), 6 deletions(-)
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 3ed81fb19d20..1016d056eefb 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -276,7 +276,7 @@ class KDCBaseTest(RawKerberosTest):
def create_account(self, samdb, name, account_type=AccountType.USER,
spn=None, upn=None, additional_details=None,
ou=None, account_control=0, add_dollar=True,
- expired_password=False):
+ expired_password=False, force_nt4_hash=False):
'''Create an account for testing.
The dn of the created account is added to self.accounts,
which is used by tearDownClass to clean up the created accounts.
@@ -341,6 +341,26 @@ class KDCBaseTest(RawKerberosTest):
self.accounts.append(dn)
samdb.add(details)
+ expected_kvno = 1
+
+ if force_nt4_hash:
+ admin_creds = self.get_admin_creds()
+ lp = self.get_lp()
+ net_ctx = net.Net(admin_creds, lp, server=self.dc_host)
+ domain = samdb.domain_netbios_name().upper()
+
+ password = generate_random_password(32, 32)
+ utf16pw = ('"%s"' % password).encode('utf-16-le')
+
+ try:
+ net_ctx.set_password(newpassword=password,
+ account_name=account_name,
+ domain_name=domain,
+ force_samr_18=True)
+ expected_kvno += 1
+ except Exception as e:
+ self.fail(e)
+
creds = KerberosCredentials()
creds.guess(self.get_lp())
creds.set_realm(samdb.domain_dns_name().upper())
@@ -363,8 +383,8 @@ class KDCBaseTest(RawKerberosTest):
attrs=['msDS-KeyVersionNumber'])
kvno = res[0].get('msDS-KeyVersionNumber', idx=0)
if kvno is not None:
- self.assertEqual(int(kvno), 1)
- creds.set_kvno(1)
+ self.assertEqual(int(kvno), expected_kvno)
+ creds.set_kvno(expected_kvno)
return (creds, dn)
@@ -772,7 +792,8 @@ class KDCBaseTest(RawKerberosTest):
'member_of': None,
'kerberos_enabled': True,
'secure_channel_type': None,
- 'id': None
+ 'id': None,
+ 'force_nt4_hash': False,
}
account_opts = {
@@ -819,7 +840,8 @@ class KDCBaseTest(RawKerberosTest):
member_of,
kerberos_enabled,
secure_channel_type,
- id):
+ id,
+ force_nt4_hash):
if account_type is self.AccountType.USER:
self.assertIsNone(spn)
self.assertIsNone(delegation_to_spn)
@@ -876,9 +898,13 @@ class KDCBaseTest(RawKerberosTest):
additional_details=details,
account_control=user_account_control,
add_dollar=add_dollar,
+ force_nt4_hash=force_nt4_hash,
expired_password=expired_password)
- keys = self.get_keys(samdb, dn)
+ expected_etypes = None
+ if force_nt4_hash:
+ expected_etypes = {kcrypto.Enctype.RC4}
+ keys = self.get_keys(samdb, dn, expected_etypes=expected_etypes)
self.creds_set_keys(creds, keys)
# Handle secret replication to the RODC.
--
2.34.1

36
backport-0046-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,36 @@
From e36aea06e1f00934ae13215517337732d4b65629 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 20:59:52 +0100
Subject: [PATCH 46/54] CVE-2022-37966 python:tests/krb5: add better
PADATA_SUPPORTED_ETYPES assert message
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit c7c576208960e336da276e251ad7a526e1b3ed45)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/raw_testcase.py | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/python/samba/tests/krb5/raw_testcase.py b/python/samba/tests/krb5/raw_testcase.py
index d601c7bb5018..ac2ace44c992 100644
--- a/python/samba/tests/krb5/raw_testcase.py
+++ b/python/samba/tests/krb5/raw_testcase.py
@@ -3039,8 +3039,8 @@ class RawKerberosTest(TestCaseInTempDir):
self.assertEqual(
supported_etypes & ~ignore_bits,
expected_supported_etypes & ~ignore_bits,
- f'got: {supported_etypes}, '
- f'expected: {expected_supported_etypes}')
+ f'PADATA_SUPPORTED_ETYPES: got: {supported_etypes} (0x{supported_etypes:X}), '
+ f'expected: {expected_supported_etypes} (0x{expected_supported_etypes:X})')
if PADATA_PAC_OPTIONS in enc_pa_dict:
pac_options = self.der_decode(
--
2.34.1

4677
backport-0047-CVE-2022-37966.patch Normal file
View File

File diff suppressed because it is too large Load Diff

4048
backport-0048-CVE-2022-37966.patch Normal file
View File

File diff suppressed because it is too large Load Diff

51
backport-0049-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,51 @@
From 4a2b0b69bf8e786703a8f4a648ba00392de5eccd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 09:02:41 +0100
Subject: [PATCH 49/54] CVE-2022-37966 param: don't explicitly initialize "kdc
force enable rc4 weak session keys" to false/"no"
This is not squashed in order to allow easier backports...
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 7504a4d6fee7805aac7657b9dab88c48353d6db4)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
lib/param/loadparm.c | 4 ----
source3/param/loadparm.c | 1 -
2 files changed, 5 deletions(-)
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index a858c31dbba4..1cb25f843b3b 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3091,10 +3091,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"kdc default domain supported enctypes",
"rc4-hmac aes256-cts-hmac-sha1-96-sk");
- lpcfg_do_global_parameter(lp_ctx,
- "kdc force enable rc4 weak session keys",
- "no");
-
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index dc1a830cdbe1..fb15b20e1876 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -997,7 +997,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.kdc_default_domain_supported_enctypes =
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
- Globals.kdc_force_enable_rc4_weak_session_keys = false;
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
--
2.34.1

123
backport-0050-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,123 @@
From ca15d88d6e6907b164b2e9d4fb78c283b82c843d Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 09:05:51 +0100
Subject: [PATCH 50/54] CVE-2022-37966 param: let "kdc default domain
supportedenctypes = 0" mean the default
In order to allow better upgrades we need the default value for smb.conf to the
same even if the effective default value of the software changes in future.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit fa64f8fa8d92167ed15d1109af65bbb4daab4bad)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../security/kdcdefaultdomainsupportedenctypes.xml | 2 +-
lib/param/loadparm.c | 4 ----
python/samba/tests/krb5/etype_tests.py | 2 ++
python/samba/tests/krb5/kdc_base_test.py | 6 +++++-
source3/param/loadparm.c | 3 ---
source4/kdc/db-glue.c | 6 +++++-
6 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
index e93650ac3e07..984611167b59 100644
--- a/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
+++ b/docs-xml/smbdotconf/security/kdcdefaultdomainsupportedenctypes.xml
@@ -38,5 +38,5 @@
</description>
-<value type="default">36<comment>equivalent to: rc4-hmac aes256-cts-hmac-sha1-96-sk</comment></value>
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes256-cts-hmac-sha1-96-sk</comment></value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 1cb25f843b3b..8387242c25f5 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -3087,10 +3087,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"rpc start on demand helpers",
"yes");
- lpcfg_do_global_parameter(lp_ctx,
- "kdc default domain supported enctypes",
- "rc4-hmac aes256-cts-hmac-sha1-96-sk");
-
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
diff --git a/python/samba/tests/krb5/etype_tests.py b/python/samba/tests/krb5/etype_tests.py
index 1a16518df94e..9725d544c2ac 100755
--- a/python/samba/tests/krb5/etype_tests.py
+++ b/python/samba/tests/krb5/etype_tests.py
@@ -63,6 +63,8 @@ class EtypeTests(KdcTgsBaseTests):
lp = self.get_lp()
self.default_supported_enctypes = lp.get(
'kdc default domain supported enctypes')
+ if self.default_supported_enctypes == 0:
+ self.default_supported_enctypes = rc4_bit | aes256_sk_bit
def _server_creds(self, supported=None, force_nt4_hash=False,
account_type=None):
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 1016d056eefb..46271a90bcf4 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -63,6 +63,9 @@ from samba.ndr import ndr_pack, ndr_unpack
from samba import net
from samba.samdb import SamDB, dsdb_Dn
+rc4_bit = security.KERB_ENCTYPE_RC4_HMAC_MD5
+aes256_sk_bit = security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK
+
from samba.tests import delete_force
import samba.tests.krb5.kcrypto as kcrypto
from samba.tests.krb5.raw_testcase import (
@@ -664,7 +667,8 @@ class KDCBaseTest(RawKerberosTest):
if supported_enctypes is None:
lp = self.get_lp()
supported_enctypes = lp.get('kdc default domain supported enctypes')
-
+ if supported_enctypes == 0:
+ supported_enctypes = rc4_bit | aes256_sk_bit
supported_enctypes = int(supported_enctypes)
if extra_bits is not None:
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index fb15b20e1876..7e20acbf8b96 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -995,9 +995,6 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
*/
Globals.rpc_start_on_demand_helpers = true;
- Globals.kdc_default_domain_supported_enctypes =
- KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
-
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
}
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index bc7f2b2311c3..4cdbdf9a325b 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1062,7 +1062,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
bool force_rc4 = lpcfg_kdc_force_enable_rc4_weak_session_keys(lp_ctx);
struct ldb_message_element *objectclasses;
struct ldb_val computer_val = data_blob_string_const("computer");
- uint32_t default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+ uint32_t config_default_supported_enctypes = lpcfg_kdc_default_domain_supported_enctypes(lp_ctx);
+ uint32_t default_supported_enctypes =
+ config_default_supported_enctypes != 0 ?
+ config_default_supported_enctypes :
+ ENC_RC4_HMAC_MD5 | ENC_HMAC_SHA1_96_AES256_SK;
uint32_t supported_enctypes
= ldb_msg_find_attr_as_uint(msg,
"msDS-SupportedEncryptionTypes",
--
2.34.1

151
backport-0051-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,151 @@
From 0107b58ec8f5735f29e54062041b251d982a8c6b Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 14:13:36 +0100
Subject: [PATCH 51/54] CVE-2022-37966 param: Add support for new option "kdc
supported enctypes"
This allows admins to disable enctypes completely if required.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 36d0a495159f72633f1f41deec979095417a1727)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
.../security/kdcsupportedenctypes.xml | 40 +++++++++++
lib/param/loadparm.c | 69 +++++++++++++++++++
2 files changed, 109 insertions(+)
create mode 100644 docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
diff --git a/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
new file mode 100644
index 000000000000..5e028bbb2be1
--- /dev/null
+++ b/docs-xml/smbdotconf/security/kdcsupportedenctypes.xml
@@ -0,0 +1,40 @@
+<samba:parameter name="kdc supported enctypes"
+ type="integer"
+ context="G"
+ handler="handle_kdc_supported_enctypes"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
+<description>
+ <para>
+ On an active directory domain controller, this is the list of supported encryption types for local running kdc.
+ </para>
+
+ <para>
+ This allows Samba administrators to remove support for weak/unused encryption types, similar
+ the configuration flexibility provided by the <constant>Network security: Configure encryption types allowed for Kerberos</constant>
+ GPO/Local Policies/Security Options Value, which results in the
+ <constant>HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\SupportedEncryptionTypes</constant> Registry Value on Windows.
+ </para>
+ <para>
+ Unlike the Windows registry key (which only takes an base-10 number), in Samba this may also be expressed as hexadecimal or a list of Kerberos encryption type names.
+ </para>
+ <para>
+ Specified values are ORed together bitwise, and those currently supported consist of:
+ </para><itemizedlist>
+ <listitem>
+ <para><constant>arcfour-hmac-md5</constant>, <constant>rc4-hmac</constant>, <constant>0x4</constant>, or <constant>4</constant></para>
+ <para>Known on Windows as Kerberos RC4 encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes128-cts-hmac-sha1-96</constant>, <constant>aes128-cts</constant>, <constant>0x8</constant>, or <constant>8</constant></para>
+ <para>Known on Windows as Kerberos AES 128 bit encryption</para>
+ </listitem>
+ <listitem>
+ <para><constant>aes256-cts-hmac-sha1-96</constant>, <constant>aes256-cts</constant>, <constant>0x10</constant>, or <constant>16</constant></para>
+ <para>Known on Windows as Kerberos AES 256 bit encryption</para>
+ </listitem>
+</itemizedlist>
+
+</description>
+
+<value type="default">0<comment>maps to what the software supports currently: arcfour-hmac-md5 aes128-cts-hmac-sha1-96 aes256-cts-hmac-sha1-96</comment></value>
+</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 8387242c25f5..fc0dc4df83fe 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -1779,6 +1779,75 @@ out:
return ok;
}
+bool handle_kdc_supported_enctypes(struct loadparm_context *lp_ctx,
+ struct loadparm_service *service,
+ const char *pszParmValue, char **ptr)
+{
+ char **enctype_list = NULL;
+ char **enctype = NULL;
+ uint32_t result = 0;
+ bool ok = true;
+
+ enctype_list = str_list_make(NULL, pszParmValue, NULL);
+ if (enctype_list == NULL) {
+ DBG_ERR("OOM: failed to make string list from %s\n",
+ pszParmValue);
+ ok = false;
+ goto out;
+ }
+
+ for (enctype = enctype_list; *enctype != NULL; ++enctype) {
+ if (strwicmp(*enctype, "arcfour-hmac-md5") == 0 ||
+ strwicmp(*enctype, "rc4-hmac") == 0)
+ {
+ result |= KERB_ENCTYPE_RC4_HMAC_MD5;
+ }
+ else if (strwicmp(*enctype, "aes128-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes128-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96;
+ }
+ else if (strwicmp(*enctype, "aes256-cts-hmac-sha1-96") == 0 ||
+ strwicmp(*enctype, "aes256-cts") == 0)
+ {
+ result |= KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96;
+ }
+ else {
+ const char *bitstr = *enctype;
+ int base;
+ int error;
+ unsigned long bit;
+
+ /* See if the bit's specified in hexadecimal. */
+ if (bitstr[0] == '0' &&
+ (bitstr[1] == 'x' || bitstr[2] == 'X'))
+ {
+ base = 16;
+ bitstr += 2;
+ }
+ else {
+ base = 10;
+ }
+
+ bit = smb_strtoul(bitstr, NULL, base, &error, SMB_STR_FULL_STR_CONV);
+ if (error) {
+ DBG_ERR("WARNING: Ignoring invalid value '%s' "
+ "for parameter 'kdc default domain supported enctypes'\n",
+ *enctype);
+ ok = false;
+ } else {
+ result |= bit;
+ }
+ }
+ }
+
+ *(int *)ptr = result;
+out:
+ TALLOC_FREE(enctype_list);
+
+ return ok;
+}
+
static bool set_variable(TALLOC_CTX *mem_ctx, struct loadparm_service *service,
int parmnum, void *parm_ptr,
const char *pszParmName, const char *pszParmValue,
--
2.34.1

51
backport-0052-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,51 @@
From 15caf6240e0336685494ae36405b60408e83ed72 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 09:39:19 +0100
Subject: [PATCH 52/54] CVE-2022-37966 s4:kdc: apply restrictions of "kdc
supported enctypes"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit cca3c024fc514bee79bb60a686e470605cc98d6f)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
source4/kdc/db-glue.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/source4/kdc/db-glue.c b/source4/kdc/db-glue.c
index 4cdbdf9a325b..83d5c903235a 100644
--- a/source4/kdc/db-glue.c
+++ b/source4/kdc/db-glue.c
@@ -1079,7 +1079,11 @@ static krb5_error_code samba_kdc_message2entry(krb5_context context,
* but effectively restricted by kdc_enctypes
*/
uint32_t domain_enctypes = ENC_RC4_HMAC_MD5 | ENC_RSA_MD5 | ENC_CRC32;
- uint32_t kdc_enctypes = ENC_ALL_TYPES;
+ uint32_t config_kdc_enctypes = lpcfg_kdc_supported_enctypes(lp_ctx);
+ uint32_t kdc_enctypes =
+ config_kdc_enctypes != 0 ?
+ config_kdc_enctypes :
+ ENC_ALL_TYPES;
const char *samAccountName = ldb_msg_find_attr_as_string(msg, "samAccountName", NULL);
ZERO_STRUCTP(entry);
@@ -1665,7 +1669,11 @@ static krb5_error_code samba_kdc_trust_message2entry(krb5_context context,
uint32_t supported_enctypes = ENC_RC4_HMAC_MD5;
uint32_t pa_supported_enctypes;
uint32_t supported_session_etypes;
- uint32_t kdc_enctypes = ENC_ALL_TYPES;
+ uint32_t config_kdc_enctypes = lpcfg_kdc_supported_enctypes(lp_ctx);
+ uint32_t kdc_enctypes =
+ config_kdc_enctypes != 0 ?
+ config_kdc_enctypes :
+ ENC_ALL_TYPES;
struct lsa_TrustDomainInfoInfoEx *tdo = NULL;
NTSTATUS status;
--
2.34.1

187
backport-0053-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,187 @@
From bed943062b6287086d2a08668f9936f82cd840ad Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Dec 2022 12:55:45 +0100
Subject: [PATCH 53/54] CVE-2022-37966 samba-tool: add 'domain trust modify'
command
For now it only allows the admin to modify
the msDS-SupportedEncryptionTypes values.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
(cherry picked from commit d1999c152acdf939b4cd7eb446dd9921d3edae29)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
docs-xml/manpages/samba-tool.8.xml | 5 ++
python/samba/netcmd/domain.py | 121 +++++++++++++++++++++++++++++
2 files changed, 126 insertions(+)
diff --git a/docs-xml/manpages/samba-tool.8.xml b/docs-xml/manpages/samba-tool.8.xml
index 9a40bb1bec4e..8e9279cc518d 100644
--- a/docs-xml/manpages/samba-tool.8.xml
+++ b/docs-xml/manpages/samba-tool.8.xml
@@ -676,6 +676,11 @@
<para>Create a domain or forest trust.</para>
</refsect3>
+<refsect3>
+ <title>domain trust modify <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
+ <para>Modify a domain or forest trust.</para>
+</refsect3>
+
<refsect3>
<title>domain trust delete <replaceable>DOMAIN</replaceable> <replaceable>options</replaceable> [options]</title>
<para>Delete a domain trust.</para>
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index e2eeabd6d1a1..9e34d9ea8f8d 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -2033,6 +2033,7 @@ class DomainTrustCommand(Command):
security.KERB_ENCTYPE_RC4_HMAC_MD5: "RC4_HMAC_MD5",
security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96: "AES128_CTS_HMAC_SHA1_96",
security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96: "AES256_CTS_HMAC_SHA1_96",
+ security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK: "AES256_CTS_HMAC_SHA1_96-SK",
security.KERB_ENCTYPE_FAST_SUPPORTED: "FAST_SUPPORTED",
security.KERB_ENCTYPE_COMPOUND_IDENTITY_SUPPORTED: "COMPOUND_IDENTITY_SUPPORTED",
security.KERB_ENCTYPE_CLAIMS_SUPPORTED: "CLAIMS_SUPPORTED",
@@ -2254,6 +2255,125 @@ class cmd_domain_trust_show(DomainTrustCommand):
return
+class cmd_domain_trust_modify(DomainTrustCommand):
+ """Show trusted domain details."""
+
+ synopsis = "%prog NAME [options]"
+
+ takes_optiongroups = {
+ "sambaopts": options.SambaOptions,
+ "versionopts": options.VersionOptions,
+ "localdcopts": LocalDCCredentialsOptions,
+ }
+
+ takes_options = [
+ Option("--use-aes-keys", action="store_true",
+ help="The trust uses AES kerberos keys.",
+ dest='use_aes_keys',
+ default=None),
+ Option("--no-aes-keys", action="store_true",
+ help="The trust does not have any support for AES kerberos keys.",
+ dest='disable_aes_keys',
+ default=None),
+ Option("--raw-kerb-enctypes", action="store",
+ help="The raw kerberos enctype bits",
+ dest='kerb_enctypes',
+ default=None),
+ ]
+
+ takes_args = ["domain"]
+
+ def run(self, domain, sambaopts=None, versionopts=None, localdcopts=None,
+ disable_aes_keys=None, use_aes_keys=None, kerb_enctypes=None):
+
+ num_modifications = 0
+
+ enctype_args = 0
+ if kerb_enctypes is not None:
+ enctype_args += 1
+ if use_aes_keys is not None:
+ enctype_args += 1
+ if disable_aes_keys is not None:
+ enctype_args += 1
+ if enctype_args > 1:
+ raise CommandError("--no-aes-keys, --use-aes-keys and --raw-kerb-enctypes are mutually exclusive")
+ if enctype_args == 1:
+ num_modifications += 1
+
+ if num_modifications == 0:
+ raise CommandError("modification arguments are required, try --help")
+
+ local_server = self.setup_local_server(sambaopts, localdcopts)
+ try:
+ local_lsa = self.new_local_lsa_connection()
+ except RuntimeError as error:
+ raise self.LocalRuntimeError(self, error, "failed to connect to lsa server")
+
+ try:
+ local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
+ local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN
+ (local_policy, local_lsa_info) = self.get_lsa_info(local_lsa, local_policy_access)
+ except RuntimeError as error:
+ raise self.LocalRuntimeError(self, error, "failed to query LSA_POLICY_INFO_DNS")
+
+ self.outf.write("LocalDomain Netbios[%s] DNS[%s] SID[%s]\n" % (
+ local_lsa_info.name.string,
+ local_lsa_info.dns_domain.string,
+ local_lsa_info.sid))
+
+ if enctype_args == 1:
+ lsaString = lsa.String()
+ lsaString.string = domain
+
+ try:
+ local_tdo_enctypes = \
+ local_lsa.QueryTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES)
+ except NTSTATUSError as error:
+ if self.check_runtime_error(error, ntstatus.NT_STATUS_INVALID_PARAMETER):
+ error = None
+ if self.check_runtime_error(error, ntstatus.NT_STATUS_INVALID_INFO_CLASS):
+ error = None
+
+ if error is not None:
+ raise self.LocalRuntimeError(self, error,
+ "QueryTrustedDomainInfoByName(SUPPORTED_ENCRYPTION_TYPES) failed")
+
+ local_tdo_enctypes = lsa.TrustDomainInfoSupportedEncTypes()
+ local_tdo_enctypes.enc_types = 0
+
+ self.outf.write("Old kerb_EncTypes: %s\n" % self.kerb_EncTypes_string(local_tdo_enctypes.enc_types))
+
+ enc_types = lsa.TrustDomainInfoSupportedEncTypes()
+ if kerb_enctypes is not None:
+ enc_types.enc_types = int(kerb_enctypes, base=0)
+ elif use_aes_keys is not None:
+ enc_types.enc_types = security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
+ enc_types.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ elif disable_aes_keys is not None:
+ # CVE-2022-37966: Trust objects are no longer assumed to support
+ # RC4, so we must indicate support explicitly.
+ enc_types.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
+ else:
+ raise CommandError("Internal error should be checked above")
+
+ if enc_types.enc_types != local_tdo_enctypes.enc_types:
+ try:
+ local_tdo_enctypes = \
+ local_lsa.SetTrustedDomainInfoByName(local_policy,
+ lsaString,
+ lsa.LSA_TRUSTED_DOMAIN_SUPPORTED_ENCRYPTION_TYPES,
+ enc_types)
+ self.outf.write("New kerb_EncTypes: %s\n" % self.kerb_EncTypes_string(enc_types.enc_types))
+ except NTSTATUSError as error:
+ if error is not None:
+ raise self.LocalRuntimeError(self, error,
+ "SetTrustedDomainInfoByName(SUPPORTED_ENCRYPTION_TYPES) failed")
+ else:
+ self.outf.write("No kerb_EncTypes update needed\n")
+
+ return
class cmd_domain_trust_create(DomainTrustCommand):
"""Create a domain or forest trust."""
@@ -3936,6 +4056,7 @@ class cmd_domain_trust(SuperCommand):
subcommands["list"] = cmd_domain_trust_list()
subcommands["show"] = cmd_domain_trust_show()
subcommands["create"] = cmd_domain_trust_create()
+ subcommands["modify"] = cmd_domain_trust_modify()
subcommands["delete"] = cmd_domain_trust_delete()
subcommands["validate"] = cmd_domain_trust_validate()
subcommands["namespaces"] = cmd_domain_trust_namespaces()
--
2.34.1

541
backport-0054-CVE-2022-37966.patch Normal file
View File

@ -0,0 +1,541 @@
From 6b3e132bfaf9a606fe6267b79163099c02146473 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 29 Nov 2022 14:14:32 +0100
Subject: [PATCH 54/54] CVE-2022-37966 python:/tests/krb5: call
sys.path.insert(0, "bin/python") before any other imports
This allows the tests to be executed without an explicit
PYTHONPATH="bin/python".
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Autobuild-User(master): Stefan Metzmacher <metze@samba.org>
Autobuild-Date(master): Tue Dec 13 14:06:14 UTC 2022 on sn-devel-184
(similar to commit 987cba90573f955fe9c781830daec85ad4d5bf92)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
python/samba/tests/krb5/alias_tests.py | 6 +++---
python/samba/tests/krb5/as_canonicalization_tests.py | 5 +++--
python/samba/tests/krb5/etype_tests.py | 8 +++++---
python/samba/tests/krb5/fast_tests.py | 11 ++++++-----
python/samba/tests/krb5/kdc_base_test.py | 7 ++++---
python/samba/tests/krb5/kpasswd_tests.py | 8 ++++----
python/samba/tests/krb5/lockout_tests.py | 11 ++++++-----
python/samba/tests/krb5/nt_hash_tests.py | 8 ++++----
python/samba/tests/krb5/pac_align_tests.py | 6 +++---
python/samba/tests/krb5/protected_users_tests.py | 8 ++++----
python/samba/tests/krb5/rodc_tests.py | 4 ++--
python/samba/tests/krb5/s4u_tests.py | 3 ++-
python/samba/tests/krb5/salt_tests.py | 6 +++---
python/samba/tests/krb5/spn_tests.py | 8 ++++----
python/samba/tests/krb5/test_ccache.py | 6 +++---
python/samba/tests/krb5/test_idmap_nss.py | 6 +++---
python/samba/tests/krb5/test_ldap.py | 6 +++---
python/samba/tests/krb5/test_min_domain_uid.py | 7 ++++---
python/samba/tests/krb5/test_rpc.py | 6 +++---
python/samba/tests/krb5/test_smb.py | 6 +++---
20 files changed, 72 insertions(+), 64 deletions(-)
diff --git a/python/samba/tests/krb5/alias_tests.py b/python/samba/tests/krb5/alias_tests.py
index 1f63775c189c..3ddfe4ecc753 100755
--- a/python/samba/tests/krb5/alias_tests.py
+++ b/python/samba/tests/krb5/alias_tests.py
@@ -20,6 +20,9 @@
import sys
import os
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
import ldb
from samba.tests import delete_force
@@ -32,9 +35,6 @@ from samba.tests.krb5.rfc4120_constants import (
NT_PRINCIPAL,
)
-sys.path.insert(0, 'bin/python')
-os.environ['PYTHONUNBUFFERED'] = '1'
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/as_canonicalization_tests.py b/python/samba/tests/krb5/as_canonicalization_tests.py
index 700a03622e1d..22ea14d35752 100755
--- a/python/samba/tests/krb5/as_canonicalization_tests.py
+++ b/python/samba/tests/krb5/as_canonicalization_tests.py
@@ -19,12 +19,13 @@
import sys
import os
-from enum import Enum, unique
-import pyasn1
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
+from enum import Enum, unique
+import pyasn1
+
from samba.tests.krb5.kdc_base_test import KDCBaseTest
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
from samba.credentials import DONT_USE_KERBEROS
diff --git a/python/samba/tests/krb5/etype_tests.py b/python/samba/tests/krb5/etype_tests.py
index 9725d544c2ac..46ccc70f07df 100755
--- a/python/samba/tests/krb5/etype_tests.py
+++ b/python/samba/tests/krb5/etype_tests.py
@@ -17,10 +17,14 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import itertools
import sys
import os
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+import itertools
+
from samba.dcerpc import security
from samba.tests import DynamicTestCase
@@ -34,8 +38,6 @@ from samba.tests.krb5.rfc4120_constants import (
)
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/fast_tests.py b/python/samba/tests/krb5/fast_tests.py
index 7e69d6c83df5..52c0aa1d84af 100755
--- a/python/samba/tests/krb5/fast_tests.py
+++ b/python/samba/tests/krb5/fast_tests.py
@@ -17,9 +17,13 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import functools
-import os
import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
+import functools
import collections
import ldb
@@ -58,9 +62,6 @@ from samba.tests.krb5.rfc4120_constants import (
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
import samba.tests.krb5.kcrypto as kcrypto
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/kdc_base_test.py b/python/samba/tests/krb5/kdc_base_test.py
index 46271a90bcf4..127de665fd57 100644
--- a/python/samba/tests/krb5/kdc_base_test.py
+++ b/python/samba/tests/krb5/kdc_base_test.py
@@ -18,6 +18,10 @@
import sys
import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
from datetime import datetime, timezone
import tempfile
import binascii
@@ -95,9 +99,6 @@ from samba.tests.krb5.rfc4120_constants import (
PADATA_ETYPE_INFO2,
)
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/kpasswd_tests.py b/python/samba/tests/krb5/kpasswd_tests.py
index 0db857f7bbd1..014bd10aebd0 100755
--- a/python/samba/tests/krb5/kpasswd_tests.py
+++ b/python/samba/tests/krb5/kpasswd_tests.py
@@ -17,8 +17,11 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import os
import sys
+import os
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
from functools import partial
@@ -41,9 +44,6 @@ from samba.tests.krb5.rfc4120_constants import (
NT_SRV_INST,
)
-sys.path.insert(0, 'bin/python')
-os.environ['PYTHONUNBUFFERED'] = '1'
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/lockout_tests.py b/python/samba/tests/krb5/lockout_tests.py
index e49e82a4bd5f..1e3330b0a42b 100755
--- a/python/samba/tests/krb5/lockout_tests.py
+++ b/python/samba/tests/krb5/lockout_tests.py
@@ -17,12 +17,16 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
+import sys
+import os
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
from concurrent import futures
from enum import Enum
from functools import partial
from multiprocessing import Pipe
-import os
-import sys
import time
from cryptography.hazmat.backends import default_backend
@@ -66,9 +70,6 @@ from samba.tests.krb5.rfc4120_constants import (
NT_SRV_INST,
)
-sys.path.insert(0, 'bin/python')
-os.environ['PYTHONUNBUFFERED'] = '1'
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/nt_hash_tests.py b/python/samba/tests/krb5/nt_hash_tests.py
index e64a874b0800..f2cd14887f85 100755
--- a/python/samba/tests/krb5/nt_hash_tests.py
+++ b/python/samba/tests/krb5/nt_hash_tests.py
@@ -16,8 +16,11 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import os
import sys
+import os
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
import ldb
@@ -26,9 +29,6 @@ from samba.dcerpc import drsuapi, misc
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-sys.path.insert(0, 'bin/python')
-os.environ['PYTHONUNBUFFERED'] = '1'
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/pac_align_tests.py b/python/samba/tests/krb5/pac_align_tests.py
index ff8b608dde14..ae6359648e92 100755
--- a/python/samba/tests/krb5/pac_align_tests.py
+++ b/python/samba/tests/krb5/pac_align_tests.py
@@ -19,14 +19,14 @@
import sys
import os
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
from samba.dcerpc import krb5pac
from samba.ndr import ndr_unpack
from samba.tests import DynamicTestCase
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-sys.path.insert(0, 'bin/python')
-os.environ['PYTHONUNBUFFERED'] = '1'
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/protected_users_tests.py b/python/samba/tests/krb5/protected_users_tests.py
index 02d7356bb7dc..1c899a15a5ff 100755
--- a/python/samba/tests/krb5/protected_users_tests.py
+++ b/python/samba/tests/krb5/protected_users_tests.py
@@ -16,8 +16,11 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import os
import sys
+import os
+
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
from functools import partial
@@ -47,9 +50,6 @@ from samba.tests.krb5.rfc4120_constants import (
)
import samba.tests.krb5.rfc4120_pyasn1 as krb5_asn1
-sys.path.insert(0, 'bin/python')
-os.environ['PYTHONUNBUFFERED'] = '1'
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/rodc_tests.py b/python/samba/tests/krb5/rodc_tests.py
index 3e0e2a7712e6..71ef603f49a6 100755
--- a/python/samba/tests/krb5/rodc_tests.py
+++ b/python/samba/tests/krb5/rodc_tests.py
@@ -19,11 +19,11 @@
import sys
import os
-from samba.tests.krb5.kdc_base_test import KDCBaseTest
-
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
+from samba.tests.krb5.kdc_base_test import KDCBaseTest
+
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/s4u_tests.py b/python/samba/tests/krb5/s4u_tests.py
index 97d07682ffe3..5b7aee8020d5 100755
--- a/python/samba/tests/krb5/s4u_tests.py
+++ b/python/samba/tests/krb5/s4u_tests.py
@@ -18,11 +18,12 @@
import sys
import os
-import functools
sys.path.insert(0, "bin/python")
os.environ["PYTHONUNBUFFERED"] = "1"
+import functools
+
from samba import dsdb, ntstatus
from samba.dcerpc import krb5pac, lsa, security
diff --git a/python/samba/tests/krb5/salt_tests.py b/python/samba/tests/krb5/salt_tests.py
index db777f8b7bc0..b9e82f984b3a 100755
--- a/python/samba/tests/krb5/salt_tests.py
+++ b/python/samba/tests/krb5/salt_tests.py
@@ -19,14 +19,14 @@
import sys
import os
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
import ldb
from samba.tests.krb5.as_req_tests import AsReqBaseTest
import samba.tests.krb5.kcrypto as kcrypto
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/spn_tests.py b/python/samba/tests/krb5/spn_tests.py
index 62d2ea081bca..f4f20bea4f2f 100755
--- a/python/samba/tests/krb5/spn_tests.py
+++ b/python/samba/tests/krb5/spn_tests.py
@@ -17,8 +17,11 @@
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
-import os
import sys
+import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
from samba.tests import DynamicTestCase
@@ -33,9 +36,6 @@ from samba.tests.krb5.rfc4120_constants import (
NT_PRINCIPAL,
)
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/test_ccache.py b/python/samba/tests/krb5/test_ccache.py
index 75038ea5cc15..6413bfa21150 100755
--- a/python/samba/tests/krb5/test_ccache.py
+++ b/python/samba/tests/krb5/test_ccache.py
@@ -20,6 +20,9 @@
import sys
import os
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
import ldb
from ldb import SCOPE_SUBTREE
@@ -31,9 +34,6 @@ from samba.ntstatus import NT_STATUS_NO_IMPERSONATION_TOKEN
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/test_idmap_nss.py b/python/samba/tests/krb5/test_idmap_nss.py
index d3480dbca3f7..1ee020122b95 100755
--- a/python/samba/tests/krb5/test_idmap_nss.py
+++ b/python/samba/tests/krb5/test_idmap_nss.py
@@ -20,6 +20,9 @@
import sys
import os
+sys.path.insert(0, 'bin/python')
+os.environ['PYTHONUNBUFFERED'] = '1'
+
from ldb import SCOPE_SUBTREE
from samba import NTSTATUSError
from samba.credentials import DONT_USE_KERBEROS
@@ -34,9 +37,6 @@ from samba.samba3 import param as s3param
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-sys.path.insert(0, 'bin/python')
-os.environ['PYTHONUNBUFFERED'] = '1'
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/test_ldap.py b/python/samba/tests/krb5/test_ldap.py
index c1375730e6fb..eaf79e7fa01d 100755
--- a/python/samba/tests/krb5/test_ldap.py
+++ b/python/samba/tests/krb5/test_ldap.py
@@ -20,6 +20,9 @@
import sys
import os
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
import ldb
from ldb import LdbError, ERR_OPERATIONS_ERROR, SCOPE_BASE, SCOPE_SUBTREE
@@ -30,9 +33,6 @@ from samba import credentials
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/test_min_domain_uid.py b/python/samba/tests/krb5/test_min_domain_uid.py
index 77414b239f08..7c7942c6cbee 100755
--- a/python/samba/tests/krb5/test_min_domain_uid.py
+++ b/python/samba/tests/krb5/test_min_domain_uid.py
@@ -18,6 +18,10 @@
import sys
import os
+
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
import pwd
import ctypes
@@ -29,9 +33,6 @@ from samba import NTSTATUSError, ntstatus
from samba.tests.krb5.kdc_base_test import KDCBaseTest
from samba.credentials import MUST_USE_KERBEROS, DONT_USE_KERBEROS
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
class SmbMinDomainUid(KDCBaseTest):
"""Test for SMB authorization without NSS winbind. In such setup domain
accounts are mapped to local accounts using the 'username map' option.
diff --git a/python/samba/tests/krb5/test_rpc.py b/python/samba/tests/krb5/test_rpc.py
index 5a3c7339ceaa..6faf2a060632 100755
--- a/python/samba/tests/krb5/test_rpc.py
+++ b/python/samba/tests/krb5/test_rpc.py
@@ -20,6 +20,9 @@
import sys
import os
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
import ldb
from samba import NTSTATUSError, credentials
@@ -31,9 +34,6 @@ from samba.ntstatus import (
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
diff --git a/python/samba/tests/krb5/test_smb.py b/python/samba/tests/krb5/test_smb.py
index 47e9e48c971d..f0a82a432291 100755
--- a/python/samba/tests/krb5/test_smb.py
+++ b/python/samba/tests/krb5/test_smb.py
@@ -20,6 +20,9 @@
import sys
import os
+sys.path.insert(0, "bin/python")
+os.environ["PYTHONUNBUFFERED"] = "1"
+
import ldb
from ldb import SCOPE_SUBTREE
@@ -32,9 +35,6 @@ from samba.samba3 import param as s3param
from samba.tests.krb5.kdc_base_test import KDCBaseTest
-sys.path.insert(0, "bin/python")
-os.environ["PYTHONUNBUFFERED"] = "1"
-
global_asn1_print = False
global_hexdump = False
--
2.34.1

94
samba.spec
View File

@ -48,7 +48,7 @@
Name: samba
Version: 4.17.2
Release: 4
Release: 5
Summary: A suite for Linux to interoperate with Windows
License: GPLv3+ and LGPLv3+
@ -68,6 +68,90 @@ Source201: README.downgrade
Patch0001: backport-CVE-2022-42898-third_party-heimdal-PAC-parse-integer.patch
Patch0002: backport-CVE-2022-44640.patch
Patch0003: backport-0001-CVE-2022-38023.patch
Patch0004: backport-0002-CVE-2022-38023.patch
Patch0005: backport-0003-CVE-2022-38023.patch
Patch0006: backport-0004-CVE-2022-38023.patch
Patch0007: backport-0005-CVE-2022-38023.patch
Patch0008: backport-0006-CVE-2022-38023.patch
Patch0009: backport-0007-CVE-2022-38023.patch
Patch0010: backport-0008-CVE-2022-38023.patch
Patch0011: backport-0009-CVE-2022-38023.patch
Patch0012: backport-0010-CVE-2022-38023.patch
Patch0013: backport-0011-CVE-2022-38023.patch
Patch0014: backport-0012-CVE-2022-38023.patch
Patch0015: backport-0013-CVE-2022-38023.patch
Patch0016: backport-0014-CVE-2022-38023.patch
Patch0017: backport-0015-CVE-2022-38023.patch
Patch0018: backport-0016-CVE-2022-38023.patch
Patch0019: backport-0017-CVE-2022-38023.patch
Patch0020: backport-0018-CVE-2022-38023.patch
Patch0021: backport-0019-CVE-2022-38023.patch
Patch0022: backport-0020-CVE-2022-38023.patch
Patch0023: backport-0021-CVE-2022-38023.patch
Patch0024: backport-0022-CVE-2022-38023.patch
Patch0025: backport-0023-CVE-2022-38023.patch
Patch0026: backport-0024-CVE-2022-38023.patch
Patch0027: backport-0025-CVE-2022-38023.patch
Patch0028: backport-0026-CVE-2022-38023.patch
Patch0029: backport-0027-CVE-2022-38023.patch
Patch0030: backport-0028-CVE-2022-38023.patch
Patch0031: backport-0029-CVE-2022-38023.patch
Patch0032: backport-0030-CVE-2022-38023.patch
Patch0033: backport-0001-CVE-2022-37966.patch
Patch0034: backport-0002-CVE-2022-37966.patch
Patch0035: backport-0003-CVE-2022-37966.patch
Patch0036: backport-0004-CVE-2022-37966.patch
Patch0037: backport-0005-CVE-2022-37966.patch
Patch0038: backport-0006-CVE-2022-37966.patch
Patch0039: backport-0007-CVE-2022-37966.patch
Patch0040: backport-0008-CVE-2022-37966.patch
Patch0041: backport-0009-CVE-2022-37966.patch
Patch0042: backport-0010-CVE-2022-37966.patch
Patch0043: backport-0011-CVE-2022-37966.patch
Patch0044: backport-0012-CVE-2022-37966.patch
Patch0045: backport-0013-CVE-2022-37966.patch
Patch0046: backport-0014-CVE-2022-37966.patch
Patch0047: backport-0015-CVE-2022-37966.patch
Patch0048: backport-0016-CVE-2022-37966.patch
Patch0049: backport-0017-CVE-2022-37966.patch
Patch0050: backport-0018-CVE-2022-37966.patch
Patch0051: backport-0019-CVE-2022-37966.patch
Patch0052: backport-0020-CVE-2022-37966.patch
Patch0053: backport-0021-CVE-2022-37966.patch
Patch0054: backport-0022-CVE-2022-37966.patch
Patch0055: backport-0023-CVE-2022-37966.patch
Patch0056: backport-0024-CVE-2022-37966.patch
Patch0057: backport-0025-CVE-2022-37966.patch
Patch0058: backport-0026-CVE-2022-37966.patch
Patch0059: backport-0027-CVE-2022-37966.patch
Patch0060: backport-0028-CVE-2022-37966.patch
Patch0061: backport-0029-CVE-2022-37966.patch
Patch0062: backport-0030-CVE-2022-37966.patch
Patch0063: backport-0031-CVE-2022-37966.patch
Patch0064: backport-0032-CVE-2022-37966.patch
Patch0065: backport-0033-CVE-2022-37966.patch
Patch0066: backport-0034-CVE-2022-37966.patch
Patch0067: backport-0035-CVE-2022-37966.patch
Patch0068: backport-0036-CVE-2022-37966.patch
Patch0069: backport-0037-CVE-2022-37966.patch
Patch0070: backport-0038-CVE-2022-37966.patch
Patch0071: backport-0039-CVE-2022-37966.patch
Patch0072: backport-0040-CVE-2022-37966.patch
Patch0073: backport-0041-CVE-2022-37966.patch
Patch0074: backport-0042-CVE-2022-37966.patch
Patch0075: backport-0043-CVE-2022-37966.patch
Patch0076: backport-0044-CVE-2022-37966.patch
Patch0077: backport-0045-CVE-2022-37966.patch
Patch0078: backport-0046-CVE-2022-37966.patch
Patch0079: backport-0047-CVE-2022-37966.patch
Patch0080: backport-0048-CVE-2022-37966.patch
Patch0081: backport-0049-CVE-2022-37966.patch
Patch0082: backport-0050-CVE-2022-37966.patch
Patch0083: backport-0051-CVE-2022-37966.patch
Patch0084: backport-0052-CVE-2022-37966.patch
Patch0085: backport-0053-CVE-2022-37966.patch
Patch0086: backport-0054-CVE-2022-37966.patch
BuildRequires: avahi-devel bison dbus-devel docbook-style-xsl e2fsprogs-devel flex gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
BuildRequires: jansson-devel krb5-devel >= %{required_mit_krb5} libacl-devel libaio-devel libarchive-devel libattr-devel
@ -2327,6 +2411,7 @@ fi
%{python3_sitearch}/samba/tests/krb5/__pycache__/as_canonicalization_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/as_req_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/compatability_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/etype_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/fast_tests.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kcrypto.*.pyc
%{python3_sitearch}/samba/tests/krb5/__pycache__/kdc_base_test.*.pyc
@ -2357,6 +2442,7 @@ fi
%{python3_sitearch}/samba/tests/krb5/as_canonicalization_tests.py
%{python3_sitearch}/samba/tests/krb5/as_req_tests.py
%{python3_sitearch}/samba/tests/krb5/compatability_tests.py
%{python3_sitearch}/samba/tests/krb5/etype_tests.py
%{python3_sitearch}/samba/tests/krb5/fast_tests.py
%{python3_sitearch}/samba/tests/krb5/kcrypto.py
%{python3_sitearch}/samba/tests/krb5/kdc_base_test.py
@ -3479,6 +3565,12 @@ fi
%endif
%changelog
* Thu Dec 29 2022 xinghe <xinghe2@h-partners.com> - 4.17.2-5
- Type:cves
- ID:CVE-2022-38023 CVE-2022-37966 CVE-2022-37967
- SUG:NA
- DESC:fix CVE-2022-38023 CVE-2022-37966 CVE-2022-37967
* Sat Dec 17 2022 xinghe <xinghe2@h-partners.com> - 4.17.2-4
- Type:cves
- ID:CVE-2022-44640