From 548325d1e837123e7e356de6849daf62f12cabfd Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Fri, 25 Nov 2022 10:10:33 +0100 Subject: [PATCH 16/30] CVE-2022-38023 s4:rpc_server/netlogon: require aes if weak crypto is disabled BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme (cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51) Conflict: NA Reference: https://attachments.samba.org/attachment.cgi?id=17692 --- source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +++++++++ source4/torture/rpc/netlogon_crypto.c | 2 +- 2 files changed, 10 insertions(+), 1 deletion(-) diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c index 82e3df055e7f..51e8dd42cdce 100644 --- a/source4/rpc_server/netlogon/dcerpc_netlogon.c +++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c @@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade( bool reject_des_client = !allow_nt4_crypto; bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx); + /* + * If weak cryto is disabled, do not announce that we support RC4. + */ + if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) { + /* Without RC4 and DES we require AES */ + reject_des_client = true; + reject_md5_client = true; + } + if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) { reject_des_client = false; } diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c index 05beb2b77b3b..85844604ee27 100644 --- a/source4/torture/rpc/netlogon_crypto.c +++ b/source4/torture/rpc/netlogon_crypto.c @@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p, force_client_rc4) { torture_assert_ntstatus_equal(tctx, a.out.result, - NT_STATUS_ACCESS_DENIED, + NT_STATUS_DOWNGRADE_DETECTED, "Unexpected status code"); return false; } -- 2.34.1