From b58a0f0b1f7cd327f666e03dbcce0fc19b18cd06 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Mon, 5 Dec 2022 21:45:08 +0100
Subject: [PATCH 07/54] CVE-2022-37966 libcli/auth: let
netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17695
---
libcli/auth/netlogon_creds_cli.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 52df5ab12a63..fb53ee5a1df8 100644
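--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -269,10 +269,12 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
 int global_client_schannel = lpcfg_client_schannel(lp_ctx);
 bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+ int global_kerberos_enctypes = lpcfg_kerberos_encryption_types(lp_ctx);
 static bool warned_global_reject_md5_servers = false;
 static bool warned_global_require_strong_key = false;
 static bool warned_global_client_schannel = false;
 static bool warned_global_seal_secure_channel = false;
+ static bool warned_global_kerberos_encryption_types = false;
 static int warned_global_pid = 0;
 int current_pid = tevent_cached_getpid();
 
@@ -281,6 +283,7 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 warned_global_require_strong_key = false;
 warned_global_client_schannel = false;
 warned_global_seal_secure_channel = false;
+ warned_global_kerberos_encryption_types = false;
 warned_global_pid = current_pid;
 }
 
@@ -323,6 +326,18 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
 warned_global_seal_secure_channel = true;
 }
+
+ if (global_kerberos_enctypes == KERBEROS_ETYPES_LEGACY &&
+ !warned_global_kerberos_encryption_types)
+ {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2022-37966: "
+ "Please void 'kerberos encryption types = legacy', "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15237\n");
+ warned_global_kerberos_encryption_types = true;
+ }
 }
 
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,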
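Review bot: The DBG_ERR text added in the last hunk says "Please void 'kerberos encryption types = legacy'", which looks like a typo for "avoid". This is the one log line meant to make admins notice the CVE-2022-37966 misconfiguration, and as written it is ambiguous and will not match a log search for "avoid". I would change that line to `"Please avoid 'kerberos encryption types = legacy', "`. A short comment on the new static flag would also help, for example `/* warn once per process; reset together with the other warned_* flags */`. The reset in the second hunk sits in a block whose condition is outside the visible lines, so confirm it is the pid-change check before writing that comment.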
--
2.34.1