From a87adec3f25bdbdcec2955ab32f55605d3e472d2 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Wed, 30 Nov 2022 14:57:20 +0100
Subject: [PATCH 23/30] CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4
crypto = yes' and 'reject md5 clients = no'
Instead of using the generic deprecated option use the specific
allow nt4 crypto:COMPUTERACCOUNT = yes and
server reject md5 schannel:COMPUTERACCOUNT = no
in order to allow the legacy tests to pass.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 7ae3735810c2db32fa50f309f8af3c76ffa29768)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++-----
1 file changed, 53 insertions(+), 7 deletions(-)
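diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index d0e5a53d9fb3..3328cf617225 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1609,7 +1609,6 @@ sub provision_ad_dc_ntvfs($$$)
 my $extra_conf_options = "netbios aliases = localDC1-a
 server services = +winbind -winbindd
 ldap server require strong auth = allow_sasl_over_tls
- allow nt4 crypto = yes
 raw NTLMv2 auth = yes
 lsa over netlogon = yes
 rpc server port = 1027
@@ -1621,9 +1620,19 @@ sub provision_ad_dc_ntvfs($$$)
 client min protocol = CORE
 server min protocol = LANMAN1
 
- reject md5 clients = no
-
 CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ allow nt4 crypto:torturetest\$ = yes
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
 server require schannel:schannel0\$ = no
 server require schannel:schannel1\$ = no
 server require schannel:schannel2\$ = no
@@ -1678,6 +1687,13 @@ sub provision_fl2000dc($$)
 kdc enable fast = no
 spnego:simulate_w2k=yes
 ntlmssp_server:force_old_spnego=yes
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
 ";
 my $extra_provision_options = ["--base-schema=2008_R2"];
 # This environment uses plain text secrets
@@ -1718,11 +1734,23 @@ sub provision_fl2003dc($$$)
 my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2");
 
 print "PROVISIONING DC WITH FOREST LEVEL 2003...\n";
- my $extra_conf_options = "allow dns updates = nonsecure and secure
+ my $extra_conf_options = "
+ allow dns updates = nonsecure and secure
+
 kdc enable fast = no
 dcesrv:header signing = no
 dcesrv:max auth states = 0
- dns forwarder = $ip_addr1 [$ip_addr2]:54";
+
+ dns forwarder = $ip_addr1 [$ip_addr2]:54
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+";
+
 my $extra_provision_options = ["--base-schema=2008_R2"];
 my $ret = $self->provision($prefix,
 "domain controller",
@@ -1777,6 +1805,13 @@ sub provision_fl2008r2dc($$$)
 ldap server require strong auth = no
 # delay by 10 seconds, 10^7 usecs
 ldap_server:delay_expire_disconnect = 10000
+
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
 ";
 my $extra_provision_options = ["--base-schema=2008_R2"];
 my $ret = $self->provision($prefix,
@@ -1988,9 +2023,20 @@ sub provision_ad_dc($$$$$$$)
 lpq cache time = 0
 print notify backchannel = yes
 
- reject md5 clients = no
-
 CVE_2020_1472:warn_about_unused_debug_level = 3
+ CVE_2022_38023:warn_about_unused_debug_level = 3
+ CVE_2022_38023:error_debug_level = 2
+ server reject md5 schannel:schannel2\$ = no
+ server reject md5 schannel:schannel3\$ = no
+ server reject md5 schannel:schannel8\$ = no
+ server reject md5 schannel:schannel9\$ = no
+ server reject md5 schannel:torturetest\$ = no
+ server reject md5 schannel:tests4u2proxywk\$ = no
+ server reject md5 schannel:tests4u2selfbdc\$ = no
+ server reject md5 schannel:tests4u2selfwk\$ = no
+ server reject md5 schannel:torturepacbdc\$ = no
+ server reject md5 schannel:torturepacwksta\$ = no
+ server reject md5 schannel:samlogontest\$ = no
 server require schannel:schannel0\$ = no
 server require schannel:schannel1\$ = no
 server require schannel:schannel2\$ = no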
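Review bot: The `CVE_2022_38023:warn_about_unused_debug_level = 3` line and the five `server reject md5 schannel:<account>\$ = no` overrides for tests4u2proxywk, tests4u2selfbdc, tests4u2selfwk, torturepacbdc and torturepacwksta are pasted verbatim into provision_fl2000dc, provision_fl2003dc and provision_fl2008r2dc, and repeated again inside the longer lists in provision_ad_dc_ntvfs and provision_ad_dc, so each of these per-account relaxations of the CVE-2022-38023 hardening has to be maintained in five places and a DC that silently misses one entry would presumably reject that test account's MD5 schannel (the option name suggests this; I have not traced the server side). Hoisting the shared block into one file-scoped string declared above these subs and interpolating it into each `$extra_conf_options` keeps the account lists in step and makes the set of accounts that are allowed weaker schannel easy to audit; a sketch follows. Only provision_ad_dc additionally sets `CVE_2022_38023:error_debug_level = 2`; if that asymmetry is intended, a one-line comment above it stating why this environment alone needs it would stop the next reader from "harmonising" it. Each of the five provisioning subs begins and ends outside its hunk, so the `$extra_conf_options` strings are only partly visible here.
```perl
# Per-account overrides that let the legacy MD5-schannel selftests still pass
# against a DC that otherwise rejects them (CVE-2022-38023). Declared once so
# every provisioning sub below gets exactly the same account list.
my $cve_2022_38023_legacy_conf = "
	CVE_2022_38023:warn_about_unused_debug_level = 3
	server reject md5 schannel:tests4u2proxywk\$ = no
	server reject md5 schannel:tests4u2selfbdc\$ = no
	server reject md5 schannel:tests4u2selfwk\$ = no
	server reject md5 schannel:torturepacbdc\$ = no
	server reject md5 schannel:torturepacwksta\$ = no
";
# … unchanged: provision_fl2000dc up to the end of its option string …
	ntlmssp_server:force_old_spnego=yes
$cve_2022_38023_legacy_conf
";
# … unchanged: same substitution in provision_fl2003dc and provision_fl2008r2dc …
```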
--
2.34.1