From 3157a6b132873fe1a641f7382e0dffae81445af0 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Tue, 6 Dec 2022 10:56:29 +0100
Subject: [PATCH 08/30] CVE-2022-38023 s4:rpc_server/netlogon: 'server schannel
!= yes' warning to dcesrv_interface_netlogon_bind
This will simplify the following changes.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit e060ea5b3edbe3cba492062c9605f88fae212ee0)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 26 +++++++++++--------
1 file changed, 15 insertions(+), 11 deletions(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 12ad78036d00..834e691bf90e 100644
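--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -63,6 +63,21 @@
 static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context *context,
 const struct dcesrv_interface *iface)
 {
+ struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
+ int schannel = lpcfg_server_schannel(lp_ctx);
+ bool schannel_global_required = (schannel == true);
+ static bool warned_global_schannel_once = false;
+
+ if (!schannel_global_required && !warned_global_schannel_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ D_ERR("CVE-2020-1472(ZeroLogon): "
+ "Please configure 'server schannel = yes' (the default), "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
+ warned_global_schannel_once = true;
+ }
+
 return dcesrv_interface_bind_reject_connect(context, iface);
 }
 
@@ -630,7 +645,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
 uint16_t opnum = dce_call->pkt.u.request.opnum;
 const char *opname = "<unknown>";
- static bool warned_global_once = false;
 
 if (opnum < ndr_table_netlogon.num_calls) {
 opname = ndr_table_netlogon.calls[opnum].name;
@@ -682,16 +696,6 @@ static NTSTATUS dcesrv_netr_creds_server_step_check(struct dcesrv_call_state *dc
 return NT_STATUS_ACCESS_DENIED;
 }
 
- if (!schannel_global_required && !warned_global_once) {
- /*
- * We want admins to notice their misconfiguration!
- */
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "Please configure 'server schannel = yes', "
- "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
- warned_global_once = true;
- }
-
 if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
 DBG_ERR("CVE-2020-1472(ZeroLogon): "
 "%s request (opnum[%u]) WITH schannel from "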
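Review bot: The `static bool warned_global_schannel_once` latch added to dcesrv_interface_netlogon_bind is per process, so how often this ZeroLogon misconfiguration warning fires now depends on the process model, which the hunk does not show. If each connection is served by its own forked process, every netlogon bind would log the D_ERR line once, including binds from clients that never authenticate; that is worth confirming against expected log volume. The test `(schannel == true)` compares an int setting with a bool literal, so a reader cannot tell which non-yes values are expected to warn; a comment such as `/* only an explicit 'yes' counts as required; any other value (e.g. 'auto') warns, once per process */` would make that intent visible. The switch from DBG_ERR to D_ERR presumably changes the log line prefix and is not mentioned in the commit message.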
--
2.34.1