packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0016-CVE-2022-38023.patch

56 lines
2.0 KiB
Diff
Raw Blame History

From 548325d1e837123e7e356de6849daf62f12cabfd Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Fri, 25 Nov 2022 10:10:33 +0100
Subject: [PATCH 16/30] CVE-2022-38023 s4:rpc_server/netlogon: require aes if
weak crypto is disabled
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4c7f84798acd1e3218209d66d1a92e9f42954d51)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
source4/rpc_server/netlogon/dcerpc_netlogon.c | 9 +++++++++
source4/torture/rpc/netlogon_crypto.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/source4/rpc_server/netlogon/dcerpc_netlogon.c b/source4/rpc_server/netlogon/dcerpc_netlogon.c
index 82e3df055e7f..51e8dd42cdce 100644
--- a/source4/rpc_server/netlogon/dcerpc_netlogon.c
+++ b/source4/rpc_server/netlogon/dcerpc_netlogon.c
@@ -137,6 +137,15 @@ static NTSTATUS dcesrv_netr_ServerAuthenticate3_check_downgrade(
bool reject_des_client = !allow_nt4_crypto;
bool reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
+ /*
+ * If weak cryto is disabled, do not announce that we support RC4.
+ */
+ if (lpcfg_weak_crypto(lp_ctx) == SAMBA_WEAK_CRYPTO_DISALLOWED) {
+ /* Without RC4 and DES we require AES */
+ reject_des_client = true;
+ reject_md5_client = true;
+ }
+
if (negotiate_flags & NETLOGON_NEG_STRONG_KEYS) {
reject_des_client = false;
}
diff --git a/source4/torture/rpc/netlogon_crypto.c b/source4/torture/rpc/netlogon_crypto.c
index 05beb2b77b3b..85844604ee27 100644
--- a/source4/torture/rpc/netlogon_crypto.c
+++ b/source4/torture/rpc/netlogon_crypto.c
@@ -150,7 +150,7 @@ static bool test_ServerAuth3Crypto(struct dcerpc_pipe *p,
force_client_rc4) {
torture_assert_ntstatus_equal(tctx,
a.out.result,
- NT_STATUS_ACCESS_DENIED,
+ NT_STATUS_DOWNGRADE_DETECTED,
"Unexpected status code");
return false;
}
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink