packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0017-CVE-2022-38023.patch

99 lines
3.9 KiB
Diff
Raw Blame History

From 2d179d5d7cd6a47a1a7922f09b63234a467bdad3 Mon Sep 17 00:00:00 2001
From: Stefan Metzmacher <metze@samba.org>
Date: Thu, 24 Nov 2022 18:26:18 +0100
Subject: [PATCH 17/30] CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5
clients' default to yes
AES is supported by Windows Server >= 2008R2, Windows (Client) >= 7 and Samba >= 4.0,
so there's no reason to allow md5 clients by default.
However some third party domain members may need it.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit c8e53394b98b128ed460a6111faf05dfbad980d1)
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17692
---
docs-xml/smbdotconf/logon/rejectmd5clients.xml | 11 ++++++++---
lib/param/loadparm.c | 1 +
selftest/target/Samba4.pm | 4 ++++
source3/param/loadparm.c | 1 +
4 files changed, 14 insertions(+), 3 deletions(-)
diff --git a/docs-xml/smbdotconf/logon/rejectmd5clients.xml b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
index 0bb9f6f6c8ec..edcbe02e99a3 100644
--- a/docs-xml/smbdotconf/logon/rejectmd5clients.xml
+++ b/docs-xml/smbdotconf/logon/rejectmd5clients.xml
@@ -7,11 +7,16 @@
only in 'active directory domain controller' mode), will
reject clients which does not support NETLOGON_NEG_SUPPORTS_AES.</para>
- <para>You can set this to yes if all domain members support aes.
- This will prevent downgrade attacks.</para>
+ <para>Support for NETLOGON_NEG_SUPPORTS_AES was added in Windows
+ starting with Server 2008R2 and Windows 7, it's available in Samba
+ starting with 4.0, however third party domain members like NetApp ONTAP
+ still uses RC4 (HMAC-MD5), see https://www.samba.org/samba/security/CVE-2022-38023.html for more details.</para>
+
+ <para>The default changed from 'no' to 'yes', with the patches for CVE-2022-38023,
+ see https://bugzilla.samba.org/show_bug.cgi?id=15240</para>
<para>This option overrides the 'allow nt4 crypto' option.</para>
</description>
-<value type="default">no</value>
+<value type="default">yes</value>
</samba:parameter>
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
index 10157c95bc16..e509cf85bb89 100644
--- a/lib/param/loadparm.c
+++ b/lib/param/loadparm.c
@@ -2729,6 +2729,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
lpcfg_do_global_parameter(lp_ctx, "winbind nss info", "template");
lpcfg_do_global_parameter(lp_ctx, "server schannel", "True");
+ lpcfg_do_global_parameter(lp_ctx, "reject md5 clients", "True");
lpcfg_do_global_parameter(lp_ctx, "short preserve case", "True");
diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm
index 191aa3b749ee..d0e5a53d9fb3 100755
--- a/selftest/target/Samba4.pm
+++ b/selftest/target/Samba4.pm
@@ -1621,6 +1621,8 @@ sub provision_ad_dc_ntvfs($$$)
client min protocol = CORE
server min protocol = LANMAN1
+ reject md5 clients = no
+
CVE_2020_1472:warn_about_unused_debug_level = 3
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
@@ -1986,6 +1988,8 @@ sub provision_ad_dc($$$$$$$)
lpq cache time = 0
print notify backchannel = yes
+ reject md5 clients = no
+
CVE_2020_1472:warn_about_unused_debug_level = 3
server require schannel:schannel0\$ = no
server require schannel:schannel1\$ = no
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
index 91bb3c08327b..c88d241bcf78 100644
--- a/source3/param/loadparm.c
+++ b/source3/param/loadparm.c
@@ -668,6 +668,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
Globals.require_strong_key = true;
Globals.reject_md5_servers = true;
Globals.server_schannel = true;
+ Globals.reject_md5_clients = true;
Globals.read_raw = true;
Globals.write_raw = true;
Globals.null_passwords = false;
--
2.34.1
Reference in New Issue View Git Blame Copy Permalink