101 lines
3.1 KiB
Diff
101 lines
3.1 KiB
Diff
From 6a9ac02107834bc102020dea77483f66d87fe422 Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Tue, 6 Dec 2022 13:36:17 +0100
|
|
Subject: [PATCH 30/30] CVE-2022-38023 testparm: warn about unsecure schannel
|
|
related options
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17692
|
|
---
|
|
source3/utils/testparm.c | 61 ++++++++++++++++++++++++++++++++++++++++
|
|
1 file changed, 61 insertions(+)
|
|
|
|
diff --git a/source3/utils/testparm.c b/source3/utils/testparm.c
|
|
index 7e913a8ac4d3..121c2b7a5221 100644
|
|
--- a/source3/utils/testparm.c
|
|
+++ b/source3/utils/testparm.c
|
|
@@ -608,6 +608,37 @@ static int do_global_checks(void)
|
|
"'server require schannel:COMPUTERACCOUNT$ = no' "
|
|
"options\n\n");
|
|
}
|
|
+ if (lp_allow_nt4_crypto()) {
|
|
+ fprintf(stderr,
|
|
+ "WARNING: You have not configured "
|
|
+ "'allow nt4 crypto = no' (the default). "
|
|
+ "Your server is vulernable to "
|
|
+ "CVE-2022-38023 and others!\n"
|
|
+ "If required use individual "
|
|
+ "'allow nt4 crypto:COMPUTERACCOUNT$ = yes' "
|
|
+ "options\n\n");
|
|
+ }
|
|
+ if (!lp_reject_md5_clients()) {
|
|
+ fprintf(stderr,
|
|
+ "WARNING: You have not configured "
|
|
+ "'reject md5 clients = yes' (the default). "
|
|
+ "Your server is vulernable to "
|
|
+ "CVE-2022-38023!\n"
|
|
+ "If required use individual "
|
|
+ "'server reject md5 schannel:COMPUTERACCOUNT$ = yes' "
|
|
+ "options\n\n");
|
|
+ }
|
|
+ if (!lp_server_schannel_require_seal()) {
|
|
+ fprintf(stderr,
|
|
+ "WARNING: You have not configured "
|
|
+ "'server schannel require seal = yes' (the default). "
|
|
+ "Your server is vulernable to "
|
|
+ "CVE-2022-38023!\n"
|
|
+ "If required use individual "
|
|
+ "'server schannel require seal:COMPUTERACCOUNT$ = no' "
|
|
+ "options\n\n");
|
|
+ }
|
|
+
|
|
if (lp_client_schannel() != true) { /* can be 'auto' */
|
|
fprintf(stderr,
|
|
"WARNING: You have not configured "
|
|
@@ -618,6 +649,36 @@ static int do_global_checks(void)
|
|
"'client schannel:NETBIOSDOMAIN = no' "
|
|
"options\n\n");
|
|
}
|
|
+ if (!lp_reject_md5_servers()) {
|
|
+ fprintf(stderr,
|
|
+ "WARNING: You have not configured "
|
|
+ "'reject md5 servers = yes' (the default). "
|
|
+ "Your server is vulernable to "
|
|
+ "CVE-2022-38023\n"
|
|
+ "If required use individual "
|
|
+ "'reject md5 servers:NETBIOSDOMAIN = no' "
|
|
+ "options\n\n");
|
|
+ }
|
|
+ if (!lp_require_strong_key()) {
|
|
+ fprintf(stderr,
|
|
+ "WARNING: You have not configured "
|
|
+ "'require strong key = yes' (the default). "
|
|
+ "Your server is vulernable to "
|
|
+ "CVE-2022-38023\n"
|
|
+ "If required use individual "
|
|
+ "'require strong key:NETBIOSDOMAIN = no' "
|
|
+ "options\n\n");
|
|
+ }
|
|
+ if (!lp_winbind_sealed_pipes()) {
|
|
+ fprintf(stderr,
|
|
+ "WARNING: You have not configured "
|
|
+ "'winbind sealed pipes = yes' (the default). "
|
|
+ "Your server is vulernable to "
|
|
+ "CVE-2022-38023\n"
|
|
+ "If required use individual "
|
|
+ "'winbind sealed pipes:NETBIOSDOMAIN = no' "
|
|
+ "options\n\n");
|
|
+ }
|
|
|
|
return ret;
|
|
}
|
|
--
|
|
2.34.1
|