!180 add patch for fix CVE-2022-38023

From: @xinghe_1 Reviewed-by: @kircher Signed-off-by: @kircher
2023-04-03 11:23:20 +00:00 · 2023-04-03 11:23:20 +00:00 · d3f30f14d5
commit d3f30f14d5
parent 3998e72b4e c24b46a73b
10 changed files with 1280 additions and 1 deletions
--- a/backport-0030-CVE-2022-38023.patch
+++ b/backport-0030-CVE-2022-38023.patch
@ -0,0 +1,133 @@
+From 19aa47e3db550fd3099f06c9b97dc5800dd5afb3 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Thu, 22 Dec 2022 11:33:12 +0100
+Subject: [PATCH 31/40] CVE-2022-38023 s3:rpc_server/netlogon: add
+ talloc_stackframe() to dcesrv_netr_creds_server_step_check()
+
+This will simplify the following changes.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 38 ++++++++++++---------
+ 1 file changed, 22 insertions(+), 16 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 3221ebaa2e2..8e907e60f7e 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1070,6 +1070,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 					     struct netr_Authenticator *return_authenticator,
+ 					     struct netlogon_creds_CredentialState **creds_out)
+ {
+	TALLOC_CTX *frame = talloc_stackframe();
+ 	NTSTATUS status;
+ 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ 	bool schannel_required = schannel_global_required;
+@@ -1091,19 +1092,19 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 
+ 	auth_type = p->auth.auth_type;
+ 
+-	lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
+	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ 	if (lp_ctx == NULL) {
+ 		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		TALLOC_FREE(frame);
+ 		return NT_STATUS_INTERNAL_ERROR;
+ 	}
+ 
+ 	status = schannel_check_creds_state(mem_ctx, lp_ctx,
+ 					    computer_name, received_authenticator,
+ 					    return_authenticator, &creds);
+-	talloc_unlink(mem_ctx, lp_ctx);
+-
+ 	if (!NT_STATUS_IS_OK(status)) {
+ 		ZERO_STRUCTP(return_authenticator);
+		TALLOC_FREE(frame);
+ 		return status;
+ 	}
+ 
+@@ -1124,6 +1125,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 	if (schannel_required) {
+ 		if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ 			*creds_out = creds;
+			TALLOC_FREE(frame);
+ 			return NT_STATUS_OK;
+ 		}
+ 
+@@ -1131,13 +1133,15 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 			"%s request (opnum[%u]) without schannel from "
+ 			"client_account[%s] client_computer_name[%s]\n",
+ 			opname, opnum,
+-			log_escape(mem_ctx, creds->account_name),
+-			log_escape(mem_ctx, creds->computer_name));
+			log_escape(frame, creds->account_name),
+			log_escape(frame, creds->computer_name));
+ 		DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
+-			"'server require schannel:%s = no' is needed! \n",
+-			log_escape(mem_ctx, creds->account_name));
+			"'server require schannel:%s = no' "
+			"might be needed for a legacy client.\n",
+			log_escape(frame, creds->account_name));
+ 		TALLOC_FREE(creds);
+ 		ZERO_STRUCTP(return_authenticator);
+		TALLOC_FREE(frame);
+ 		return NT_STATUS_ACCESS_DENIED;
+ 	}
+ 
+@@ -1156,13 +1160,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 			"%s request (opnum[%u]) WITH schannel from "
+ 			"client_account[%s] client_computer_name[%s]\n",
+ 			opname, opnum,
+-			log_escape(mem_ctx, creds->account_name),
+-			log_escape(mem_ctx, creds->computer_name));
+			log_escape(frame, creds->account_name),
+			log_escape(frame, creds->computer_name));
+ 		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ 			"Option 'server require schannel:%s = no' not needed!?\n",
+-			log_escape(mem_ctx, creds->account_name));
+			log_escape(frame, creds->account_name));
+ 
+ 		*creds_out = creds;
+		TALLOC_FREE(frame);
+ 		return NT_STATUS_OK;
+ 	}
+ 
+@@ -1171,24 +1176,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 			 "%s request (opnum[%u]) without schannel from "
+ 			 "client_account[%s] client_computer_name[%s]\n",
+ 			 opname, opnum,
+-			 log_escape(mem_ctx, creds->account_name),
+-			 log_escape(mem_ctx, creds->computer_name));
+			 log_escape(frame, creds->account_name),
+			 log_escape(frame, creds->computer_name));
+ 		DBG_INFO("CVE-2020-1472(ZeroLogon): "
+ 			 "Option 'server require schannel:%s = no' still needed!\n",
+-			 log_escape(mem_ctx, creds->account_name));
+			 log_escape(frame, creds->account_name));
+ 	} else {
+ 		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ 			"%s request (opnum[%u]) without schannel from "
+ 			"client_account[%s] client_computer_name[%s]\n",
+ 			opname, opnum,
+-			log_escape(mem_ctx, creds->account_name),
+-			log_escape(mem_ctx, creds->computer_name));
+			log_escape(frame, creds->account_name),
+			log_escape(frame, creds->computer_name));
+ 		DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
+ 			"'server require schannel:%s = no' might be needed!\n",
+-			log_escape(mem_ctx, creds->account_name));
+			log_escape(frame, creds->account_name));
+ 	}
+ 
+ 	*creds_out = creds;
+	TALLOC_FREE(frame);
+ 	return NT_STATUS_OK;
+ }
+ 
+-- 
+2.39.0
--- a/backport-0031-CVE-2022-38023.patch
+++ b/backport-0031-CVE-2022-38023.patch
@ -0,0 +1,80 @@
+From 4118bd2e1b1a31717f4c5355be5d83c121fa85dc Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 21 Dec 2022 18:17:57 +0100
+Subject: [PATCH 32/40] CVE-2022-38023 s3:rpc_server/netlogon: re-order
+ checking in netr_creds_server_step_check()
+
+This will simplify the following changes.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 40 ++++++++++-----------
+ 1 file changed, 19 insertions(+), 21 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 8e907e60f7e..ba73fe3fa58 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1122,13 +1122,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 		schannel_required = lp_bool(explicit_opt);
+ 	}
+ 
+-	if (schannel_required) {
+-		if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+-			*creds_out = creds;
+-			TALLOC_FREE(frame);
+-			return NT_STATUS_OK;
+	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (!schannel_required) {
+			DBG_ERR("CVE-2020-1472(ZeroLogon): "
+				"%s request (opnum[%u]) WITH schannel from "
+				"client_account[%s] client_computer_name[%s]\n",
+				opname, opnum,
+				log_escape(frame, creds->account_name),
+				log_escape(frame, creds->computer_name));
+		}
+		if (explicit_opt != NULL && !schannel_required) {
+			DBG_ERR("CVE-2020-1472(ZeroLogon): "
+				"Option 'server require schannel:%s = no' not needed!?\n",
+				log_escape(frame, creds->account_name));
+ 		}
+ 
+		*creds_out = creds;
+		TALLOC_FREE(frame);
+		return NT_STATUS_OK;
+	}
+
+	if (schannel_required) {
+ 		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ 			"%s request (opnum[%u]) without schannel from "
+ 			"client_account[%s] client_computer_name[%s]\n",
+@@ -1155,22 +1169,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 		warned_global_once = true;
+ 	}
+ 
+-	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+-		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+-			"%s request (opnum[%u]) WITH schannel from "
+-			"client_account[%s] client_computer_name[%s]\n",
+-			opname, opnum,
+-			log_escape(frame, creds->account_name),
+-			log_escape(frame, creds->computer_name));
+-		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+-			"Option 'server require schannel:%s = no' not needed!?\n",
+-			log_escape(frame, creds->account_name));
+-
+-		*creds_out = creds;
+-		TALLOC_FREE(frame);
+-		return NT_STATUS_OK;
+-	}
+-
+ 	if (explicit_opt != NULL) {
+ 		DBG_INFO("CVE-2020-1472(ZeroLogon): "
+ 			 "%s request (opnum[%u]) without schannel from "
+-- 
+2.39.0
--- a/backport-0032-CVE-2022-38023.patch
+++ b/backport-0032-CVE-2022-38023.patch
@ -0,0 +1,229 @@
+From 4e9f73ed47739f66fbf330d1f6ddb738b749395a Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Thu, 22 Dec 2022 11:35:57 +0100
+Subject: [PATCH 33/40] CVE-2022-38023 s3:rpc_server/netlogon: improve
+ CVE-2020-1472(ZeroLogon) debug messages
+
+In order to avoid generating useless debug messages during make test,
+we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
+and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
+
+Review with: git show -w
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 149 ++++++++++++++------
+ 1 file changed, 109 insertions(+), 40 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index ba73fe3fa58..c9401499a9b 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1077,9 +1077,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 	const char *explicit_opt = NULL;
+ 	struct loadparm_context *lp_ctx;
+ 	struct netlogon_creds_CredentialState *creds = NULL;
+	int CVE_2020_1472_warn_level = DBGLVL_ERR;
+	int CVE_2020_1472_error_level = DBGLVL_ERR;
+	unsigned int dbg_lvl = DBGLVL_DEBUG;
+ 	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+ 	uint16_t opnum = p->opnum;
+ 	const char *opname = "<unknown>";
+	const char *reason = "<unknown>";
+ 	static bool warned_global_once = false;
+ 
+ 	if (creds_out != NULL) {
+@@ -1091,6 +1096,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 	}
+ 
+ 	auth_type = p->auth.auth_type;
+	auth_level = p->auth.auth_level;
+ 
+ 	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+ 	if (lp_ctx == NULL) {
+@@ -1099,6 +1105,23 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 		return NT_STATUS_INTERNAL_ERROR;
+ 	}
+ 
+	CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+	CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+
+	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+			reason = "WITH SEALED";
+		} else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+			reason = "WITH SIGNED";
+		} else {
+			smb_panic("Schannel without SIGN/SEAL");
+		}
+	} else {
+		reason = "WITHOUT";
+	}
+
+ 	status = schannel_check_creds_state(mem_ctx, lp_ctx,
+ 					    computer_name, received_authenticator,
+ 					    return_authenticator, &creds);
+@@ -1123,40 +1146,69 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 	}
+ 
+ 	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+-		if (!schannel_required) {
+-			DBG_ERR("CVE-2020-1472(ZeroLogon): "
+-				"%s request (opnum[%u]) WITH schannel from "
+-				"client_account[%s] client_computer_name[%s]\n",
+-				opname, opnum,
+-				log_escape(frame, creds->account_name),
+-				log_escape(frame, creds->computer_name));
+		status = NT_STATUS_OK;
+
+		if (explicit_opt != NULL && !schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+		} else if (!schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ 		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon): "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(status)));
+
+ 		if (explicit_opt != NULL && !schannel_required) {
+-			DBG_ERR("CVE-2020-1472(ZeroLogon): "
+-				"Option 'server require schannel:%s = no' not needed!?\n",
+-				log_escape(frame, creds->account_name));
+			DEBUG(CVE_2020_1472_warn_level, (
+			      "CVE-2020-1472(ZeroLogon): "
+			      "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+ 		}
+ 
+ 		*creds_out = creds;
+ 		TALLOC_FREE(frame);
+-		return NT_STATUS_OK;
+		return status;
+ 	}
+ 
+ 	if (schannel_required) {
+-		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+-			"%s request (opnum[%u]) without schannel from "
+-			"client_account[%s] client_computer_name[%s]\n",
+-			opname, opnum,
+-			log_escape(frame, creds->account_name),
+-			log_escape(frame, creds->computer_name));
+-		DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
+-			"'server require schannel:%s = no' "
+-			"might be needed for a legacy client.\n",
+-			log_escape(frame, creds->account_name));
+		status = NT_STATUS_ACCESS_DENIED;
+
+		if (explicit_opt != NULL) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+		} else {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(status)));
+		if (explicit_opt != NULL) {
+			D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
+				"'server require schannel:%s = yes' "
+				"rejects access for client.\n",
+				log_escape(frame, creds->account_name));
+		} else {
+			DEBUG(CVE_2020_1472_error_level, (
+			      "CVE-2020-1472(ZeroLogon): Check if option "
+			      "'server require schannel:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		}
+ 		TALLOC_FREE(creds);
+ 		ZERO_STRUCTP(return_authenticator);
+ 		TALLOC_FREE(frame);
+-		return NT_STATUS_ACCESS_DENIED;
+		return status;
+ 	}
+ 
+ 	if (!schannel_global_required && !warned_global_once) {
+@@ -1169,26 +1221,43 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 		warned_global_once = true;
+ 	}
+ 
+	status = NT_STATUS_OK;
+
+ 	if (explicit_opt != NULL) {
+-		DBG_INFO("CVE-2020-1472(ZeroLogon): "
+-			 "%s request (opnum[%u]) without schannel from "
+-			 "client_account[%s] client_computer_name[%s]\n",
+-			 opname, opnum,
+-			 log_escape(frame, creds->account_name),
+-			 log_escape(frame, creds->computer_name));
+-		DBG_INFO("CVE-2020-1472(ZeroLogon): "
+-			 "Option 'server require schannel:%s = no' still needed!\n",
+-			 log_escape(frame, creds->account_name));
+		dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ 	} else {
+-		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+-			"%s request (opnum[%u]) without schannel from "
+-			"client_account[%s] client_computer_name[%s]\n",
+-			opname, opnum,
+-			log_escape(frame, creds->account_name),
+-			log_escape(frame, creds->computer_name));
+-		DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
+-			"'server require schannel:%s = no' might be needed!\n",
+-			log_escape(frame, creds->account_name));
+		dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+	}
+
+	DEBUG(dbg_lvl, (
+	      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+	      "%s request (opnum[%u]) %s schannel from "
+	      "client_account[%s] client_computer_name[%s] %s\n",
+	      opname, opnum, reason,
+	      log_escape(frame, creds->account_name),
+	      log_escape(frame, creds->computer_name),
+	      nt_errstr(status)));
+
+	if (explicit_opt != NULL) {
+		D_INFO("CVE-2020-1472(ZeroLogon): Option "
+		       "'server require schannel:%s = no' "
+		       "still needed for '%s'!\n",
+		       log_escape(frame, creds->account_name),
+		       log_escape(frame, creds->computer_name));
+	} else {
+		/*
+		 * admins should set
+		 * server require schannel:COMPUTER$ = no
+		 * in order to avoid the level 0 messages.
+		 * Over time they can switch the global value
+		 * to be strict.
+		 */
+		DEBUG(CVE_2020_1472_error_level, (
+		      "CVE-2020-1472(ZeroLogon): "
+		      "Please use 'server require schannel:%s = no' "
+		      "for '%s' to avoid this warning!\n",
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name)));
+ 	}
+ 
+ 	*creds_out = creds;
+-- 
+2.39.0
--- a/backport-0033-CVE-2022-38023.patch
+++ b/backport-0033-CVE-2022-38023.patch
@ -0,0 +1,186 @@
+From 24d91b96790628ba864c67cca0b97b95ad7f9555 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Thu, 22 Dec 2022 11:42:51 +0100
+Subject: [PATCH 35/40] CVE-2022-38023 s3:rpc_server/netlogon: split out
+ netr_check_schannel() function
+
+This will allow us to reuse the function in other places.
+As it will also get some additional checks soon.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 107 ++++++++++++--------
+ 1 file changed, 62 insertions(+), 45 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index c9401499a9b..b254ca72a48 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1063,53 +1063,30 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p,
+ /*************************************************************************
+  *************************************************************************/
+ 
+-static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+-					     TALLOC_CTX *mem_ctx,
+-					     const char *computer_name,
+-					     struct netr_Authenticator *received_authenticator,
+-					     struct netr_Authenticator *return_authenticator,
+-					     struct netlogon_creds_CredentialState **creds_out)
+static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+				    const struct netlogon_creds_CredentialState *creds,
+				    enum dcerpc_AuthType auth_type,
+				    enum dcerpc_AuthLevel auth_level,
+				    uint16_t opnum)
+ {
+ 	TALLOC_CTX *frame = talloc_stackframe();
+ 	NTSTATUS status;
+ 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ 	bool schannel_required = schannel_global_required;
+ 	const char *explicit_opt = NULL;
+-	struct loadparm_context *lp_ctx;
+-	struct netlogon_creds_CredentialState *creds = NULL;
+-	int CVE_2020_1472_warn_level = DBGLVL_ERR;
+-	int CVE_2020_1472_error_level = DBGLVL_ERR;
+	int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+		"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+	int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+		"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+ 	unsigned int dbg_lvl = DBGLVL_DEBUG;
+-	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+-	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+-	uint16_t opnum = p->opnum;
+ 	const char *opname = "<unknown>";
+ 	const char *reason = "<unknown>";
+ 	static bool warned_global_once = false;
+ 
+-	if (creds_out != NULL) {
+-		*creds_out = NULL;
+-	}
+-
+ 	if (opnum < ndr_table_netlogon.num_calls) {
+ 		opname = ndr_table_netlogon.calls[opnum].name;
+ 	}
+ 
+-	auth_type = p->auth.auth_type;
+-	auth_level = p->auth.auth_level;
+-
+-	lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
+-	if (lp_ctx == NULL) {
+-		DEBUG(0, ("loadparm_init_s3 failed\n"));
+-		TALLOC_FREE(frame);
+-		return NT_STATUS_INTERNAL_ERROR;
+-	}
+-
+-	CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+-		"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+-	CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+-		"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+-
+ 	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ 		if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ 			reason = "WITH SEALED";
+@@ -1122,15 +1099,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 		reason = "WITHOUT";
+ 	}
+ 
+-	status = schannel_check_creds_state(mem_ctx, lp_ctx,
+-					    computer_name, received_authenticator,
+-					    return_authenticator, &creds);
+-	if (!NT_STATUS_IS_OK(status)) {
+-		ZERO_STRUCTP(return_authenticator);
+-		TALLOC_FREE(frame);
+-		return status;
+-	}
+-
+ 	/*
+ 	 * We don't use lp_parm_bool(), as we
+ 	 * need the explicit_opt pointer in order to
+@@ -1171,7 +1139,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 			      log_escape(frame, creds->computer_name)));
+ 		}
+ 
+-		*creds_out = creds;
+ 		TALLOC_FREE(frame);
+ 		return status;
+ 	}
+@@ -1205,8 +1172,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 			      "might be needed for a legacy client.\n",
+ 			      log_escape(frame, creds->account_name)));
+ 		}
+-		TALLOC_FREE(creds);
+-		ZERO_STRUCTP(return_authenticator);
+ 		TALLOC_FREE(frame);
+ 		return status;
+ 	}
+@@ -1260,11 +1225,63 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+ 		      log_escape(frame, creds->computer_name)));
+ 	}
+ 
+-	*creds_out = creds;
+ 	TALLOC_FREE(frame);
+ 	return NT_STATUS_OK;
+ }
+ 
+static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+					     TALLOC_CTX *mem_ctx,
+					     const char *computer_name,
+					     struct netr_Authenticator *received_authenticator,
+					     struct netr_Authenticator *return_authenticator,
+					     struct netlogon_creds_CredentialState **creds_out)
+{
+	struct loadparm_context *lp_ctx = NULL;
+	NTSTATUS status;
+	struct netlogon_creds_CredentialState *creds = NULL;
+	enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+	enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
+	uint16_t opnum = p->opnum;
+
+	if (creds_out != NULL) {
+		*creds_out = NULL;
+	}
+
+	auth_type = p->auth.auth_type;
+	auth_level = p->auth.auth_level;
+
+	lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
+	if (lp_ctx == NULL) {
+		DEBUG(0, ("loadparm_init_s3 failed\n"));
+		return NT_STATUS_INTERNAL_ERROR;
+	}
+
+	status = schannel_check_creds_state(mem_ctx,
+					    lp_ctx,
+					    computer_name,
+					    received_authenticator,
+					    return_authenticator,
+					    &creds);
+	TALLOC_FREE(lp_ctx);
+	if (!NT_STATUS_IS_OK(status)) {
+		ZERO_STRUCTP(return_authenticator);
+		return status;
+	}
+
+	status = netr_check_schannel(p,
+				     creds,
+				     auth_type,
+				     auth_level,
+				     opnum);
+	if (!NT_STATUS_IS_OK(status)) {
+		TALLOC_FREE(creds);
+		ZERO_STRUCTP(return_authenticator);
+		return status;
+	}
+
+	*creds_out = creds;
+	return NT_STATUS_OK;
+}
+ 
+ /*************************************************************************
+  *************************************************************************/
+-- 
+2.39.0
--- a/backport-0034-CVE-2022-38023.patch
+++ b/backport-0034-CVE-2022-38023.patch
@ -0,0 +1,81 @@
+From ec1962e20deb4cbe95e861eb57107f08cb3a6de9 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Thu, 22 Dec 2022 09:29:04 +0100
+Subject: [PATCH 36/40] CVE-2022-38023 s3:rpc_server/netlogon: make sure all
+ dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel()
+
+We'll soon add some additional contraints in dcesrv_netr_check_schannel(),
+which are also required for dcesrv_netr_LogonSamLogonEx().
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 7 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index b254ca72a48..a66b929b479 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1771,6 +1771,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
+ 	struct auth_serversupplied_info *server_info = NULL;
+ 	struct auth_context *auth_context = NULL;
+ 	const char *fn;
+	enum dcerpc_AuthType auth_type = p->auth.auth_type;
+	enum dcerpc_AuthLevel auth_level = p->auth.auth_level;
+ 
+ #ifdef DEBUG_PASSWORD
+ 	logon = netlogon_creds_shallow_copy_logon(p->mem_ctx,
+@@ -1784,11 +1786,32 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p,
+ 	switch (p->opnum) {
+ 		case NDR_NETR_LOGONSAMLOGON:
+ 			fn = "_netr_LogonSamLogon";
+			/*
+			 * Already called netr_check_schannel() via
+			 * netr_creds_server_step_check()
+			 */
+ 			break;
+ 		case NDR_NETR_LOGONSAMLOGONWITHFLAGS:
+ 			fn = "_netr_LogonSamLogonWithFlags";
+			/*
+			 * Already called netr_check_schannel() via
+			 * netr_creds_server_step_check()
+			 */
+ 			break;
+ 		case NDR_NETR_LOGONSAMLOGONEX:
+			if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+				return NT_STATUS_ACCESS_DENIED;
+			}
+
+			status = netr_check_schannel(p,
+						     creds,
+						     auth_type,
+						     auth_level,
+						     p->opnum);
+			if (NT_STATUS_IS_ERR(status)) {
+				return status;
+			}
+
+ 			fn = "_netr_LogonSamLogonEx";
+ 			break;
+ 		default:
+@@ -2130,13 +2153,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p,
+ 		return status;
+ 	}
+ 
+-	/* Only allow this if the pipe is protected. */
+-	if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
+-		DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n",
+-			get_remote_machine_name() ));
+-		return NT_STATUS_INVALID_PARAMETER;
+-        }
+-
+ 	lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers());
+ 	if (lp_ctx == NULL) {
+ 		DEBUG(0, ("loadparm_init_s3 failed\n"));
+-- 
+2.39.0
--- a/backport-0035-CVE-2022-38023.patch
+++ b/backport-0035-CVE-2022-38023.patch
@ -0,0 +1,92 @@
+From e46fdd96cf0cea2415e7dfd49d7f204c53bac762 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 4 Jan 2023 17:23:41 +0100
+Subject: [PATCH 37/40] CVE-2022-38023 s3:rpc_server/netlogon: Rename variable
+
+This will simplify the following changes.
+
+Signed-off-by: Samuel Cabrero <scabrero@suse.de>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index a66b929b479..b7c8e2c928e 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1071,9 +1071,10 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ {
+ 	TALLOC_CTX *frame = talloc_stackframe();
+ 	NTSTATUS status;
+	const char *explicit_opt = NULL;
+ 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ 	bool schannel_required = schannel_global_required;
+-	const char *explicit_opt = NULL;
+	bool schannel_explicitly_set = false;
+ 	int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+ 		"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ 	int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+@@ -1112,11 +1113,12 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	if (explicit_opt != NULL) {
+ 		schannel_required = lp_bool(explicit_opt);
+ 	}
+	schannel_explicitly_set = explicit_opt != NULL;
+ 
+ 	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ 		status = NT_STATUS_OK;
+ 
+-		if (explicit_opt != NULL && !schannel_required) {
+		if (schannel_explicitly_set && !schannel_required) {
+ 			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+ 		} else if (!schannel_required) {
+ 			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+@@ -1131,7 +1133,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		      log_escape(frame, creds->computer_name),
+ 		      nt_errstr(status)));
+ 
+-		if (explicit_opt != NULL && !schannel_required) {
+		if (schannel_explicitly_set && !schannel_required) {
+ 			DEBUG(CVE_2020_1472_warn_level, (
+ 			      "CVE-2020-1472(ZeroLogon): "
+ 			      "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+@@ -1146,7 +1148,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	if (schannel_required) {
+ 		status = NT_STATUS_ACCESS_DENIED;
+ 
+-		if (explicit_opt != NULL) {
+		if (schannel_explicitly_set) {
+ 			dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+ 		} else {
+ 			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+@@ -1160,7 +1162,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		      log_escape(frame, creds->account_name),
+ 		      log_escape(frame, creds->computer_name),
+ 		      nt_errstr(status)));
+-		if (explicit_opt != NULL) {
+		if (schannel_explicitly_set) {
+ 			D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
+ 				"'server require schannel:%s = yes' "
+ 				"rejects access for client.\n",
+@@ -1188,7 +1190,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 
+ 	status = NT_STATUS_OK;
+ 
+-	if (explicit_opt != NULL) {
+	if (schannel_explicitly_set) {
+ 		dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ 	} else {
+ 		dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+@@ -1203,7 +1205,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	      log_escape(frame, creds->computer_name),
+ 	      nt_errstr(status)));
+ 
+-	if (explicit_opt != NULL) {
+	if (schannel_explicitly_set) {
+ 		D_INFO("CVE-2020-1472(ZeroLogon): Option "
+ 		       "'server require schannel:%s = no' "
+ 		       "still needed for '%s'!\n",
+-- 
+2.39.0
--- a/backport-0036-CVE-2022-38023.patch
+++ b/backport-0036-CVE-2022-38023.patch
@ -0,0 +1,62 @@
+From b0ecb8aebf814b339afe1d2843ef53ece5cb4c9d Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 4 Jan 2023 17:39:20 +0100
+Subject: [PATCH 38/40] CVE-2022-38023 s3:rpc_server/netlogon: Return error on
+ invalid auth level
+
+Signed-off-by: Samuel Cabrero <scabrero@suse.de>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +++++++++++++++++++--
+ 1 file changed, 21 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index b7c8e2c928e..5f89e945f9c 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1070,7 +1070,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 				    uint16_t opnum)
+ {
+ 	TALLOC_CTX *frame = talloc_stackframe();
+-	NTSTATUS status;
+	NTSTATUS status = NT_STATUS_MORE_PROCESSING_REQUIRED;
+ 	const char *explicit_opt = NULL;
+ 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ 	bool schannel_required = schannel_global_required;
+@@ -1094,12 +1094,31 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		} else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ 			reason = "WITH SIGNED";
+ 		} else {
+-			smb_panic("Schannel without SIGN/SEAL");
+			reason = "WITH INVALID";
+			dbg_lvl = DBGLVL_ERR;
+			status = NT_STATUS_INTERNAL_ERROR;
+ 		}
+ 	} else {
+ 		reason = "WITHOUT";
+ 	}
+ 
+	if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		if (!NT_STATUS_IS_OK(status)) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(status)));
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+ 	/*
+ 	 * We don't use lp_parm_bool(), as we
+ 	 * need the explicit_opt pointer in order to
+-- 
+2.39.0
--- a/backport-0037-CVE-2022-38023.patch
+++ b/backport-0037-CVE-2022-38023.patch
@ -0,0 +1,47 @@
+From 037606c112ae4d1025708d2d12898e73359f0c54 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 4 Jan 2023 17:42:37 +0100
+Subject: [PATCH 39/40] CVE-2022-38023 s3:rpc_server/netlogon: Rename variable
+
+This will simplify the following changes.
+
+Signed-off-by: Samuel Cabrero <scabrero@samba.org>
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 5f89e945f9c..f238d7ce42b 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1082,7 +1082,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	unsigned int dbg_lvl = DBGLVL_DEBUG;
+ 	const char *opname = "<unknown>";
+ 	const char *reason = "<unknown>";
+-	static bool warned_global_once = false;
+	static bool warned_global_schannel_once = false;
+ 
+ 	if (opnum < ndr_table_netlogon.num_calls) {
+ 		opname = ndr_table_netlogon.calls[opnum].name;
+@@ -1197,14 +1197,14 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		return status;
+ 	}
+ 
+-	if (!schannel_global_required && !warned_global_once) {
+	if (!schannel_global_required && !warned_global_schannel_once) {
+ 		/*
+ 		 * We want admins to notice their misconfiguration!
+ 		 */
+ 		DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ 			"Please configure 'server schannel = yes', "
+ 			"See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
+-		warned_global_once = true;
+		warned_global_schannel_once = true;
+ 	}
+ 
+ 	status = NT_STATUS_OK;
+-- 
+2.39.0
--- a/backport-0038-CVE-2022-38023.patch
+++ b/backport-0038-CVE-2022-38023.patch
@ -0,0 +1,354 @@
+From fba17d9f8e6437fc675608c0507d6a00f830aaea Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero <scabrero@suse.de>
+Date: Wed, 4 Jan 2023 17:50:04 +0100
+Subject: [PATCH 40/40] CVE-2022-38023 s3:rpc_server/netlogon: implement
+ "server schannel require seal[:COMPUTERACCOUNT]"
+
+By default we'll now require schannel connections with
+privacy/sealing/encryption.
+
+But we allow exceptions for specific computer/trust accounts.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Samuel Cabrero <scabrero@suse.de>
+
+Conflict: remove selftest/target/Samba3.pm
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ selftest/target/Samba3.pm                   |  14 ++
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 237 +++++++++++++++++++-
+ 2 files changed, 249 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index f238d7ce42b..df305e94479 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1075,14 +1075,22 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ 	bool schannel_required = schannel_global_required;
+ 	bool schannel_explicitly_set = false;
+	bool seal_global_required = (lp_server_schannel_require_seal() == true) ? true:false;
+	bool seal_required = seal_global_required;
+	bool seal_explicitly_set = false;
+ 	int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+ 		"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ 	int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+ 		"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+	int CVE_2022_38023_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+		"CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
+	int CVE_2022_38023_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+		"CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
+ 	unsigned int dbg_lvl = DBGLVL_DEBUG;
+ 	const char *opname = "<unknown>";
+ 	const char *reason = "<unknown>";
+ 	static bool warned_global_schannel_once = false;
+	static bool warned_global_seal_once = false;
+ 
+ 	if (opnum < ndr_table_netlogon.num_calls) {
+ 		opname = ndr_table_netlogon.calls[opnum].name;
+@@ -1119,6 +1127,20 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		return status;
+ 	}
+ 
+	/*
+	 * We don't use lp_parm_bool(), as we
+	 * need the explicit_opt pointer in order to
+	 * adjust the debug messages.
+	 */
+	explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
+					    "server schannel require seal",
+					    creds->account_name,
+					    NULL);
+	if (explicit_opt != NULL) {
+		seal_required = lp_bool(explicit_opt);
+	}
+	seal_explicitly_set = explicit_opt != NULL;
+
+ 	/*
+ 	 * We don't use lp_parm_bool(), as we
+ 	 * need the explicit_opt pointer in order to
+@@ -1134,7 +1156,96 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	}
+ 	schannel_explicitly_set = explicit_opt != NULL;
+ 
+	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+	    auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+	{
+		status = NT_STATUS_OK;
+
+		if (schannel_explicitly_set && !schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+		} else if (!schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+		if (seal_explicitly_set && !seal_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+		} else if (!seal_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(status)));
+
+		if (schannel_explicitly_set && !schannel_required) {
+			DEBUG(CVE_2020_1472_warn_level, (
+			      "CVE-2020-1472(ZeroLogon): "
+			      "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		if (seal_explicitly_set && !seal_required) {
+			DEBUG(CVE_2022_38023_warn_level, (
+			      "CVE-2022-38023: "
+			      "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+ 	if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (seal_required) {
+			status = NT_STATUS_ACCESS_DENIED;
+
+			if (seal_explicitly_set) {
+				dbg_lvl = DBGLVL_NOTICE;
+			} else {
+				dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+			}
+			if (schannel_explicitly_set && !schannel_required) {
+				dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+			}
+
+			DEBUG(dbg_lvl, (
+			      "CVE-2022-38023: "
+			      "%s request (opnum[%u]) %s schannel from "
+			      "from client_account[%s] client_computer_name[%s] %s\n",
+			      opname, opnum, reason,
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name),
+			      nt_errstr(status)));
+			if (seal_explicitly_set) {
+				D_NOTICE("CVE-2022-38023: Option "
+					 "'server schannel require seal:%s = yes' "
+					 "rejects access for client.\n",
+					 log_escape(frame, creds->account_name));
+			} else {
+				DEBUG(CVE_2020_1472_error_level, (
+				      "CVE-2022-38023: Check if option "
+				      "'server schannel require seal:%s = no' "
+				      "might be needed for a legacy client.\n",
+				      log_escape(frame, creds->account_name)));
+			}
+			if (schannel_explicitly_set && !schannel_required) {
+				DEBUG(CVE_2020_1472_warn_level, (
+				      "CVE-2020-1472(ZeroLogon): Option "
+				      "'server require schannel:%s = no' "
+				      "not needed for '%s'!\n",
+				      log_escape(frame, creds->account_name),
+				      log_escape(frame, creds->computer_name)));
+			}
+			TALLOC_FREE(frame);
+			return status;
+		}
+
+ 		status = NT_STATUS_OK;
+ 
+ 		if (schannel_explicitly_set && !schannel_required) {
+@@ -1142,6 +1253,11 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		} else if (!schannel_required) {
+ 			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ 		}
+		if (seal_explicitly_set && !seal_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		} else if (!seal_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+		}
+ 
+ 		DEBUG(dbg_lvl, (
+ 		      "CVE-2020-1472(ZeroLogon): "
+@@ -1151,7 +1267,6 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		      log_escape(frame, creds->account_name),
+ 		      log_escape(frame, creds->computer_name),
+ 		      nt_errstr(status)));
+-
+ 		if (schannel_explicitly_set && !schannel_required) {
+ 			DEBUG(CVE_2020_1472_warn_level, (
+ 			      "CVE-2020-1472(ZeroLogon): "
+@@ -1159,7 +1274,77 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 			      log_escape(frame, creds->account_name),
+ 			      log_escape(frame, creds->computer_name)));
+ 		}
+		if (seal_explicitly_set && !seal_required) {
+			D_INFO("CVE-2022-38023: "
+			       "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
+			       log_escape(frame, creds->account_name),
+			       log_escape(frame, creds->computer_name));
+		} else if (!seal_required) {
+			/*
+			 * admins should set
+			 * server schannel require seal:COMPUTER$ = no
+			 * in order to avoid the level 0 messages.
+			 * Over time they can switch the global value
+			 * to be strict.
+			 */
+			DEBUG(CVE_2022_38023_error_level, (
+			      "CVE-2022-38023: "
+			      "Please use 'server schannel require seal:%s = no' "
+			      "for '%s' to avoid this warning!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		TALLOC_FREE(frame);
+		return status;
+	}
+
+	if (seal_required) {
+		status = NT_STATUS_ACCESS_DENIED;
+ 
+		if (seal_explicitly_set) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+		} else {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+		}
+		if (!schannel_explicitly_set) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+		} else if (schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "from client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(status)));
+		if (seal_explicitly_set) {
+			D_NOTICE("CVE-2022-38023: Option "
+			         "'server schannel require seal:%s = yes' "
+			         "rejects access for client.\n",
+			         log_escape(frame, creds->account_name));
+		} else {
+			DEBUG(CVE_2022_38023_error_level, (
+			      "CVE-2022-38023: Check if option "
+			      "'server schannel require seal:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		}
+		if (!schannel_explicitly_set) {
+			DEBUG(CVE_2020_1472_error_level, (
+			      "CVE-2020-1472(ZeroLogon): Check if option "
+			      "'server require schannel:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		} else if (schannel_required) {
+			D_NOTICE("CVE-2022-38023: Option "
+			         "'server require schannel:%s = yes' "
+			         "also rejects access for client.\n",
+			         log_escape(frame, creds->account_name));
+		}
+ 		TALLOC_FREE(frame);
+ 		return status;
+ 	}
+@@ -1172,6 +1357,9 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		} else {
+ 			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+ 		}
+		if (!seal_explicitly_set) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+		}
+ 
+ 		DEBUG(dbg_lvl, (
+ 		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+@@ -1193,6 +1381,13 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 			      "might be needed for a legacy client.\n",
+ 			      log_escape(frame, creds->account_name)));
+ 		}
+		if (!seal_explicitly_set) {
+			DEBUG(CVE_2022_38023_error_level, (
+			      "CVE-2022-38023: Check if option "
+			      "'server schannel require seal:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		}
+ 		TALLOC_FREE(frame);
+ 		return status;
+ 	}
+@@ -1207,8 +1402,24 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 		warned_global_schannel_once = true;
+ 	}
+ 
+	if (!seal_global_required && !warned_global_seal_once) {
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		DBG_ERR("CVE-2022-38023 (and others): "
+			"Please configure 'server schannel require seal = yes' (the default), "
+			"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+		warned_global_seal_once = true;
+	}
+
+ 	status = NT_STATUS_OK;
+ 
+	if (seal_explicitly_set) {
+		dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+	} else {
+		dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+	}
+
+ 	if (schannel_explicitly_set) {
+ 		dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ 	} else {
+@@ -1224,6 +1435,28 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	      log_escape(frame, creds->computer_name),
+ 	      nt_errstr(status)));
+ 
+	if (seal_explicitly_set) {
+		D_INFO("CVE-2022-38023: Option "
+		       "'server schannel require seal:%s = no' "
+		       "still needed for '%s'!\n",
+		       log_escape(frame, creds->account_name),
+		       log_escape(frame, creds->computer_name));
+	} else {
+		/*
+		 * admins should set
+		 * server schannel require seal:COMPUTER$ = no
+		 * in order to avoid the level 0 messages.
+		 * Over time they can switch the global value
+		 * to be strict.
+		 */
+		DEBUG(CVE_2022_38023_error_level, (
+		      "CVE-2022-38023: Please use "
+		       "'server schannel require seal:%s = no' "
+		      "for '%s' to avoid this warning!\n",
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name)));
+	}
+
+ 	if (schannel_explicitly_set) {
+ 		D_INFO("CVE-2020-1472(ZeroLogon): Option "
+ 		       "'server require schannel:%s = no' "
+@@ -1247,7 +1480,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ 	}
+ 
+ 	TALLOC_FREE(frame);
+-	return NT_STATUS_OK;
+	return status;
+ }
+ 
+ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
+-- 
+2.39.0
--- a/samba.spec
+++ b/samba.spec
@ -49,7 +49,7 @@

 Name:           samba
 Version:        4.11.12
-Release:        24
+Release:        25

 Summary:        A suite for Linux to interoperate with Windows
 License:        GPLv3+ and LGPLv3+
@ -329,6 +329,15 @@ Patch6399:       backport-0026-CVE-2022-38023.patch
 Patch6400:       backport-0027-CVE-2022-38023.patch
 Patch6401:       backport-0028-CVE-2022-38023.patch
 Patch6402:       backport-0029-CVE-2022-38023.patch
+Patch6403:       backport-0030-CVE-2022-38023.patch
+Patch6404:       backport-0031-CVE-2022-38023.patch
+Patch6405:       backport-0032-CVE-2022-38023.patch
+Patch6406:       backport-0033-CVE-2022-38023.patch
+Patch6407:       backport-0034-CVE-2022-38023.patch
+Patch6408:       backport-0035-CVE-2022-38023.patch
+Patch6409:       backport-0036-CVE-2022-38023.patch
+Patch6410:       backport-0037-CVE-2022-38023.patch
+Patch6411:       backport-0038-CVE-2022-38023.patch


 BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel
@ -3387,6 +3396,12 @@ fi
 %{_mandir}/man*

 %changelog
+* Mon Apr 03 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-25
+- Type:cves
+- CVE:CVE-2022-38023
+- SUG:NA
+- DESC:add patch for fix CVE-2022-38023
+
 * Wed Jan 18 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-24
 - Type:cves
 - CVE:CVE-2022-38023