132 lines
4.8 KiB
Diff
132 lines
4.8 KiB
Diff
From ae1f4644245237fe76bb162af8e95c42903e4eca Mon Sep 17 00:00:00 2001
|
|
From: Stefan Metzmacher <metze@samba.org>
|
|
Date: Wed, 30 Nov 2022 14:47:33 +0100
|
|
Subject: [PATCH 04/29] CVE-2022-38023 libcli/auth: add/use
|
|
netlogon_creds_cli_warn_options()
|
|
|
|
This warns the admin about insecure options
|
|
|
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
|
|
|
|
Signed-off-by: Stefan Metzmacher <metze@samba.org>
|
|
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
|
|
Reviewed-by: Ralph Boehme <slow@samba.org>
|
|
|
|
(similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
|
|
[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
|
|
getpid()]
|
|
|
|
Conflict: NA
|
|
Reference: https://attachments.samba.org/attachment.cgi?id=17698
|
|
---
|
|
libcli/auth/netlogon_creds_cli.c | 66 ++++++++++++++++++++++++++++++++
|
|
libcli/auth/netlogon_creds_cli.h | 2 +
|
|
2 files changed, 68 insertions(+)
|
|
|
|
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
|
|
index f8b7bc2133ed..3c3908ea735b 100644
|
|
--- a/libcli/auth/netlogon_creds_cli.c
|
|
+++ b/libcli/auth/netlogon_creds_cli.c
|
|
@@ -204,6 +204,8 @@ static struct db_context *netlogon_creds_cli_global_db;
|
|
NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
|
|
struct db_context **db)
|
|
{
|
|
+ netlogon_creds_cli_warn_options(lp_ctx);
|
|
+
|
|
if (netlogon_creds_cli_global_db != NULL) {
|
|
return NT_STATUS_INVALID_PARAMETER_MIX;
|
|
}
|
|
@@ -218,6 +220,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
|
|
struct db_context *global_db;
|
|
int hash_size, tdb_flags;
|
|
|
|
+ netlogon_creds_cli_warn_options(lp_ctx);
|
|
+
|
|
if (netlogon_creds_cli_global_db != NULL) {
|
|
return NT_STATUS_OK;
|
|
}
|
|
@@ -258,6 +262,68 @@ void netlogon_creds_cli_close_global_db(void)
|
|
TALLOC_FREE(netlogon_creds_cli_global_db);
|
|
}
|
|
|
|
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
|
|
+{
|
|
+ bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
|
|
+ bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
|
|
+ int global_client_schannel = lpcfg_client_schannel(lp_ctx);
|
|
+ bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
|
|
+ static bool warned_global_reject_md5_servers = false;
|
|
+ static bool warned_global_require_strong_key = false;
|
|
+ static bool warned_global_client_schannel = false;
|
|
+ static bool warned_global_seal_secure_channel = false;
|
|
+ static int warned_global_pid = 0;
|
|
+ int current_pid = getpid();
|
|
+
|
|
+ if (warned_global_pid != current_pid) {
|
|
+ warned_global_reject_md5_servers = false;
|
|
+ warned_global_require_strong_key = false;
|
|
+ warned_global_client_schannel = false;
|
|
+ warned_global_seal_secure_channel = false;
|
|
+ warned_global_pid = current_pid;
|
|
+ }
|
|
+
|
|
+ if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
|
|
+ /*
|
|
+ * We want admins to notice their misconfiguration!
|
|
+ */
|
|
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
+ "Please configure 'reject md5 servers = yes' (the default), "
|
|
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
+ warned_global_reject_md5_servers = true;
|
|
+ }
|
|
+
|
|
+ if (!global_require_strong_key && !warned_global_require_strong_key) {
|
|
+ /*
|
|
+ * We want admins to notice their misconfiguration!
|
|
+ */
|
|
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
+ "Please configure 'require strong key = yes' (the default), "
|
|
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
+ warned_global_require_strong_key = true;
|
|
+ }
|
|
+
|
|
+ if (global_client_schannel != true && !warned_global_client_schannel) {
|
|
+ /*
|
|
+ * We want admins to notice their misconfiguration!
|
|
+ */
|
|
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
+ "Please configure 'client schannel = yes' (the default), "
|
|
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
+ warned_global_client_schannel = true;
|
|
+ }
|
|
+
|
|
+ if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
|
|
+ /*
|
|
+ * We want admins to notice their misconfiguration!
|
|
+ */
|
|
+ DBG_ERR("CVE-2022-38023 (and others): "
|
|
+ "Please configure 'winbind sealed pipes = yes' (the default), "
|
|
+ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
|
+ warned_global_seal_secure_channel = true;
|
|
+ }
|
|
+}
|
|
+
|
|
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
|
struct messaging_context *msg_ctx,
|
|
const char *client_account,
|
|
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
|
|
index 3e401dabe9c3..fed3e77fa58a 100644
|
|
--- a/libcli/auth/netlogon_creds_cli.h
|
|
+++ b/libcli/auth/netlogon_creds_cli.h
|
|
@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
|
|
NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
|
|
void netlogon_creds_cli_close_global_db(void);
|
|
|
|
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
|
|
+
|
|
NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
|
|
struct messaging_context *msg_ctx,
|
|
const char *client_account,
|
|
--
|
|
2.34.1
|