packages/samba
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
samba/backport-0032-CVE-2022-38023.patch
xinghe c24b46a73b add patch for fix CVE-2022-38023
2023-04-03 09:21:42 +00:00

230 lines
8.1 KiB
Diff
Raw Blame History

From 4e9f73ed47739f66fbf330d1f6ddb738b749395a Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 22 Dec 2022 11:35:57 +0100
Subject: [PATCH 33/40] CVE-2022-38023 s3:rpc_server/netlogon: improve
CVE-2020-1472(ZeroLogon) debug messages
In order to avoid generating useless debug messages during make test,
we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3'
and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings.
Review with: git show -w
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Conflict: NA
Reference: https://attachments.samba.org/attachment.cgi?id=17736
---
source3/rpc_server/netlogon/srv_netlog_nt.c | 149 ++++++++++++++------
1 file changed, 109 insertions(+), 40 deletions(-)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index ba73fe3fa58..c9401499a9b 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -1077,9 +1077,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
const char *explicit_opt = NULL;
struct loadparm_context *lp_ctx;
struct netlogon_creds_CredentialState *creds = NULL;
+ int CVE_2020_1472_warn_level = DBGLVL_ERR;
+ int CVE_2020_1472_error_level = DBGLVL_ERR;
+ unsigned int dbg_lvl = DBGLVL_DEBUG;
enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE;
uint16_t opnum = p->opnum;
const char *opname = "<unknown>";
+ const char *reason = "<unknown>";
static bool warned_global_once = false;
if (creds_out != NULL) {
@@ -1091,6 +1096,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
}
auth_type = p->auth.auth_type;
+ auth_level = p->auth.auth_level;
lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers());
if (lp_ctx == NULL) {
@@ -1099,6 +1105,23 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
return NT_STATUS_INTERNAL_ERROR;
}
+ CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+ reason = "WITH SEALED";
+ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+ reason = "WITH SIGNED";
+ } else {
+ smb_panic("Schannel without SIGN/SEAL");
+ }
+ } else {
+ reason = "WITHOUT";
+ }
+
status = schannel_check_creds_state(mem_ctx, lp_ctx,
computer_name, received_authenticator,
return_authenticator, &creds);
@@ -1123,40 +1146,69 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
}
if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
- if (!schannel_required) {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) WITH schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
+ status = NT_STATUS_OK;
+
+ if (explicit_opt != NULL && !schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+ } else if (!schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
}
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(status)));
+
if (explicit_opt != NULL && !schannel_required) {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "Option 'server require schannel:%s = no' not needed!?\n",
- log_escape(frame, creds->account_name));
+ DEBUG(CVE_2020_1472_warn_level, (
+ "CVE-2020-1472(ZeroLogon): "
+ "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
}
*creds_out = creds;
TALLOC_FREE(frame);
- return NT_STATUS_OK;
+ return status;
}
if (schannel_required) {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) without schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
- "'server require schannel:%s = no' "
- "might be needed for a legacy client.\n",
- log_escape(frame, creds->account_name));
+ status = NT_STATUS_ACCESS_DENIED;
+
+ if (explicit_opt != NULL) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+ } else {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(status)));
+ if (explicit_opt != NULL) {
+ D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
+ "'server require schannel:%s = yes' "
+ "rejects access for client.\n",
+ log_escape(frame, creds->account_name));
+ } else {
+ DEBUG(CVE_2020_1472_error_level, (
+ "CVE-2020-1472(ZeroLogon): Check if option "
+ "'server require schannel:%s = no' "
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
TALLOC_FREE(creds);
ZERO_STRUCTP(return_authenticator);
TALLOC_FREE(frame);
- return NT_STATUS_ACCESS_DENIED;
+ return status;
}
if (!schannel_global_required && !warned_global_once) {
@@ -1169,26 +1221,43 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p,
warned_global_once = true;
}
+ status = NT_STATUS_OK;
+
if (explicit_opt != NULL) {
- DBG_INFO("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) without schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
- DBG_INFO("CVE-2020-1472(ZeroLogon): "
- "Option 'server require schannel:%s = no' still needed!\n",
- log_escape(frame, creds->account_name));
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
} else {
- DBG_ERR("CVE-2020-1472(ZeroLogon): "
- "%s request (opnum[%u]) without schannel from "
- "client_account[%s] client_computer_name[%s]\n",
- opname, opnum,
- log_escape(frame, creds->account_name),
- log_escape(frame, creds->computer_name));
- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
- "'server require schannel:%s = no' might be needed!\n",
- log_escape(frame, creds->account_name));
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+ "%s request (opnum[%u]) %s schannel from "
+ "client_account[%s] client_computer_name[%s] %s\n",
+ opname, opnum, reason,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ nt_errstr(status)));
+
+ if (explicit_opt != NULL) {
+ D_INFO("CVE-2020-1472(ZeroLogon): Option "
+ "'server require schannel:%s = no' "
+ "still needed for '%s'!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name));
+ } else {
+ /*
+ * admins should set
+ * server require schannel:COMPUTER$ = no
+ * in order to avoid the level 0 messages.
+ * Over time they can switch the global value
+ * to be strict.
+ */
+ DEBUG(CVE_2020_1472_error_level, (
+ "CVE-2020-1472(ZeroLogon): "
+ "Please use 'server require schannel:%s = no' "
+ "for '%s' to avoid this warning!\n",
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
}
*creds_out = creds;
--
2.39.0
Reference in New Issue View Git Blame Copy Permalink