mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
By default we'll now require schannel connections with privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a0b97e2623
)
This commit is contained in:
parent
7f4f9a3277
commit
5590057775
@ -2895,7 +2895,9 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
|
||||
struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
|
||||
int schannel = lpcfg_server_schannel(lp_ctx);
|
||||
bool schannel_global_required = (schannel == true);
|
||||
bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
|
||||
static bool warned_global_schannel_once = false;
|
||||
static bool warned_global_seal_once = false;
|
||||
|
||||
if (!schannel_global_required && !warned_global_schannel_once) {
|
||||
/*
|
||||
@ -2907,6 +2909,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
|
||||
warned_global_schannel_once = true;
|
||||
}
|
||||
|
||||
if (!global_require_seal && !warned_global_seal_once) {
|
||||
/*
|
||||
* We want admins to notice their misconfiguration!
|
||||
*/
|
||||
D_ERR("CVE-2022-38023 (and others): "
|
||||
"Please configure 'server schannel require seal = yes' (the default), "
|
||||
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
||||
warned_global_seal_once = true;
|
||||
}
|
||||
|
||||
return NT_STATUS_OK;
|
||||
}
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user