From 7ae3735810c2db32fa50f309f8af3c76ffa29768 Mon Sep 17 00:00:00 2001 From: Stefan Metzmacher Date: Wed, 30 Nov 2022 14:57:20 +0100 Subject: [PATCH] CVE-2022-38023 selftest:Samba4: avoid global 'allow nt4 crypto = yes' and 'reject md5 clients = no' Instead of using the generic deprecated option use the specific allow nt4 crypto:COMPUTERACCOUNT = yes and server reject md5 schannel:COMPUTERACCOUNT = no in order to allow legacy tests for pass. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher Reviewed-by: Andrew Bartlett Reviewed-by: Ralph Boehme --- selftest/target/Samba4.pm | 60 ++++++++++++++++++++++++++++++++++----- 1 file changed, 53 insertions(+), 7 deletions(-) diff --git a/selftest/target/Samba4.pm b/selftest/target/Samba4.pm index 182b9f2fb26..fd69cdf96a3 100755 --- a/selftest/target/Samba4.pm +++ b/selftest/target/Samba4.pm @@ -1610,7 +1610,6 @@ sub provision_ad_dc_ntvfs($$$) my $extra_conf_options = "netbios aliases = localDC1-a server services = +winbind -winbindd ldap server require strong auth = allow_sasl_over_tls - allow nt4 crypto = yes raw NTLMv2 auth = yes lsa over netlogon = yes rpc server port = 1027 @@ -1622,9 +1621,19 @@ sub provision_ad_dc_ntvfs($$$) client min protocol = CORE server min protocol = LANMAN1 - reject md5 clients = no - CVE_2020_1472:warn_about_unused_debug_level = 3 + CVE_2022_38023:warn_about_unused_debug_level = 3 + allow nt4 crypto:torturetest\$ = yes + server reject md5 schannel:schannel2\$ = no + server reject md5 schannel:schannel3\$ = no + server reject md5 schannel:schannel8\$ = no + server reject md5 schannel:schannel9\$ = no + server reject md5 schannel:torturetest\$ = no + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no server require schannel:schannel0\$ = no server require schannel:schannel1\$ = no server require schannel:schannel2\$ = no @@ -1679,6 +1688,13 @@ sub provision_fl2000dc($$) kdc enable fast = no spnego:simulate_w2k=yes ntlmssp_server:force_old_spnego=yes + + CVE_2022_38023:warn_about_unused_debug_level = 3 + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no "; my $extra_provision_options = ["--base-schema=2008_R2"]; # This environment uses plain text secrets @@ -1719,11 +1735,23 @@ sub provision_fl2003dc($$$) my $ip_addr2 = Samba::get_ipv6_addr("fakednsforwarder2"); print "PROVISIONING DC WITH FOREST LEVEL 2003...\n"; - my $extra_conf_options = "allow dns updates = nonsecure and secure + my $extra_conf_options = " + allow dns updates = nonsecure and secure + kdc enable fast = no dcesrv:header signing = no dcesrv:max auth states = 0 - dns forwarder = $ip_addr1 [$ip_addr2]:54"; + + dns forwarder = $ip_addr1 [$ip_addr2]:54 + + CVE_2022_38023:warn_about_unused_debug_level = 3 + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no +"; + my $extra_provision_options = ["--base-schema=2008_R2"]; my $ret = $self->provision($prefix, "domain controller", @@ -1778,6 +1806,13 @@ sub provision_fl2008r2dc($$$) ldap server require strong auth = no # delay by 10 seconds, 10^7 usecs ldap_server:delay_expire_disconnect = 10000 + + CVE_2022_38023:warn_about_unused_debug_level = 3 + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no "; my $extra_provision_options = ["--base-schema=2008_R2"]; my $ret = $self->provision($prefix, @@ -1989,9 +2024,20 @@ sub provision_ad_dc($$$$$$$) lpq cache time = 0 print notify backchannel = yes - reject md5 clients = no - CVE_2020_1472:warn_about_unused_debug_level = 3 + CVE_2022_38023:warn_about_unused_debug_level = 3 + CVE_2022_38023:error_debug_level = 2 + server reject md5 schannel:schannel2\$ = no + server reject md5 schannel:schannel3\$ = no + server reject md5 schannel:schannel8\$ = no + server reject md5 schannel:schannel9\$ = no + server reject md5 schannel:torturetest\$ = no + server reject md5 schannel:tests4u2proxywk\$ = no + server reject md5 schannel:tests4u2selfbdc\$ = no + server reject md5 schannel:tests4u2selfwk\$ = no + server reject md5 schannel:torturepacbdc\$ = no + server reject md5 schannel:torturepacwksta\$ = no + server reject md5 schannel:samlogontest\$ = no server require schannel:schannel0\$ = no server require schannel:schannel1\$ = no server require schannel:schannel2\$ = no