sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-03-12 20:58:37 +03:00
Code

CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"

Browse Source 
By default we'll now require schannel connections with privacy/sealing/encryption.

But we allow exceptions for specific computer/trust accounts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
This commit is contained in:
Samuel Cabrero 2022-12-22 11:05:33 +01:00 committed by Andreas Schneider
parent ca07f4340c
commit a0b97e2623
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
source3/rpc_server/netlogon/srv_netlog_nt.c
View File

@ -2893,7 +2893,9 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
int schannel = lpcfg_server_schannel(lp_ctx);
bool schannel_global_required = (schannel == true);
bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
static bool warned_global_schannel_once = false;
static bool warned_global_seal_once = false;
if (!schannel_global_required && !warned_global_schannel_once) {
/*
@ -2905,6 +2907,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
warned_global_schannel_once = true;
}
if (!global_require_seal && !warned_global_seal_once) {
/*
* We want admins to notice their misconfiguration!
*/
D_ERR("CVE-2022-38023 (and others): "
"Please configure 'server schannel require seal = yes' (the default), "
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
warned_global_seal_once = true;
}
return NT_STATUS_OK;
}