From a0b97e262318dc56fe663da89b0ee3172b2e7848 Mon Sep 17 00:00:00 2001
From: Samuel Cabrero <scabrero@suse.de>
Date: Thu, 22 Dec 2022 11:05:33 +0100
Subject: [PATCH] CVE-2022-38023 s3:rpc_server/netlogon: Check for global
 "server schannel require seal"

By default we'll now require schannel connections with privacy/sealing/encryption.

But we allow exceptions for specific computer/trust accounts.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
---
 source3/rpc_server/netlogon/srv_netlog_nt.c | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
index 42e0eb2cea2..63ad9ac513f 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -2893,7 +2893,9 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
 	struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx;
 	int schannel = lpcfg_server_schannel(lp_ctx);
 	bool schannel_global_required = (schannel == true);
+	bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
 	static bool warned_global_schannel_once = false;
+	static bool warned_global_seal_once = false;
 
 	if (!schannel_global_required && !warned_global_schannel_once) {
 		/*
@@ -2905,6 +2907,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
 		warned_global_schannel_once = true;
 	}
 
+	if (!global_require_seal && !warned_global_seal_once) {
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		D_ERR("CVE-2022-38023 (and others): "
+		      "Please configure 'server schannel require seal = yes' (the default), "
+		      "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+		warned_global_seal_once = true;
+	}
+
 	return NT_STATUS_OK;
 }