mirror of
https://github.com/samba-team/samba.git
synced 2024-12-22 13:34:15 +03:00
CVE-2022-38023 s4:rpc_server/netlogon: implement "server schannel require seal[:COMPUTERACCOUNT]"
By default we'll now require schannel connections with privacy/sealing/encryption. But we allow exceptions for specific computer/trust accounts. BUG: https://bugzilla.samba.org/show_bug.cgi?id=15260 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
This commit is contained in:
parent
3c57608e11
commit
b3ed90a054
@ -1647,9 +1647,23 @@ sub provision_ad_dc_ntvfs($$$)
|
||||
server require schannel:schannel10\$ = no
|
||||
server require schannel:schannel11\$ = no
|
||||
server require schannel:torturetest\$ = no
|
||||
server schannel require seal:schannel0\$ = no
|
||||
server schannel require seal:schannel1\$ = no
|
||||
server schannel require seal:schannel2\$ = no
|
||||
server schannel require seal:schannel3\$ = no
|
||||
server schannel require seal:schannel4\$ = no
|
||||
server schannel require seal:schannel5\$ = no
|
||||
server schannel require seal:schannel6\$ = no
|
||||
server schannel require seal:schannel7\$ = no
|
||||
server schannel require seal:schannel8\$ = no
|
||||
server schannel require seal:schannel9\$ = no
|
||||
server schannel require seal:schannel10\$ = no
|
||||
server schannel require seal:schannel11\$ = no
|
||||
server schannel require seal:torturetest\$ = no
|
||||
|
||||
# needed for 'samba.tests.auth_log' tests
|
||||
server require schannel:LOCALDC\$ = no
|
||||
server schannel require seal:LOCALDC\$ = no
|
||||
";
|
||||
push (@{$extra_provision_options}, "--use-ntvfs");
|
||||
my $ret = $self->provision($prefix,
|
||||
@ -2051,6 +2065,19 @@ sub provision_ad_dc($$$$$$$)
|
||||
server require schannel:schannel10\$ = no
|
||||
server require schannel:schannel11\$ = no
|
||||
server require schannel:torturetest\$ = no
|
||||
server schannel require seal:schannel0\$ = no
|
||||
server schannel require seal:schannel1\$ = no
|
||||
server schannel require seal:schannel2\$ = no
|
||||
server schannel require seal:schannel3\$ = no
|
||||
server schannel require seal:schannel4\$ = no
|
||||
server schannel require seal:schannel5\$ = no
|
||||
server schannel require seal:schannel6\$ = no
|
||||
server schannel require seal:schannel7\$ = no
|
||||
server schannel require seal:schannel8\$ = no
|
||||
server schannel require seal:schannel9\$ = no
|
||||
server schannel require seal:schannel10\$ = no
|
||||
server schannel require seal:schannel11\$ = no
|
||||
server schannel require seal:torturetest\$ = no
|
||||
|
||||
auth event notification = true
|
||||
dsdb event notification = true
|
||||
@ -2744,6 +2771,7 @@ sub setup_ad_dc_smb1
|
||||
|
||||
# needed for 'samba.tests.auth_log' tests
|
||||
server require schannel:ADDCSMB1\$ = no
|
||||
server schannel require seal:ADDCSMB1\$ = no
|
||||
";
|
||||
return _setup_ad_dc($self, $path, $conf_opts, "addcsmb1", "addom2.samba.example.com");
|
||||
}
|
||||
|
@ -68,9 +68,11 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
|
||||
bool global_reject_md5_client = lpcfg_reject_md5_clients(lp_ctx);
|
||||
int schannel = lpcfg_server_schannel(lp_ctx);
|
||||
bool schannel_global_required = (schannel == true);
|
||||
bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
|
||||
static bool warned_global_nt4_once = false;
|
||||
static bool warned_global_md5_once = false;
|
||||
static bool warned_global_schannel_once = false;
|
||||
static bool warned_global_seal_once = false;
|
||||
|
||||
if (global_allow_nt4_crypto && !warned_global_nt4_once) {
|
||||
/*
|
||||
@ -102,6 +104,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context
|
||||
warned_global_schannel_once = true;
|
||||
}
|
||||
|
||||
if (!global_require_seal && !warned_global_seal_once) {
|
||||
/*
|
||||
* We want admins to notice their misconfiguration!
|
||||
*/
|
||||
D_ERR("CVE-2022-38023 (and others): "
|
||||
"Please configure 'server schannel require seal = yes' (the default), "
|
||||
"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
|
||||
warned_global_seal_once = true;
|
||||
}
|
||||
|
||||
return dcesrv_interface_bind_reject_connect(context, iface);
|
||||
}
|
||||
|
||||
@ -886,6 +898,10 @@ struct dcesrv_netr_check_schannel_state {
|
||||
bool schannel_required;
|
||||
bool schannel_explicitly_set;
|
||||
|
||||
bool seal_global_required;
|
||||
bool seal_required;
|
||||
bool seal_explicitly_set;
|
||||
|
||||
NTSTATUS result;
|
||||
};
|
||||
|
||||
@ -900,6 +916,9 @@ static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *d
|
||||
bool schannel_global_required = (schannel == true);
|
||||
bool schannel_required = schannel_global_required;
|
||||
const char *explicit_opt = NULL;
|
||||
bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
|
||||
bool require_seal = global_require_seal;
|
||||
const char *explicit_seal_opt = NULL;
|
||||
#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
|
||||
struct dcesrv_netr_check_schannel_state *s = NULL;
|
||||
NTSTATUS status;
|
||||
@ -937,6 +956,19 @@ new_state:
|
||||
s->auth_level = auth_level;
|
||||
s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
|
||||
|
||||
/*
|
||||
* We don't use lpcfg_parm_bool(), as we
|
||||
* need the explicit_opt pointer in order to
|
||||
* adjust the debug messages.
|
||||
*/
|
||||
explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
|
||||
NULL,
|
||||
"server schannel require seal",
|
||||
creds->account_name);
|
||||
if (explicit_seal_opt != NULL) {
|
||||
require_seal = lp_bool(explicit_seal_opt);
|
||||
}
|
||||
|
||||
/*
|
||||
* We don't use lpcfg_parm_bool(), as we
|
||||
* need the explicit_opt pointer in order to
|
||||
@ -954,6 +986,10 @@ new_state:
|
||||
s->schannel_required = schannel_required;
|
||||
s->schannel_explicitly_set = explicit_opt != NULL;
|
||||
|
||||
s->seal_global_required = global_require_seal;
|
||||
s->seal_required = require_seal;
|
||||
s->seal_explicitly_set = explicit_seal_opt != NULL;
|
||||
|
||||
status = dcesrv_iface_state_store_conn(dce_call,
|
||||
DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
|
||||
s);
|
||||
@ -975,6 +1011,10 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
|
||||
int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
||||
"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
|
||||
int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
|
||||
"CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
|
||||
int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
|
||||
"CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
|
||||
TALLOC_CTX *frame = talloc_stackframe();
|
||||
unsigned int dbg_lvl = DBGLVL_DEBUG;
|
||||
const char *opname = "<unknown>";
|
||||
@ -1004,7 +1044,7 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
}
|
||||
|
||||
DEBUG(dbg_lvl, (
|
||||
"CVE-2020-1472(ZeroLogon): "
|
||||
"CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
||||
"%s request (opnum[%u]) %s schannel from "
|
||||
"client_account[%s] client_computer_name[%s] %s\n",
|
||||
opname, opnum, reason,
|
||||
@ -1015,7 +1055,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
return s->result;
|
||||
}
|
||||
|
||||
if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
||||
if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
|
||||
s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
|
||||
{
|
||||
s->result = NT_STATUS_OK;
|
||||
|
||||
if (s->schannel_explicitly_set && !s->schannel_required) {
|
||||
@ -1023,6 +1065,98 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
} else if (!s->schannel_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
||||
}
|
||||
if (s->seal_explicitly_set && !s->seal_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
|
||||
} else if (!s->seal_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
||||
}
|
||||
|
||||
DEBUG(dbg_lvl, (
|
||||
"CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
||||
"%s request (opnum[%u]) %s schannel from "
|
||||
"client_account[%s] client_computer_name[%s] %s\n",
|
||||
opname, opnum, reason,
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name),
|
||||
nt_errstr(s->result)));
|
||||
|
||||
if (s->schannel_explicitly_set && !s->schannel_required) {
|
||||
DEBUG(CVE_2020_1472_warn_level, (
|
||||
"CVE-2020-1472(ZeroLogon): "
|
||||
"Option 'server require schannel:%s = no' not needed for '%s'!\n",
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name)));
|
||||
}
|
||||
|
||||
if (s->seal_explicitly_set && !s->seal_required) {
|
||||
DEBUG(CVE_2022_38023_warn_level, (
|
||||
"CVE-2022-38023: "
|
||||
"Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name)));
|
||||
}
|
||||
|
||||
TALLOC_FREE(frame);
|
||||
return s->result;
|
||||
}
|
||||
|
||||
if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
|
||||
if (s->seal_required) {
|
||||
s->result = NT_STATUS_ACCESS_DENIED;
|
||||
|
||||
if (s->seal_explicitly_set) {
|
||||
dbg_lvl = DBGLVL_NOTICE;
|
||||
} else {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
||||
}
|
||||
if (s->schannel_explicitly_set && !s->schannel_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
|
||||
}
|
||||
|
||||
DEBUG(dbg_lvl, (
|
||||
"CVE-2022-38023: "
|
||||
"%s request (opnum[%u]) %s schannel from "
|
||||
"from client_account[%s] client_computer_name[%s] %s\n",
|
||||
opname, opnum, reason,
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name),
|
||||
nt_errstr(s->result)));
|
||||
if (s->seal_explicitly_set) {
|
||||
D_NOTICE("CVE-2022-38023: Option "
|
||||
"'server schannel require seal:%s = yes' "
|
||||
"rejects access for client.\n",
|
||||
log_escape(frame, creds->account_name));
|
||||
} else {
|
||||
DEBUG(CVE_2020_1472_error_level, (
|
||||
"CVE-2022-38023: Check if option "
|
||||
"'server schannel require seal:%s = no' "
|
||||
"might be needed for a legacy client.\n",
|
||||
log_escape(frame, creds->account_name)));
|
||||
}
|
||||
if (s->schannel_explicitly_set && !s->schannel_required) {
|
||||
DEBUG(CVE_2020_1472_warn_level, (
|
||||
"CVE-2020-1472(ZeroLogon): Option "
|
||||
"'server require schannel:%s = no' "
|
||||
"not needed for '%s'!\n",
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name)));
|
||||
}
|
||||
TALLOC_FREE(frame);
|
||||
return s->result;
|
||||
}
|
||||
|
||||
s->result = NT_STATUS_OK;
|
||||
|
||||
if (s->schannel_explicitly_set && !s->schannel_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
|
||||
} else if (!s->schannel_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
||||
}
|
||||
if (s->seal_explicitly_set && !s->seal_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
||||
} else if (!s->seal_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
||||
}
|
||||
|
||||
DEBUG(dbg_lvl, (
|
||||
"CVE-2020-1472(ZeroLogon): "
|
||||
@ -1039,11 +1173,81 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name)));
|
||||
}
|
||||
if (s->seal_explicitly_set && !s->seal_required) {
|
||||
D_INFO("CVE-2022-38023: "
|
||||
"Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name));
|
||||
} else if (!s->seal_required) {
|
||||
/*
|
||||
* admins should set
|
||||
* server schannel require seal:COMPUTER$ = no
|
||||
* in order to avoid the level 0 messages.
|
||||
* Over time they can switch the global value
|
||||
* to be strict.
|
||||
*/
|
||||
DEBUG(CVE_2022_38023_error_level, (
|
||||
"CVE-2022-38023: "
|
||||
"Please use 'server schannel require seal:%s = no' "
|
||||
"for '%s' to avoid this warning!\n",
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name)));
|
||||
}
|
||||
|
||||
TALLOC_FREE(frame);
|
||||
return s->result;
|
||||
}
|
||||
|
||||
if (s->seal_required) {
|
||||
s->result = NT_STATUS_ACCESS_DENIED;
|
||||
|
||||
if (s->seal_explicitly_set) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
|
||||
} else {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
||||
}
|
||||
if (!s->schannel_explicitly_set) {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
||||
} else if (s->schannel_required) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
|
||||
}
|
||||
|
||||
DEBUG(dbg_lvl, (
|
||||
"CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
||||
"%s request (opnum[%u]) %s schannel from "
|
||||
"from client_account[%s] client_computer_name[%s] %s\n",
|
||||
opname, opnum, reason,
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name),
|
||||
nt_errstr(s->result)));
|
||||
if (s->seal_explicitly_set) {
|
||||
D_NOTICE("CVE-2022-38023: Option "
|
||||
"'server schannel require seal:%s = yes' "
|
||||
"rejects access for client.\n",
|
||||
log_escape(frame, creds->account_name));
|
||||
} else {
|
||||
DEBUG(CVE_2022_38023_error_level, (
|
||||
"CVE-2022-38023: Check if option "
|
||||
"'server schannel require seal:%s = no' "
|
||||
"might be needed for a legacy client.\n",
|
||||
log_escape(frame, creds->account_name)));
|
||||
}
|
||||
if (!s->schannel_explicitly_set) {
|
||||
DEBUG(CVE_2020_1472_error_level, (
|
||||
"CVE-2020-1472(ZeroLogon): Check if option "
|
||||
"'server require schannel:%s = no' "
|
||||
"might be needed for a legacy client.\n",
|
||||
log_escape(frame, creds->account_name)));
|
||||
} else if (s->schannel_required) {
|
||||
D_NOTICE("CVE-2022-38023: Option "
|
||||
"'server require schannel:%s = yes' "
|
||||
"also rejects access for client.\n",
|
||||
log_escape(frame, creds->account_name));
|
||||
}
|
||||
TALLOC_FREE(frame);
|
||||
return s->result;
|
||||
}
|
||||
|
||||
if (s->schannel_required) {
|
||||
s->result = NT_STATUS_ACCESS_DENIED;
|
||||
|
||||
@ -1052,6 +1256,9 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
} else {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
|
||||
}
|
||||
if (!s->seal_explicitly_set) {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
||||
}
|
||||
|
||||
DEBUG(dbg_lvl, (
|
||||
"CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
|
||||
@ -1073,12 +1280,25 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
"might be needed for a legacy client.\n",
|
||||
log_escape(frame, creds->account_name)));
|
||||
}
|
||||
if (!s->seal_explicitly_set) {
|
||||
DEBUG(CVE_2022_38023_error_level, (
|
||||
"CVE-2022-38023: Check if option "
|
||||
"'server schannel require seal:%s = no' "
|
||||
"might be needed for a legacy client.\n",
|
||||
log_escape(frame, creds->account_name)));
|
||||
}
|
||||
TALLOC_FREE(frame);
|
||||
return s->result;
|
||||
}
|
||||
|
||||
s->result = NT_STATUS_OK;
|
||||
|
||||
if (s->seal_explicitly_set) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
||||
} else {
|
||||
dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
|
||||
}
|
||||
|
||||
if (s->schannel_explicitly_set) {
|
||||
dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
|
||||
} else {
|
||||
@ -1094,6 +1314,28 @@ static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_ca
|
||||
log_escape(frame, creds->computer_name),
|
||||
nt_errstr(s->result)));
|
||||
|
||||
if (s->seal_explicitly_set) {
|
||||
D_INFO("CVE-2022-38023: Option "
|
||||
"'server schannel require seal:%s = no' "
|
||||
"still needed for '%s'!\n",
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name));
|
||||
} else {
|
||||
/*
|
||||
* admins should set
|
||||
* server schannel require seal:COMPUTER$ = no
|
||||
* in order to avoid the level 0 messages.
|
||||
* Over time they can switch the global value
|
||||
* to be strict.
|
||||
*/
|
||||
DEBUG(CVE_2022_38023_error_level, (
|
||||
"CVE-2022-38023: Please use "
|
||||
"'server schannel require seal:%s = no' "
|
||||
"for '%s' to avoid this warning!\n",
|
||||
log_escape(frame, creds->account_name),
|
||||
log_escape(frame, creds->computer_name)));
|
||||
}
|
||||
|
||||
if (s->schannel_explicitly_set) {
|
||||
D_INFO("CVE-2020-1472(ZeroLogon): Option "
|
||||
"'server require schannel:%s = no' "
|
||||
|
Loading…
Reference in New Issue
Block a user