sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-02-14 01:57:53 +03:00
Code

CVE-2022-38023 testparm: warn about unsecure schannel related options

Browse Source 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 4d540473c3d43d048a30dd63efaeae9ff87b2aeb)
This commit is contained in:
Stefan Metzmacher 2022-12-06 13:36:17 +01:00
parent 0d4f8c7044
commit f4d487bda5
1 changed files with 61 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

61
source3/utils/testparm.c
View File

@ -608,6 +608,37 @@ static int do_global_checks(void)
"'server require schannel:COMPUTERACCOUNT$ = no' "
"options\n\n");
}
if (lp_allow_nt4_crypto()) {
fprintf(stderr,
"WARNING: You have not configured "
"'allow nt4 crypto = no' (the default). "
"Your server is vulernable to "
"CVE-2022-38023 and others!\n"
"If required use individual "
"'allow nt4 crypto:COMPUTERACCOUNT$ = yes' "
"options\n\n");
}
if (!lp_reject_md5_clients()) {
fprintf(stderr,
"WARNING: You have not configured "
"'reject md5 clients = yes' (the default). "
"Your server is vulernable to "
"CVE-2022-38023!\n"
"If required use individual "
"'server reject md5 schannel:COMPUTERACCOUNT$ = yes' "
"options\n\n");
}
if (!lp_server_schannel_require_seal()) {
fprintf(stderr,
"WARNING: You have not configured "
"'server schannel require seal = yes' (the default). "
"Your server is vulernable to "
"CVE-2022-38023!\n"
"If required use individual "
"'server schannel require seal:COMPUTERACCOUNT$ = no' "
"options\n\n");
}
if (lp_client_schannel() != true) { /* can be 'auto' */
fprintf(stderr,
"WARNING: You have not configured "
@ -618,6 +649,36 @@ static int do_global_checks(void)
"'client schannel:NETBIOSDOMAIN = no' "
"options\n\n");
}
if (!lp_reject_md5_servers()) {
fprintf(stderr,
"WARNING: You have not configured "
"'reject md5 servers = yes' (the default). "
"Your server is vulernable to "
"CVE-2022-38023\n"
"If required use individual "
"'reject md5 servers:NETBIOSDOMAIN = no' "
"options\n\n");
}
if (!lp_require_strong_key()) {
fprintf(stderr,
"WARNING: You have not configured "
"'require strong key = yes' (the default). "
"Your server is vulernable to "
"CVE-2022-38023\n"
"If required use individual "
"'require strong key:NETBIOSDOMAIN = no' "
"options\n\n");
}
if (!lp_winbind_sealed_pipes()) {
fprintf(stderr,
"WARNING: You have not configured "
"'winbind sealed pipes = yes' (the default). "
"Your server is vulernable to "
"CVE-2022-38023\n"
"If required use individual "
"'winbind sealed pipes:NETBIOSDOMAIN = no' "
"options\n\n");
}
return ret;
}