From 5b22f6c746dbf8fa785c778cf6a9404da3fe75c0 Mon Sep 17 00:00:00 2001
From: xinghe
Date: Mon, 3 Apr 2023 09:08:23 +0000
Subject: [PATCH] add patch for fix CVE-2022-38023
---
backport-0030-CVE-2022-38023.patch | 133 +++++++++++
backport-0031-CVE-2022-38023.patch | 80 +++++++
backport-0032-CVE-2022-38023.patch | 229 +++++++++++++++++++
backport-0033-CVE-2022-38023.patch | 186 +++++++++++++++
backport-0034-CVE-2022-38023.patch | 81 +++++++
backport-0035-CVE-2022-38023.patch | 92 ++++++++
backport-0036-CVE-2022-38023.patch | 62 +++++
backport-0037-CVE-2022-38023.patch | 47 ++++
backport-0038-CVE-2022-38023.patch | 354 +++++++++++++++++++++++++++++
samba.spec | 17 +-
10 files changed, 1280 insertions(+), 1 deletion(-)
create mode 100644 backport-0030-CVE-2022-38023.patch
create mode 100644 backport-0031-CVE-2022-38023.patch
create mode 100644 backport-0032-CVE-2022-38023.patch
create mode 100644 backport-0033-CVE-2022-38023.patch
create mode 100644 backport-0034-CVE-2022-38023.patch
create mode 100644 backport-0035-CVE-2022-38023.patch
create mode 100644 backport-0036-CVE-2022-38023.patch
create mode 100644 backport-0037-CVE-2022-38023.patch
create mode 100644 backport-0038-CVE-2022-38023.patch
diff --git a/backport-0030-CVE-2022-38023.patch b/backport-0030-CVE-2022-38023.patch
new file mode 100644
index 0000000..64a71a8
--- /dev/null
+++ b/backport-0030-CVE-2022-38023.patch
@@ -0,0 +1,133 @@ +From 19aa47e3db550fd3099f06c9b97dc5800dd5afb3 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 11:33:12 +0100 +Subject: [PATCH 31/40] CVE-2022-38023 s3:rpc_server/netlogon: add + talloc_stackframe() to dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 38 ++++++++++++--------- + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 3221ebaa2e2..8e907e60f7e 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1070,6 +1070,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out) + { ++ TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + bool schannel_global_required = (lp_server_schannel() == true) ? 
true:false; + bool schannel_required = schannel_global_required; +@@ -1091,19 +1092,19 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + + auth_type = p->auth.auth_type; + +- lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); ++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); ++ TALLOC_FREE(frame); + return NT_STATUS_INTERNAL_ERROR; + } + + status = schannel_check_creds_state(mem_ctx, lp_ctx, + computer_name, received_authenticator, + return_authenticator, &creds); +- talloc_unlink(mem_ctx, lp_ctx); +- + if (!NT_STATUS_IS_OK(status)) { + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return status; + } + +@@ -1124,6 +1125,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + if (schannel_required) { + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -1131,13 +1133,15 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' is needed! 
\n", +- log_escape(mem_ctx, creds->account_name)); ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name)); + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return NT_STATUS_ACCESS_DENIED; + } + +@@ -1156,13 +1160,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) WITH schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -1171,24 +1176,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } else { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " + "'server require schannel:%s = no' might be 
needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +-- +2.39.0 diff --git a/backport-0031-CVE-2022-38023.patch b/backport-0031-CVE-2022-38023.patch new file mode 100644 index 0000000..5edf22f --- /dev/null +++ b/backport-0031-CVE-2022-38023.patch 
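Review bot: `TALLOC_FREE(frame)` is repeated by hand before each of the six `return` statements this patch touches in `netr_creds_server_step_check()`, so any exit path added later, or one that sits outside these hunks, would leave the stackframe unreleased. A single exit keeps the pairing obvious: set `status`, `goto out;`, and finish the function with `out: TALLOC_FREE(frame); return status;`. The failure paths should keep `ZERO_STRUCTP(return_authenticator)` ahead of the jump so no authenticator is handed back on error. Parts of the function body lie outside the visible hunks, so the remaining returns need checking against the full file.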
@@ -0,0 +1,80 @@ +From 4118bd2e1b1a31717f4c5355be5d83c121fa85dc Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 21 Dec 2022 18:17:57 +0100 +Subject: [PATCH 32/40] CVE-2022-38023 s3:rpc_server/netlogon: re-order + checking in netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 40 ++++++++++----------- + 1 file changed, 19 insertions(+), 21 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 8e907e60f7e..ba73fe3fa58 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1122,13 +1122,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + schannel_required = lp_bool(explicit_opt); + } + +- if (schannel_required) { +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (!schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) WITH schannel from " ++ "client_account[%s] client_computer_name[%s]\n", ++ opname, opnum, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } ++ if (explicit_opt != NULL && !schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed!?\n", ++ log_escape(frame, creds->account_name)); + } + ++ *creds_out = creds; ++ TALLOC_FREE(frame); ++ return NT_STATUS_OK; ++ } ++ ++ if (schannel_required) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", +@@ -1155,22 +1169,6 @@ static NTSTATUS 
netr_creds_server_step_check(struct pipes_struct *p, + warned_global_once = true; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); +- +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; +- } +- + if (explicit_opt != NULL) { + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " +-- +2.39.0 diff --git a/backport-0032-CVE-2022-38023.patch b/backport-0032-CVE-2022-38023.patch new file mode 100644 index 0000000..9249f9c --- /dev/null +++ b/backport-0032-CVE-2022-38023.patch 
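Review bot: The new early `return NT_STATUS_OK` for `DCERPC_AUTH_TYPE_SCHANNEL` now sits ahead of the block guarded by `warned_global_once`, so as far as the context lines show, a schannel client no longer triggers that one-time global-configuration warning; before the re-order the schannel branch came after it. The description presents this as a re-ordering only, but it also narrows the "not needed!?" message to the case `explicit_opt != NULL`. If both effects are intended, a comment above the branch would record it, for example `/* schannel clients return here, before the global 'server schannel' warning below */`. The function starts and ends outside the hunk.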
@@ -0,0 +1,229 @@ +From 4e9f73ed47739f66fbf330d1f6ddb738b749395a Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 11:35:57 +0100 +Subject: [PATCH 33/40] CVE-2022-38023 s3:rpc_server/netlogon: improve + CVE-2020-1472(ZeroLogon) debug messages + +In order to avoid generating useless debug messages during make test, +we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' +and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. + +Review with: git show -w + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 149 ++++++++++++++------ + 1 file changed, 109 insertions(+), 40 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index ba73fe3fa58..c9401499a9b 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1077,9 +1077,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + const char *explicit_opt = NULL; + struct loadparm_context *lp_ctx; + struct netlogon_creds_CredentialState *creds = NULL; ++ int CVE_2020_1472_warn_level = DBGLVL_ERR; ++ int CVE_2020_1472_error_level = DBGLVL_ERR; ++ unsigned int dbg_lvl = DBGLVL_DEBUG; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + uint16_t opnum = p->opnum; + const char *opname = ""; ++ const char *reason = ""; + static bool warned_global_once = false; + + if (creds_out != NULL) { +@@ -1091,6 +1096,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + } + + auth_type = p->auth.auth_type; ++ auth_level = p->auth.auth_level; + + lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); + if (lp_ctx == NULL) { +@@ -1099,6 +1105,23 @@ static NTSTATUS 
netr_creds_server_step_check(struct pipes_struct *p, + return NT_STATUS_INTERNAL_ERROR; + } + ++ CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ reason = "WITH SEALED"; ++ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ reason = "WITH SIGNED"; ++ } else { ++ smb_panic("Schannel without SIGN/SEAL"); ++ } ++ } else { ++ reason = "WITHOUT"; ++ } ++ + status = schannel_check_creds_state(mem_ctx, lp_ctx, + computer_name, received_authenticator, + return_authenticator, &creds); +@@ -1123,40 +1146,69 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + } + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (!schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); ++ status = NT_STATUS_OK; ++ ++ if (explicit_opt != NULL && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ + if (explicit_opt != NULL && !schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 
'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; + TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ return status; + } + + if (schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name)); ++ status = NT_STATUS_ACCESS_DENIED; ++ ++ if (explicit_opt != NULL) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ if (explicit_opt != NULL) { ++ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); +- return NT_STATUS_ACCESS_DENIED; ++ return status; + } + + if (!schannel_global_required && !warned_global_once) { +@@ -1169,26 +1221,43 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + warned_global_once = true; + } + ++ status = NT_STATUS_OK; ++ + if 
(explicit_opt != NULL) { +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' might be needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ ++ if (explicit_opt != NULL) { ++ D_INFO("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server require schannel:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Please use 'server require schannel:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; +-- +2.39.0 
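Review bot: `dbg_lvl` is declared `unsigned int`, while `CVE_2020_1472_warn_level` and `CVE_2020_1472_error_level` are `int` values read from configuration with `lpcfg_parm_int()`, and the two types are mixed in `MIN(dbg_lvl, ...)`. If `MIN` is the usual comparison macro, a negative configured value is converted to a large unsigned number, the comparison keeps `DBGLVL_DEBUG`, and the request line is written at debug level while the follow-up `DEBUG(CVE_2020_1472_error_level, ...)` hint uses the raw value. Declaring `int dbg_lvl = DBGLVL_DEBUG;` keeps the comparison signed. Because these two options decide whether a rejected non-schannel request appears at the default log level, a short comment at the `lpcfg_parm_int()` calls saying so would help operators who alert on these lines.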
diff --git a/backport-0033-CVE-2022-38023.patch b/backport-0033-CVE-2022-38023.patch
new file mode 100644
index 0000000..ef42448
--- /dev/null
+++ b/backport-0033-CVE-2022-38023.patch
@@ -0,0 +1,186 @@ +From 24d91b96790628ba864c67cca0b97b95ad7f9555 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 11:42:51 +0100 +Subject: [PATCH 35/40] CVE-2022-38023 s3:rpc_server/netlogon: split out + netr_check_schannel() function + +This will allow us to reuse the function in other places. +As it will also get some additional checks soon. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 107 ++++++++++++-------- + 1 file changed, 62 insertions(+), 45 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index c9401499a9b..b254ca72a48 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1063,53 +1063,30 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p, + /************************************************************************* + *************************************************************************/ + +-static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, +- TALLOC_CTX *mem_ctx, +- const char *computer_name, +- struct netr_Authenticator *received_authenticator, +- struct netr_Authenticator *return_authenticator, +- struct netlogon_creds_CredentialState **creds_out) ++static NTSTATUS netr_check_schannel(struct pipes_struct *p, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum) + { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + bool schannel_global_required = (lp_server_schannel() == true) ? 
true:false; + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; +- struct loadparm_context *lp_ctx; +- struct netlogon_creds_CredentialState *creds = NULL; +- int CVE_2020_1472_warn_level = DBGLVL_ERR; +- int CVE_2020_1472_error_level = DBGLVL_ERR; ++ int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); + unsigned int dbg_lvl = DBGLVL_DEBUG; +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; +- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +- uint16_t opnum = p->opnum; + const char *opname = ""; + const char *reason = ""; + static bool warned_global_once = false; + +- if (creds_out != NULL) { +- *creds_out = NULL; +- } +- + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; + } + +- auth_type = p->auth.auth_type; +- auth_level = p->auth.auth_level; +- +- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DEBUG(0, ("loadparm_init_s3 failed\n")); +- TALLOC_FREE(frame); +- return NT_STATUS_INTERNAL_ERROR; +- } +- +- CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); +- CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); +- + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + reason = "WITH SEALED"; +@@ -1122,15 +1099,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + reason = "WITHOUT"; + } + +- status = schannel_check_creds_state(mem_ctx, lp_ctx, +- computer_name, received_authenticator, +- return_authenticator, &creds); +- if (!NT_STATUS_IS_OK(status)) { +- ZERO_STRUCTP(return_authenticator); +- TALLOC_FREE(frame); +- return status; +- } +- + 
/* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -1171,7 +1139,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return status; + } +@@ -1205,8 +1172,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "might be needed for a legacy client.\n", + log_escape(frame, creds->account_name))); + } +- TALLOC_FREE(creds); +- ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); + return status; + } +@@ -1260,11 +1225,63 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + ++static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, ++ TALLOC_CTX *mem_ctx, ++ const char *computer_name, ++ struct netr_Authenticator *received_authenticator, ++ struct netr_Authenticator *return_authenticator, ++ struct netlogon_creds_CredentialState **creds_out) ++{ ++ struct loadparm_context *lp_ctx = NULL; ++ NTSTATUS status; ++ struct netlogon_creds_CredentialState *creds = NULL; ++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; ++ uint16_t opnum = p->opnum; ++ ++ if (creds_out != NULL) { ++ *creds_out = NULL; ++ } ++ ++ auth_type = p->auth.auth_type; ++ auth_level = p->auth.auth_level; ++ ++ lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); ++ if (lp_ctx == NULL) { ++ DEBUG(0, ("loadparm_init_s3 failed\n")); ++ return NT_STATUS_INTERNAL_ERROR; ++ } ++ ++ status = schannel_check_creds_state(mem_ctx, ++ lp_ctx, ++ computer_name, ++ received_authenticator, ++ return_authenticator, ++ &creds); ++ TALLOC_FREE(lp_ctx); ++ if (!NT_STATUS_IS_OK(status)) { ++ ZERO_STRUCTP(return_authenticator); ++ return status; ++ } ++ ++ status = netr_check_schannel(p, ++ creds, ++ auth_type, ++ 
auth_level, ++ opnum); ++ if (!NT_STATUS_IS_OK(status)) { ++ TALLOC_FREE(creds); ++ ZERO_STRUCTP(return_authenticator); ++ return status; ++ } ++ ++ *creds_out = creds; ++ return NT_STATUS_OK; ++} + + /************************************************************************* + *************************************************************************/ +-- +2.39.0 diff --git a/backport-0034-CVE-2022-38023.patch b/backport-0034-CVE-2022-38023.patch new file mode 100644 index 0000000..7154ff1 --- /dev/null +++ b/backport-0034-CVE-2022-38023.patch 
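Review bot: The rebuilt `netr_creds_server_step_check()` guards `creds_out` with `if (creds_out != NULL)` at the top but ends with an unconditional `*creds_out = creds;`, so the two ends of the function disagree about whether NULL is a valid argument. Either drop the guard and document the pointer as required, or make the tail match it: `if (creds_out != NULL) { *creds_out = creds; } else { TALLOC_FREE(creds); }`. The callers are outside this hunk, so whether any of them passes NULL cannot be told from here. Separately, this file carries `[PATCH 35/40]` while the previous one carries `33/40`, and the `Conflict: NA` header does not say why 34/40 is absent from the backported series.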
@@ -0,0 +1,81 @@ +From ec1962e20deb4cbe95e861eb57107f08cb3a6de9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Thu, 22 Dec 2022 09:29:04 +0100 +Subject: [PATCH 36/40] CVE-2022-38023 s3:rpc_server/netlogon: make sure all + dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel() + +We'll soon add some additional contraints in dcesrv_netr_check_schannel(), +which are also required for dcesrv_netr_LogonSamLogonEx(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++++++++++++++++----- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index b254ca72a48..a66b929b479 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1771,6 +1771,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + struct auth_serversupplied_info *server_info = NULL; + struct auth_context *auth_context = NULL; + const char *fn; ++ enum dcerpc_AuthType auth_type = p->auth.auth_type; ++ enum dcerpc_AuthLevel auth_level = p->auth.auth_level; + + #ifdef DEBUG_PASSWORD + logon = netlogon_creds_shallow_copy_logon(p->mem_ctx, +@@ -1784,11 +1786,32 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + switch (p->opnum) { + case NDR_NETR_LOGONSAMLOGON: + fn = "_netr_LogonSamLogon"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONWITHFLAGS: + fn = "_netr_LogonSamLogonWithFlags"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONEX: ++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ ++ status = 
netr_check_schannel(p, ++ creds, ++ auth_type, ++ auth_level, ++ p->opnum); ++ if (NT_STATUS_IS_ERR(status)) { ++ return status; ++ } ++ + fn = "_netr_LogonSamLogonEx"; + break; + default: +@@ -2130,13 +2153,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, + return status; + } + +- /* Only allow this if the pipe is protected. */ +- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { +- DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", +- get_remote_machine_name() )); +- return NT_STATUS_INVALID_PARAMETER; +- } +- + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); +-- +2.39.0 diff --git a/backport-0035-CVE-2022-38023.patch b/backport-0035-CVE-2022-38023.patch new file mode 100644 index 0000000..eb6473d --- /dev/null +++ b/backport-0035-CVE-2022-38023.patch 
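Review bot: The non-schannel rejection for `NDR_NETR_LOGONSAMLOGONEX` is now a bare `return NT_STATUS_ACCESS_DENIED;`, whereas the check removed from `_netr_LogonSamLogonEx()` wrote a level-0 message naming the client before refusing. Anyone alerting on that line loses the signal, and the status the client sees changes from `NT_STATUS_INVALID_PARAMETER` to `NT_STATUS_ACCESS_DENIED`; keeping a log call ahead of the return, e.g. `DBG_ERR("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", get_remote_machine_name());`, preserves it. The result of `netr_check_schannel()` is tested with `NT_STATUS_IS_ERR(status)` here but with `!NT_STATUS_IS_OK(status)` in `netr_creds_server_step_check()`; using `!NT_STATUS_IS_OK(status)` in both places treats every non-success code the same way. `_netr_LogonSamLogon_base()` begins and continues outside the hunk.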
@@ -0,0 +1,92 @@ +From e46fdd96cf0cea2415e7dfd49d7f204c53bac762 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 4 Jan 2023 17:23:41 +0100 +Subject: [PATCH 37/40] CVE-2022-38023 s3:rpc_server/netlogon: Rename variable + +This will simplify the following changes. + +Signed-off-by: Samuel Cabrero + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index a66b929b479..b7c8e2c928e 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1071,9 +1071,10 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; ++ const char *explicit_opt = NULL; + bool schannel_global_required = (lp_server_schannel() == true) ? 
true:false; + bool schannel_required = schannel_global_required; +- const char *explicit_opt = NULL; ++ bool schannel_explicitly_set = false; + int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, +@@ -1112,11 +1113,12 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + if (explicit_opt != NULL) { + schannel_required = lp_bool(explicit_opt); + } ++ schannel_explicitly_set = explicit_opt != NULL; + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + status = NT_STATUS_OK; + +- if (explicit_opt != NULL && !schannel_required) { ++ if (schannel_explicitly_set && !schannel_required) { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); + } else if (!schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +@@ -1131,7 +1133,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + +- if (explicit_opt != NULL && !schannel_required) { ++ if (schannel_explicitly_set && !schannel_required) { + DEBUG(CVE_2020_1472_warn_level, ( + "CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed for '%s'!\n", +@@ -1146,7 +1148,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + if (schannel_required) { + status = NT_STATUS_ACCESS_DENIED; + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -1160,7 +1162,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), + nt_errstr(status))); +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + D_NOTICE("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = yes' " + "rejects access for client.\n", +@@ -1188,7 +1190,7 @@ static NTSTATUS 
netr_check_schannel(struct pipes_struct *p, + + status = NT_STATUS_OK; + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -1203,7 +1205,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " + "still needed for '%s'!\n", +-- +2.39.0 diff --git a/backport-0036-CVE-2022-38023.patch b/backport-0036-CVE-2022-38023.patch new file mode 100644 index 0000000..c5dbc48 --- /dev/null +++ b/backport-0036-CVE-2022-38023.patch 
@@ -0,0 +1,62 @@ +From b0ecb8aebf814b339afe1d2843ef53ece5cb4c9d Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero +Date: Wed, 4 Jan 2023 17:39:20 +0100 +Subject: [PATCH 38/40] CVE-2022-38023 s3:rpc_server/netlogon: Return error on + invalid auth level + +Signed-off-by: Samuel Cabrero + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index b7c8e2c928e..5f89e945f9c 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1070,7 +1070,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + uint16_t opnum) + { + TALLOC_CTX *frame = talloc_stackframe(); +- NTSTATUS status; ++ NTSTATUS status = NT_STATUS_MORE_PROCESSING_REQUIRED; + const char *explicit_opt = NULL; + bool schannel_global_required = (lp_server_schannel() == true) ? 
true:false; + bool schannel_required = schannel_global_required; +@@ -1094,12 +1094,31 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + reason = "WITH SIGNED"; + } else { +- smb_panic("Schannel without SIGN/SEAL"); ++ reason = "WITH INVALID"; ++ dbg_lvl = DBGLVL_ERR; ++ status = NT_STATUS_INTERNAL_ERROR; + } + } else { + reason = "WITHOUT"; + } + ++ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ++ if (!NT_STATUS_IS_OK(status)) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ TALLOC_FREE(frame); ++ return status; ++ } ++ + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +-- +2.39.0 diff --git a/backport-0037-CVE-2022-38023.patch b/backport-0037-CVE-2022-38023.patch new file mode 100644 index 0000000..94ea30b --- /dev/null +++ b/backport-0037-CVE-2022-38023.patch 
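Review bot: The early-return block added after the auth-level classification relies on `status` starting out as `NT_STATUS_MORE_PROCESSING_REQUIRED` to mean "no verdict yet", and nothing in the code says so. A comment at the initialiser would make the sentinel explicit, for example `/* MORE_PROCESSING_REQUIRED = no decision yet; any other value is logged and returned below */`. In this patch the only path into the block has just set `dbg_lvl = DBGLVL_ERR`, so `dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO)` cannot change it (assuming `DBGLVL_ERR` is the lowest level); a note that the line is there for checks added later would save a reader the detour. The body of `netr_check_schannel()` continues outside the hunk.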
@@ -0,0 +1,47 @@
+From 037606c112ae4d1025708d2d12898e73359f0c54 Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Wed, 4 Jan 2023 17:42:37 +0100
+Subject: [PATCH 39/40] CVE-2022-38023 s3:rpc_server/netlogon: Rename variable
+
+This will simplify the following changes.
+
+Signed-off-by: Samuel Cabrero
+
+Conflict: NA
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index 5f89e945f9c..f238d7ce42b 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1082,7 +1082,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ unsigned int dbg_lvl = DBGLVL_DEBUG;
+ const char *opname = "";
+ const char *reason = "";
+- static bool warned_global_once = false;
++ static bool warned_global_schannel_once = false;
+
+ if (opnum < ndr_table_netlogon.num_calls) {
+ opname = ndr_table_netlogon.calls[opnum].name;
+@@ -1197,14 +1197,14 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ return status;
+ }
+
+- if (!schannel_global_required && !warned_global_once) {
++ if (!schannel_global_required && !warned_global_schannel_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "Please configure 'server schannel = yes', "
+ "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n");
+- warned_global_once = true;
++ warned_global_schannel_once = true;
+ }
+
+ status = NT_STATUS_OK;
+--
+2.39.0
diff --git a/backport-0038-CVE-2022-38023.patch b/backport-0038-CVE-2022-38023.patch
new file mode 100644
index 0000000..ba1e235
--- /dev/null
+++ b/backport-0038-CVE-2022-38023.patch 
@@ -0,0 +1,354 @@
+From fba17d9f8e6437fc675608c0507d6a00f830aaea Mon Sep 17 00:00:00 2001
+From: Samuel Cabrero
+Date: Wed, 4 Jan 2023 17:50:04 +0100
+Subject: [PATCH 40/40] CVE-2022-38023 s3:rpc_server/netlogon: implement
+ "server schannel require seal[:COMPUTERACCOUNT]"
+
+By default we'll now require schannel connections with
+privacy/sealing/encryption.
+
+But we allow exceptions for specific computer/trust accounts.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
+
+Signed-off-by: Samuel Cabrero
+
+Conflict: remove selftest/target/Samba3.pm
+Reference: https://attachments.samba.org/attachment.cgi?id=17736
+---
+ selftest/target/Samba3.pm | 14 ++
+ source3/rpc_server/netlogon/srv_netlog_nt.c | 237 +++++++++++++++++++-
+ 2 files changed, 249 insertions(+), 2 deletions(-)
+
+diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c
+index f238d7ce42b..df305e94479 100644
+--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
+@@ -1075,14 +1075,22 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ bool schannel_global_required = (lp_server_schannel() == true) ? true:false;
+ bool schannel_required = schannel_global_required;
+ bool schannel_explicitly_set = false;
++ bool seal_global_required = (lp_server_schannel_require_seal() == true) ? 
true:false;
++ bool seal_required = seal_global_required;
++ bool seal_explicitly_set = false;
+ int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+ int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
+ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
++ int CVE_2022_38023_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM,
++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
++ int CVE_2022_38023_error_level = lp_parm_int(GLOBAL_SECTION_SNUM,
++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
+ unsigned int dbg_lvl = DBGLVL_DEBUG;
+ const char *opname = "";
+ const char *reason = "";
+ static bool warned_global_schannel_once = false;
++ static bool warned_global_seal_once = false;
+
+ if (opnum < ndr_table_netlogon.num_calls) {
+ opname = ndr_table_netlogon.calls[opnum].name;
+@@ -1119,6 +1127,20 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ return status;
+ }
+
++ /*
++ * We don't use lp_parm_bool(), as we
++ * need the explicit_opt pointer in order to
++ * adjust the debug messages. 
++ */
++ explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
++ "server schannel require seal",
++ creds->account_name,
++ NULL);
++ if (explicit_opt != NULL) {
++ seal_required = lp_bool(explicit_opt);
++ }
++ seal_explicitly_set = explicit_opt != NULL;
++
+ /*
+ * We don't use lp_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+@@ -1134,7 +1156,96 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ }
+ schannel_explicitly_set = explicit_opt != NULL;
+
++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
++ auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
++ {
++ status = NT_STATUS_OK;
++
++ if (schannel_explicitly_set && !schannel_required) {
++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
++ } else if (!schannel_required) {
++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
++ }
++ if (seal_explicitly_set && !seal_required) {
++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
++ } else if (!seal_required) {
++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
++ }
++
++ DEBUG(dbg_lvl, (
++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
++ "%s request (opnum[%u]) %s schannel from "
++ "client_account[%s] client_computer_name[%s] %s\n",
++ opname, opnum, reason,
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name),
++ nt_errstr(status)));
++
++ if (schannel_explicitly_set && !schannel_required) {
++ DEBUG(CVE_2020_1472_warn_level, (
++ "CVE-2020-1472(ZeroLogon): "
++ "Option 'server require schannel:%s = no' not needed for '%s'!\n",
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name)));
++ }
++
++ if (seal_explicitly_set && !seal_required) {
++ DEBUG(CVE_2022_38023_warn_level, (
++ "CVE-2022-38023: "
++ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name)));
++ }
++
++ TALLOC_FREE(frame);
++ return status;
++ }
++
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
++ if (seal_required) {
++ 
status = NT_STATUS_ACCESS_DENIED;
++
++ if (seal_explicitly_set) {
++ dbg_lvl = DBGLVL_NOTICE;
++ } else {
++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
++ }
++ if (schannel_explicitly_set && !schannel_required) {
++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
++ }
++
++ DEBUG(dbg_lvl, (
++ "CVE-2022-38023: "
++ "%s request (opnum[%u]) %s schannel from "
++ "from client_account[%s] client_computer_name[%s] %s\n",
++ opname, opnum, reason,
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name),
++ nt_errstr(status)));
++ if (seal_explicitly_set) {
++ D_NOTICE("CVE-2022-38023: Option "
++ "'server schannel require seal:%s = yes' "
++ "rejects access for client.\n",
++ log_escape(frame, creds->account_name));
++ } else {
++ DEBUG(CVE_2020_1472_error_level, (
++ "CVE-2022-38023: Check if option "
++ "'server schannel require seal:%s = no' "
++ "might be needed for a legacy client.\n",
++ log_escape(frame, creds->account_name)));
++ }
++ if (schannel_explicitly_set && !schannel_required) {
++ DEBUG(CVE_2020_1472_warn_level, (
++ "CVE-2020-1472(ZeroLogon): Option "
++ "'server require schannel:%s = no' "
++ "not needed for '%s'!\n",
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name)));
++ }
++ TALLOC_FREE(frame);
++ return status;
++ }
++
+ status = NT_STATUS_OK;
+
+ if (schannel_explicitly_set && !schannel_required) {
+@@ -1142,6 +1253,11 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ } else if (!schannel_required) {
+ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+ }
++ if (seal_explicitly_set && !seal_required) {
++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
++ } else if (!seal_required) {
++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
++ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon): "
+@@ -1151,7 +1267,6 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name),
+ 
nt_errstr(status)));
+-
+ if (schannel_explicitly_set && !schannel_required) {
+ DEBUG(CVE_2020_1472_warn_level, (
+ "CVE-2020-1472(ZeroLogon): "
+@@ -1159,7 +1274,77 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ log_escape(frame, creds->account_name),
+ log_escape(frame, creds->computer_name)));
+ }
++ if (seal_explicitly_set && !seal_required) {
++ D_INFO("CVE-2022-38023: "
++ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name));
++ } else if (!seal_required) {
++ /*
++ * admins should set
++ * server schannel require seal:COMPUTER$ = no
++ * in order to avoid the level 0 messages.
++ * Over time they can switch the global value
++ * to be strict.
++ */
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: "
++ "Please use 'server schannel require seal:%s = no' "
++ "for '%s' to avoid this warning!\n",
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name)));
++ }
++
++ TALLOC_FREE(frame);
++ return status;
++ }
++
++ if (seal_required) {
++ status = NT_STATUS_ACCESS_DENIED;
+
++ if (seal_explicitly_set) {
++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
++ } else {
++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
++ }
++ if (!schannel_explicitly_set) {
++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
++ } else if (schannel_required) {
++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
++ }
++
++ DEBUG(dbg_lvl, (
++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
++ "%s request (opnum[%u]) %s schannel from "
++ "from client_account[%s] client_computer_name[%s] %s\n",
++ opname, opnum, reason,
++ log_escape(frame, creds->account_name),
++ log_escape(frame, creds->computer_name),
++ nt_errstr(status)));
++ if (seal_explicitly_set) {
++ D_NOTICE("CVE-2022-38023: Option "
++ "'server schannel require seal:%s = yes' "
++ "rejects access for client.\n",
++ log_escape(frame, creds->account_name));
++ } else {
++ 
DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: Check if option "
++ "'server schannel require seal:%s = no' "
++ "might be needed for a legacy client.\n",
++ log_escape(frame, creds->account_name)));
++ }
++ if (!schannel_explicitly_set) {
++ DEBUG(CVE_2020_1472_error_level, (
++ "CVE-2020-1472(ZeroLogon): Check if option "
++ "'server require schannel:%s = no' "
++ "might be needed for a legacy client.\n",
++ log_escape(frame, creds->account_name)));
++ } else if (schannel_required) {
++ D_NOTICE("CVE-2022-38023: Option "
++ "'server require schannel:%s = yes' "
++ "also rejects access for client.\n",
++ log_escape(frame, creds->account_name));
++ }
+ TALLOC_FREE(frame);
+ return status;
+ }
+@@ -1172,6 +1357,9 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ } else {
+ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+ }
++ if (!seal_explicitly_set) {
++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
++ }
+
+ DEBUG(dbg_lvl, (
+ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+@@ -1193,6 +1381,13 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ "might be needed for a legacy client.\n",
+ log_escape(frame, creds->account_name)));
+ }
++ if (!seal_explicitly_set) {
++ DEBUG(CVE_2022_38023_error_level, (
++ "CVE-2022-38023: Check if option "
++ "'server schannel require seal:%s = no' "
++ "might be needed for a legacy client.\n",
++ log_escape(frame, creds->account_name)));
++ }
+ TALLOC_FREE(frame);
+ return status;
+ }
+@@ -1207,8 +1402,24 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p,
+ warned_global_schannel_once = true;
+ }
+
++ if (!seal_global_required && !warned_global_seal_once) {
++ /*
++ * We want admins to notice their misconfiguration! 
++ */ ++ DBG_ERR("CVE-2022-38023 (and others): " ++ "Please configure 'server schannel require seal = yes' (the default), " ++ "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); ++ warned_global_seal_once = true; ++ } ++ + status = NT_STATUS_OK; + ++ if (seal_explicitly_set) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ + if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +@@ -1224,6 +1435,28 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + ++ if (seal_explicitly_set) { ++ D_INFO("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = no' " ++ "still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else { ++ /* ++ * admins should set ++ * server schannel require seal:COMPUTER$ = no ++ * in order to avoid the level 0 messages. ++ * Over time they can switch the global value ++ * to be strict. ++ */ ++ DEBUG(CVE_2022_38023_error_level, ( ++ "CVE-2022-38023: Please use " ++ "'server schannel require seal:%s = no' " ++ "for '%s' to avoid this warning!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ + if (schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " +@@ -1247,7 +1480,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } + + TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ return status; + } + + static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, +-- +2.39.0 diff --git a/samba.spec b/samba.spec index 540906c..1e57e74 100644 --- a/samba.spec +++ b/samba.spec @@ -49,7 +49,7 @@ Name: samba Version: 4.11.12 -Release: 25 +Release: 26 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ 
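Review bot: In backport-0038-CVE-2022-38023.patch, the reject path for schannel binds that are signed but not sealed (the `if (seal_required)` block added inside `if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL)`) mixes up the two CVEs' log-level knobs. Its CVE-2022-38023 "legacy client" hint is printed with `DEBUG(CVE_2020_1472_error_level, (`, and the unneeded `server require schannel` override lowers `dbg_lvl` with `CVE_2022_38023_warn_level`, while every other branch of this patch uses `CVE_2022_38023_error_level` and `CVE_2020_1472_warn_level` for those same messages. An admin tuning `CVE_2022_38023:error_debug_level` would therefore not move that hint; the lines would read `DEBUG(CVE_2022_38023_error_level, (` and `dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);`. Both new ACCESS_DENIED messages also print `schannel from from client_account[...]`, unlike the accept messages, so a log pattern written against `schannel from client_account[` would miss exactly the rejected binds; dropping the leading `from ` of the second string literal fixes that. These slips may mirror the referenced upstream patch, so correcting them here means carrying a delta against it, and netr_check_schannel starts and ends outside the inner hunks.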
@@ -329,6 +329,15 @@ Patch6399: backport-0026-CVE-2022-38023.patch Patch6400: backport-0027-CVE-2022-38023.patch Patch6401: backport-0028-CVE-2022-38023.patch Patch6402: backport-0029-CVE-2022-38023.patch +Patch6403: backport-0030-CVE-2022-38023.patch +Patch6404: backport-0031-CVE-2022-38023.patch +Patch6405: backport-0032-CVE-2022-38023.patch +Patch6406: backport-0033-CVE-2022-38023.patch +Patch6407: backport-0034-CVE-2022-38023.patch +Patch6408: backport-0035-CVE-2022-38023.patch +Patch6409: backport-0036-CVE-2022-38023.patch +Patch6410: backport-0037-CVE-2022-38023.patch +Patch6411: backport-0038-CVE-2022-38023.patch BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel @@ -3387,6 +3396,12 @@ fi %{_mandir}/man* %changelog +* Mon Apr 03 2023 xinghe - 4.11.12-26 +- Type:cves +- CVE:CVE-2022-38023 +- SUG:NA +- DESC:add patch for fix CVE-2022-38023 + * Wed Jan 18 2023 xinghe - 4.11.12-25 - Type:cves - CVE:CVE-2022-38023 -- Gitee