author | Joseph Sutton <josephsutton@catalyst.net.nz> | 2022-11-21 13:47:06 +1300 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:48 +0100 |
commit | 84c28b05a0a590a0edea616cd0f267e2be44d0a0 (patch) | |
tree | d35f5361df0dac85a2834ee294e46153f9883767 | |
parent | 0ad597673246af62c88453236d1eab731368ad08 (diff) | |
download | samba-84c28b05a0a590a0edea616cd0f267e2be44d0a0.tar.gz |
CVE-2022-37966 samba-tool: Declare explicitly RC4 support of trust objects
As we will assume, as part of the fixes for CVE-2022-37966, that trust
objects with no msDS-SupportedEncryptionTypes attribute support AES
keys, RC4 support must now be explicitly indicated.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 086646865eef247a54897f5542495a2105563a5e)
-rw-r--r-- | python/samba/netcmd/domain.py | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/python/samba/netcmd/domain.py b/python/samba/netcmd/domain.py
index aaadaf93009..2c9c9645655 100644
--- a/python/samba/netcmd/domain.py
+++ b/python/samba/netcmd/domain.py
@@ -2301,11 +2301,14 @@ class cmd_domain_trust_create(DomainTrustCommand):
 if treat_as_external:
 raise CommandError("--treat-as-external requires --type=forest")
- enc_types = None
+ enc_types = lsa.TrustDomainInfoSupportedEncTypes()
 if use_aes_keys:
- enc_types = lsa.TrustDomainInfoSupportedEncTypes()
 enc_types.enc_types = security.KERB_ENCTYPE_AES128_CTS_HMAC_SHA1_96
 enc_types.enc_types |= security.KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96
+ else:
+ # CVE-2022-37966: Trust objects are no longer assumed to support
+ # RC4, so we must indicate support explicitly.
+ enc_types.enc_types = security.KERB_ENCTYPE_RC4_HMAC_MD5
 local_policy_access = lsa.LSA_POLICY_VIEW_LOCAL_INFORMATION
 local_policy_access |= lsa.LSA_POLICY_TRUST_ADMIN |
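Review bot: The new `else` branch makes RC4-HMAC the only advertised encryption type whenever `use_aes_keys` is false, so the default path now writes an explicitly weak setting instead of leaving the value unset. The added comment explains why RC4 has to be declared but not that it is the legacy choice; I would extend it with something like `# RC4-only is kept for compatibility; prefer --use-aes-keys for new trusts.` and consider printing a notice to the operator at this point. Because `enc_types` is no longer `None`, any later `if enc_types:` guard in this method (outside the hunk, so not visible here) would now always be taken, which is worth confirming against the code that applies the value. The method body starts and ends outside the hunk.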