diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-12-05 21:45:08 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-14 00:48:48 +0100 |
commit | e2ac180984e36f54999e970eafb0f05ed90b0fd4 (patch) | |
tree | d70725116ad4e4f4764e4ec2286a20b2d548e361 | |
parent | 30202568a181966ea7c56a33dad5e4942e524b75 (diff) | |
download | samba-e2ac180984e36f54999e970eafb0f05ed90b0fd4.tar.gz |
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
[abartlet@samba.org Added missing loadparm to netlogon_creds_cli]
-rw-r--r-- | libcli/auth/netlogon_creds_cli.c | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index df5f8a0fbfa..617e0ab6530 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -39,6 +39,7 @@ #include "libds/common/roles.h" #include "lib/crypto/md4.h" #include "auth/credentials/credentials.h" +#include "lib/param/loadparm.h" struct netlogon_creds_cli_locked_state; @@ -268,10 +269,12 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx); int global_client_schannel = lpcfg_client_schannel(lp_ctx); bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx); + int global_kerberos_enctypes = lpcfg_kerberos_encryption_types(lp_ctx); static bool warned_global_reject_md5_servers = false; static bool warned_global_require_strong_key = false; static bool warned_global_client_schannel = false; static bool warned_global_seal_secure_channel = false; + static bool warned_global_kerberos_encryption_types = false; static int warned_global_pid = 0; int current_pid = getpid(); @@ -280,6 +283,7 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) warned_global_require_strong_key = false; warned_global_client_schannel = false; warned_global_seal_secure_channel = false; + warned_global_kerberos_encryption_types = false; warned_global_pid = current_pid; } @@ -322,6 +326,18 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx) "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); warned_global_seal_secure_channel = true; } + + if (global_kerberos_enctypes == KERBEROS_ETYPES_LEGACY && + !warned_global_kerberos_encryption_types) + { + /* + * We want admins to notice their misconfiguration! + */ + DBG_ERR("CVE-2022-37966: " + "Please void 'kerberos encryption types = legacy', " + "See https://bugzilla.samba.org/show_bug.cgi?id=15237\n"); + warned_global_kerberos_encryption_types = true; + } } NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, |