diff options
author | Samuel Cabrero <scabrero@suse.de> | 2022-12-22 11:05:33 +0100 |
---|---|---|
committer | Jule Anger <janger@samba.org> | 2023-01-23 09:06:16 +0000 |
commit | fea95d10a23c984872fd23e7ca49ff580ab3b125 (patch) | |
tree | 627b194606b03feb23ffd617cdf5fa047f19ba3b | |
parent | 431c730c6e773532dd2f9cace589a9028717d185 (diff) | |
download | samba-fea95d10a23c984872fd23e7ca49ff580ab3b125.tar.gz |
CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
By default we'll now require schannel connections with privacy/sealing/encryption.
But we allow exceptions for specific computer/trust accounts.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Samuel Cabrero <scabrero@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
(cherry picked from commit a0b97e262318dc56fe663da89b0ee3172b2e7848)
-rw-r--r-- | source3/rpc_server/netlogon/srv_netlog_nt.c | 12 |
1 files changed, 12 insertions, 0 deletions
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index 51488cf62b2..edf1c1c215c 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -2855,7 +2855,9 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context struct loadparm_context *lp_ctx = context->conn->dce_ctx->lp_ctx; int schannel = lpcfg_server_schannel(lp_ctx); bool schannel_global_required = (schannel == true); + bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx); static bool warned_global_schannel_once = false; + static bool warned_global_seal_once = false; if (!schannel_global_required && !warned_global_schannel_once) { /* @@ -2867,6 +2869,16 @@ static NTSTATUS dcesrv_interface_netlogon_bind(struct dcesrv_connection_context warned_global_schannel_once = true; } + if (!global_require_seal && !warned_global_seal_once) { + /* + * We want admins to notice their misconfiguration! + */ + D_ERR("CVE-2022-38023 (and others): " + "Please configure 'server schannel require seal = yes' (the default), " + "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n"); + warned_global_seal_once = true; + } + return NT_STATUS_OK; } |