CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()

This warns the admin about insecure options BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 Signed-off-by: Stefan Metzmacher <metze@samba.org> Reviewed-by: Andrew Bartlett <abartlet@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org>
author: Stefan Metzmacher <metze@samba.org> 2022-11-30 14:47:33 +0100
committer: Stefan Metzmacher <metze@samba.org> 2022-12-13 13:07:29 +0000
commit: 7e7adf86e59e8a673fbe87de46cef0d62221e800 (patch)
tree: ebbfdc9029d0d2d2af0b10cd23ef2c16f91a98a7 /libcli
parent: 992f39a2c8a58301ceeb965f401e29cd64c5a209 (diff)
download: samba-7e7adf86e59e8a673fbe87de46cef0d62221e800.tar.gz
2 files changed, 68 insertions, 0 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 470733d8a05..2e7c06332f0 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -205,6 +205,8 @@ static struct db_context *netlogon_creds_cli_global_db;
 NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
 					  struct db_context **db)
 {
+	netlogon_creds_cli_warn_options(lp_ctx);
+
 	if (netlogon_creds_cli_global_db != NULL) {
 		return NT_STATUS_INVALID_PARAMETER_MIX;
 	}
@@ -219,6 +221,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
 	struct db_context *global_db;
 	int hash_size, tdb_flags;
 
+	netlogon_creds_cli_warn_options(lp_ctx);
+
 	if (netlogon_creds_cli_global_db != NULL) {
 		return NT_STATUS_OK;
 	}
@@ -259,6 +263,68 @@ void netlogon_creds_cli_close_global_db(void)
 	TALLOC_FREE(netlogon_creds_cli_global_db);
 }
 
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
+{
+	bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
+	bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
+	int global_client_schannel = lpcfg_client_schannel(lp_ctx);
+	bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+	static bool warned_global_reject_md5_servers = false;
+	static bool warned_global_require_strong_key = false;
+	static bool warned_global_client_schannel = false;
+	static bool warned_global_seal_secure_channel = false;
+	static int warned_global_pid = 0;
+	int current_pid = tevent_cached_getpid();
+
+	if (warned_global_pid != current_pid) {
+		warned_global_reject_md5_servers = false;
+		warned_global_require_strong_key = false;
+		warned_global_client_schannel = false;
+		warned_global_seal_secure_channel = false;
+		warned_global_pid = current_pid;
+	}
+
+	if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		DBG_ERR("CVE-2022-38023 (and others): "
+			"Please configure 'reject md5 servers = yes' (the default), "
+			"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+		warned_global_reject_md5_servers = true;
+	}
+
+	if (!global_require_strong_key && !warned_global_require_strong_key) {
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		DBG_ERR("CVE-2022-38023 (and others): "
+			"Please configure 'require strong key = yes' (the default), "
+			"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+		warned_global_require_strong_key = true;
+	}
+
+	if (global_client_schannel != true && !warned_global_client_schannel) {
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		DBG_ERR("CVE-2022-38023 (and others): "
+			"Please configure 'client schannel = yes' (the default), "
+			"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+		warned_global_client_schannel = true;
+	}
+
+	if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		DBG_ERR("CVE-2022-38023 (and others): "
+			"Please configure 'winbind sealed pipes = yes' (the default), "
+			"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+		warned_global_seal_secure_channel = true;
+	}
+}
+
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 				struct messaging_context *msg_ctx,
 				const char *client_account,
diff --git a/libcli/auth/netlogon_creds_cli.h b/libcli/auth/netlogon_creds_cli.h
index d10197c2d2a..600242e1aea 100644
--- a/libcli/auth/netlogon_creds_cli.h
+++ b/libcli/auth/netlogon_creds_cli.h
@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
 void netlogon_creds_cli_close_global_db(void);
 
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
+
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
 				struct messaging_context *msg_ctx,
 				const char *client_account,
author	Stefan Metzmacher <metze@samba.org>	2022-11-30 14:47:33 +0100
committer	Stefan Metzmacher <metze@samba.org>	2022-12-13 13:07:29 +0000
commit	7e7adf86e59e8a673fbe87de46cef0d62221e800 (patch)
tree	ebbfdc9029d0d2d2af0b10cd23ef2c16f91a98a7 /libcli
parent	992f39a2c8a58301ceeb965f401e29cd64c5a209 (diff)
download	samba-7e7adf86e59e8a673fbe87de46cef0d62221e800.tar.gz