Projects
openEuler:20.03:LTS:SP3
samba
Sign Up
Log In
Username
Password
We truncated the diff of some files because they were too big. If you want to see the full diff for every file,
click here
.
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
Expand all
Collapse all
Changes of Revision 30
View file
_service:tar_scm_kernel_repo:samba.spec
Changed
@@ -49,7 +49,7 @@ Name: samba Version: 4.11.12 -Release: 24 +Release: 25 Summary: A suite for Linux to interoperate with Windows License: GPLv3+ and LGPLv3+ @@ -329,6 +329,15 @@ Patch6400: backport-0027-CVE-2022-38023.patch Patch6401: backport-0028-CVE-2022-38023.patch Patch6402: backport-0029-CVE-2022-38023.patch +Patch6403: backport-0030-CVE-2022-38023.patch +Patch6404: backport-0031-CVE-2022-38023.patch +Patch6405: backport-0032-CVE-2022-38023.patch +Patch6406: backport-0033-CVE-2022-38023.patch +Patch6407: backport-0034-CVE-2022-38023.patch +Patch6408: backport-0035-CVE-2022-38023.patch +Patch6409: backport-0036-CVE-2022-38023.patch +Patch6410: backport-0037-CVE-2022-38023.patch +Patch6411: backport-0038-CVE-2022-38023.patch BuildRequires: avahi-devel cups-devel dbus-devel docbook-style-xsl e2fsprogs-devel gawk gnupg2 gnutls-devel >= 3.4.7 gpgme-devel @@ -3387,6 +3396,12 @@ %{_mandir}/man* %changelog +* Mon Apr 03 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-25 +- Type:cves +- CVE:CVE-2022-38023 +- SUG:NA +- DESC:add patch for fix CVE-2022-38023 + * Wed Jan 18 2023 xinghe <xinghe2@h-partners.com> - 4.11.12-24 - Type:cves - CVE:CVE-2022-38023
View file
_service:tar_scm_kernel_repo:backport-0030-CVE-2022-38023.patch
Added
@@ -0,0 +1,133 @@ +From 19aa47e3db550fd3099f06c9b97dc5800dd5afb3 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Thu, 22 Dec 2022 11:33:12 +0100 +Subject: [PATCH 31/40] CVE-2022-38023 s3:rpc_server/netlogon: add + talloc_stackframe() to dcesrv_netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero <scabrero@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 38 ++++++++++++--------- + 1 file changed, 22 insertions(+), 16 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 3221ebaa2e2..8e907e60f7e 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1070,6 +1070,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + struct netr_Authenticator *return_authenticator, + struct netlogon_creds_CredentialState **creds_out) + { ++ TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; +@@ -1091,19 +1092,19 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + + auth_type = p->auth.auth_type; + +- lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); ++ lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); ++ TALLOC_FREE(frame); + return NT_STATUS_INTERNAL_ERROR; + } + + status = schannel_check_creds_state(mem_ctx, lp_ctx, + computer_name, received_authenticator, + return_authenticator, &creds); +- talloc_unlink(mem_ctx, lp_ctx); +- + if (!NT_STATUS_IS_OK(status)) { + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return status; + } + +@@ -1124,6 +1125,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + if (schannel_required) { + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -1131,13 +1133,15 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' is needed! \n", +- log_escape(mem_ctx, creds->account_name)); ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name)); + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); ++ TALLOC_FREE(frame); + return NT_STATUS_ACCESS_DENIED; + } + +@@ -1156,13 +1160,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) WITH schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +@@ -1171,24 +1176,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } else { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, +- log_escape(mem_ctx, creds->account_name), +- log_escape(mem_ctx, creds->computer_name)); ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " + "'server require schannel:%s = no' might be needed!\n", +- log_escape(mem_ctx, creds->account_name)); ++ log_escape(frame, creds->account_name)); + } + + *creds_out = creds; ++ TALLOC_FREE(frame); + return NT_STATUS_OK; + } + +-- +2.39.0
View file
_service:tar_scm_kernel_repo:backport-0031-CVE-2022-38023.patch
Added
@@ -0,0 +1,80 @@ +From 4118bd2e1b1a31717f4c5355be5d83c121fa85dc Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Wed, 21 Dec 2022 18:17:57 +0100 +Subject: [PATCH 32/40] CVE-2022-38023 s3:rpc_server/netlogon: re-order + checking in netr_creds_server_step_check() + +This will simplify the following changes. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero <scabrero@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 40 ++++++++++----------- + 1 file changed, 19 insertions(+), 21 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 8e907e60f7e..ba73fe3fa58 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1122,13 +1122,27 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + schannel_required = lp_bool(explicit_opt); + } + +- if (schannel_required) { +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (!schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) WITH schannel from " ++ "client_account[%s] client_computer_name[%s]\n", ++ opname, opnum, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } ++ if (explicit_opt != NULL && !schannel_required) { ++ DBG_ERR("CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed!?\n", ++ log_escape(frame, creds->account_name)); + } + ++ *creds_out = creds; ++ TALLOC_FREE(frame); ++ return NT_STATUS_OK; ++ } ++ ++ if (schannel_required) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", +@@ -1155,22 +1169,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + warned_global_once = true; + } + +- if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); +- +- *creds_out = creds; +- TALLOC_FREE(frame); +- return NT_STATUS_OK; +- } +- + if (explicit_opt != NULL) { + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " +-- +2.39.0
View file
_service:tar_scm_kernel_repo:backport-0032-CVE-2022-38023.patch
Added
@@ -0,0 +1,229 @@ +From 4e9f73ed47739f66fbf330d1f6ddb738b749395a Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Thu, 22 Dec 2022 11:35:57 +0100 +Subject: [PATCH 33/40] CVE-2022-38023 s3:rpc_server/netlogon: improve + CVE-2020-1472(ZeroLogon) debug messages + +In order to avoid generating useless debug messages during make test, +we will use 'CVE_2020_1472:warn_about_unused_debug_level = 3' +and 'CVE_2020_1472:error_debug_level = 2' in order to avoid schannel warnings. + +Review with: git show -w + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero <scabrero@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 149 ++++++++++++++------ + 1 file changed, 109 insertions(+), 40 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index ba73fe3fa58..c9401499a9b 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1077,9 +1077,14 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + const char *explicit_opt = NULL; + struct loadparm_context *lp_ctx; + struct netlogon_creds_CredentialState *creds = NULL; ++ int CVE_2020_1472_warn_level = DBGLVL_ERR; ++ int CVE_2020_1472_error_level = DBGLVL_ERR; ++ unsigned int dbg_lvl = DBGLVL_DEBUG; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; + uint16_t opnum = p->opnum; + const char *opname = "<unknown>"; ++ const char *reason = "<unknown>"; + static bool warned_global_once = false; + + if (creds_out != NULL) { +@@ -1091,6 +1096,7 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + } + + auth_type = p->auth.auth_type; ++ auth_level = p->auth.auth_level; + + lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); + if (lp_ctx == NULL) { +@@ -1099,6 +1105,23 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + return NT_STATUS_INTERNAL_ERROR; + } + ++ CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { ++ reason = "WITH SEALED"; ++ } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { ++ reason = "WITH SIGNED"; ++ } else { ++ smb_panic("Schannel without SIGN/SEAL"); ++ } ++ } else { ++ reason = "WITHOUT"; ++ } ++ + status = schannel_check_creds_state(mem_ctx, lp_ctx, + computer_name, received_authenticator, + return_authenticator, &creds); +@@ -1123,40 +1146,69 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + } + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { +- if (!schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) WITH schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); ++ status = NT_STATUS_OK; ++ ++ if (explicit_opt != NULL && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ + if (explicit_opt != NULL && !schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' not needed!?\n", +- log_escape(frame, creds->account_name)); ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); + } + + *creds_out = creds; + TALLOC_FREE(frame); +- return NT_STATUS_OK; ++ return status; + } + + if (schannel_required) { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' " +- "might be needed for a legacy client.\n", +- log_escape(frame, creds->account_name)); ++ status = NT_STATUS_ACCESS_DENIED; ++ ++ if (explicit_opt != NULL) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ if (explicit_opt != NULL) { ++ D_NOTICE("CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2020-1472(ZeroLogon): Check if option " ++ "'server require schannel:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); +- return NT_STATUS_ACCESS_DENIED; ++ return status; + } + + if (!schannel_global_required && !warned_global_once) { +@@ -1169,26 +1221,43 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + warned_global_once = true; + } + ++ status = NT_STATUS_OK; ++ + if (explicit_opt != NULL) { +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_INFO("CVE-2020-1472(ZeroLogon): " +- "Option 'server require schannel:%s = no' still needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { +- DBG_ERR("CVE-2020-1472(ZeroLogon): " +- "%s request (opnum[%u]) without schannel from " +- "client_account[%s] client_computer_name[%s]\n", +- opname, opnum, +- log_escape(frame, creds->account_name), +- log_escape(frame, creds->computer_name)); +- DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " +- "'server require schannel:%s = no' might be needed!\n", +- log_escape(frame, creds->account_name)); ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n",
View file
_service:tar_scm_kernel_repo:backport-0033-CVE-2022-38023.patch
Added
@@ -0,0 +1,186 @@ +From 24d91b96790628ba864c67cca0b97b95ad7f9555 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Thu, 22 Dec 2022 11:42:51 +0100 +Subject: [PATCH 35/40] CVE-2022-38023 s3:rpc_server/netlogon: split out + netr_check_schannel() function + +This will allow us to reuse the function in other places. +As it will also get some additional checks soon. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero <scabrero@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 107 ++++++++++++-------- + 1 file changed, 62 insertions(+), 45 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index c9401499a9b..b254ca72a48 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1063,53 +1063,30 @@ NTSTATUS _netr_ServerAuthenticate2(struct pipes_struct *p, + /************************************************************************* + *************************************************************************/ + +-static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, +- TALLOC_CTX *mem_ctx, +- const char *computer_name, +- struct netr_Authenticator *received_authenticator, +- struct netr_Authenticator *return_authenticator, +- struct netlogon_creds_CredentialState **creds_out) ++static NTSTATUS netr_check_schannel(struct pipes_struct *p, ++ const struct netlogon_creds_CredentialState *creds, ++ enum dcerpc_AuthType auth_type, ++ enum dcerpc_AuthLevel auth_level, ++ uint16_t opnum) + { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; +- struct loadparm_context *lp_ctx; +- struct netlogon_creds_CredentialState *creds = NULL; +- int CVE_2020_1472_warn_level = DBGLVL_ERR; +- int CVE_2020_1472_error_level = DBGLVL_ERR; ++ int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); + unsigned int dbg_lvl = DBGLVL_DEBUG; +- enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; +- enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; +- uint16_t opnum = p->opnum; + const char *opname = "<unknown>"; + const char *reason = "<unknown>"; + static bool warned_global_once = false; + +- if (creds_out != NULL) { +- *creds_out = NULL; +- } +- + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; + } + +- auth_type = p->auth.auth_type; +- auth_level = p->auth.auth_level; +- +- lp_ctx = loadparm_init_s3(frame, loadparm_s3_helpers()); +- if (lp_ctx == NULL) { +- DEBUG(0, ("loadparm_init_s3 failed\n")); +- TALLOC_FREE(frame); +- return NT_STATUS_INTERNAL_ERROR; +- } +- +- CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); +- CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL, +- "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); +- + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + if (auth_level == DCERPC_AUTH_LEVEL_PRIVACY) { + reason = "WITH SEALED"; +@@ -1122,15 +1099,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + reason = "WITHOUT"; + } + +- status = schannel_check_creds_state(mem_ctx, lp_ctx, +- computer_name, received_authenticator, +- return_authenticator, &creds); +- if (!NT_STATUS_IS_OK(status)) { +- ZERO_STRUCTP(return_authenticator); +- TALLOC_FREE(frame); +- return status; +- } +- + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -1171,7 +1139,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return status; + } +@@ -1205,8 +1172,6 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + "might be needed for a legacy client.\n", + log_escape(frame, creds->account_name))); + } +- TALLOC_FREE(creds); +- ZERO_STRUCTP(return_authenticator); + TALLOC_FREE(frame); + return status; + } +@@ -1260,11 +1225,63 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, + log_escape(frame, creds->computer_name))); + } + +- *creds_out = creds; + TALLOC_FREE(frame); + return NT_STATUS_OK; + } + ++static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, ++ TALLOC_CTX *mem_ctx, ++ const char *computer_name, ++ struct netr_Authenticator *received_authenticator, ++ struct netr_Authenticator *return_authenticator, ++ struct netlogon_creds_CredentialState **creds_out) ++{ ++ struct loadparm_context *lp_ctx = NULL; ++ NTSTATUS status; ++ struct netlogon_creds_CredentialState *creds = NULL; ++ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; ++ enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; ++ uint16_t opnum = p->opnum; ++ ++ if (creds_out != NULL) { ++ *creds_out = NULL; ++ } ++ ++ auth_type = p->auth.auth_type; ++ auth_level = p->auth.auth_level; ++ ++ lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); ++ if (lp_ctx == NULL) { ++ DEBUG(0, ("loadparm_init_s3 failed\n")); ++ return NT_STATUS_INTERNAL_ERROR; ++ } ++ ++ status = schannel_check_creds_state(mem_ctx, ++ lp_ctx, ++ computer_name, ++ received_authenticator, ++ return_authenticator, ++ &creds); ++ TALLOC_FREE(lp_ctx); ++ if (!NT_STATUS_IS_OK(status)) { ++ ZERO_STRUCTP(return_authenticator); ++ return status; ++ } ++ ++ status = netr_check_schannel(p, ++ creds, ++ auth_type, ++ auth_level, ++ opnum); ++ if (!NT_STATUS_IS_OK(status)) { ++ TALLOC_FREE(creds); ++ ZERO_STRUCTP(return_authenticator); ++ return status; ++ } ++ ++ *creds_out = creds; ++ return NT_STATUS_OK; ++} + + /************************************************************************* + *************************************************************************/ +-- +2.39.0
View file
_service:tar_scm_kernel_repo:backport-0034-CVE-2022-38023.patch
Added
@@ -0,0 +1,81 @@ +From ec1962e20deb4cbe95e861eb57107f08cb3a6de9 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Thu, 22 Dec 2022 09:29:04 +0100 +Subject: [PATCH 36/40] CVE-2022-38023 s3:rpc_server/netlogon: make sure all + dcesrv_netr_LogonSamLogon*() calls go through netr_check_schannel() + +We'll soon add some additional contraints in dcesrv_netr_check_schannel(), +which are also required for dcesrv_netr_LogonSamLogonEx(). + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero <scabrero@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 30 ++++++++++++++++----- + 1 file changed, 23 insertions(+), 7 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index b254ca72a48..a66b929b479 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1771,6 +1771,8 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + struct auth_serversupplied_info *server_info = NULL; + struct auth_context *auth_context = NULL; + const char *fn; ++ enum dcerpc_AuthType auth_type = p->auth.auth_type; ++ enum dcerpc_AuthLevel auth_level = p->auth.auth_level; + + #ifdef DEBUG_PASSWORD + logon = netlogon_creds_shallow_copy_logon(p->mem_ctx, +@@ -1784,11 +1786,32 @@ static NTSTATUS _netr_LogonSamLogon_base(struct pipes_struct *p, + switch (p->opnum) { + case NDR_NETR_LOGONSAMLOGON: + fn = "_netr_LogonSamLogon"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONWITHFLAGS: + fn = "_netr_LogonSamLogonWithFlags"; ++ /* ++ * Already called netr_check_schannel() via ++ * netr_creds_server_step_check() ++ */ + break; + case NDR_NETR_LOGONSAMLOGONEX: ++ if (auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { ++ return NT_STATUS_ACCESS_DENIED; ++ } ++ ++ status = netr_check_schannel(p, ++ creds, ++ auth_type, ++ auth_level, ++ p->opnum); ++ if (NT_STATUS_IS_ERR(status)) { ++ return status; ++ } ++ + fn = "_netr_LogonSamLogonEx"; + break; + default: +@@ -2130,13 +2153,6 @@ NTSTATUS _netr_LogonSamLogonEx(struct pipes_struct *p, + return status; + } + +- /* Only allow this if the pipe is protected. */ +- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { +- DEBUG(0,("_netr_LogonSamLogonEx: client %s not using schannel for netlogon\n", +- get_remote_machine_name() )); +- return NT_STATUS_INVALID_PARAMETER; +- } +- + lp_ctx = loadparm_init_s3(p->mem_ctx, loadparm_s3_helpers()); + if (lp_ctx == NULL) { + DEBUG(0, ("loadparm_init_s3 failed\n")); +-- +2.39.0
View file
_service:tar_scm_kernel_repo:backport-0035-CVE-2022-38023.patch
Added
@@ -0,0 +1,92 @@ +From e46fdd96cf0cea2415e7dfd49d7f204c53bac762 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Wed, 4 Jan 2023 17:23:41 +0100 +Subject: [PATCH 37/40] CVE-2022-38023 s3:rpc_server/netlogon: Rename variable + +This will simplify the following changes. + +Signed-off-by: Samuel Cabrero <scabrero@suse.de> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index a66b929b479..b7c8e2c928e 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1071,9 +1071,10 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + { + TALLOC_CTX *frame = talloc_stackframe(); + NTSTATUS status; ++ const char *explicit_opt = NULL; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; +- const char *explicit_opt = NULL; ++ bool schannel_explicitly_set = false; + int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, +@@ -1112,11 +1113,12 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + if (explicit_opt != NULL) { + schannel_required = lp_bool(explicit_opt); + } ++ schannel_explicitly_set = explicit_opt != NULL; + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + status = NT_STATUS_OK; + +- if (explicit_opt != NULL && !schannel_required) { ++ if (schannel_explicitly_set && !schannel_required) { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); + } else if (!schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); +@@ -1131,7 +1133,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + +- if (explicit_opt != NULL && !schannel_required) { ++ if (schannel_explicitly_set && !schannel_required) { + DEBUG(CVE_2020_1472_warn_level, ( + "CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed for '%s'!\n", +@@ -1146,7 +1148,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + if (schannel_required) { + status = NT_STATUS_ACCESS_DENIED; + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -1160,7 +1162,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), + nt_errstr(status))); +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + D_NOTICE("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = yes' " + "rejects access for client.\n", +@@ -1188,7 +1190,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + + status = NT_STATUS_OK; + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } else { + dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level); +@@ -1203,7 +1205,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->computer_name), + nt_errstr(status))); + +- if (explicit_opt != NULL) { ++ if (schannel_explicitly_set) { + D_INFO("CVE-2020-1472(ZeroLogon): Option " + "'server require schannel:%s = no' " + "still needed for '%s'!\n", +-- +2.39.0
View file
_service:tar_scm_kernel_repo:backport-0036-CVE-2022-38023.patch
Added
@@ -0,0 +1,62 @@ +From b0ecb8aebf814b339afe1d2843ef53ece5cb4c9d Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Wed, 4 Jan 2023 17:39:20 +0100 +Subject: [PATCH 38/40] CVE-2022-38023 s3:rpc_server/netlogon: Return error on + invalid auth level + +Signed-off-by: Samuel Cabrero <scabrero@suse.de> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 23 +++++++++++++++++++-- + 1 file changed, 21 insertions(+), 2 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index b7c8e2c928e..5f89e945f9c 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1070,7 +1070,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + uint16_t opnum) + { + TALLOC_CTX *frame = talloc_stackframe(); +- NTSTATUS status; ++ NTSTATUS status = NT_STATUS_MORE_PROCESSING_REQUIRED; + const char *explicit_opt = NULL; + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; +@@ -1094,12 +1094,31 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } else if (auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) { + reason = "WITH SIGNED"; + } else { +- smb_panic("Schannel without SIGN/SEAL"); ++ reason = "WITH INVALID"; ++ dbg_lvl = DBGLVL_ERR; ++ status = NT_STATUS_INTERNAL_ERROR; + } + } else { + reason = "WITHOUT"; + } + ++ if (!NT_STATUS_EQUAL(status, NT_STATUS_MORE_PROCESSING_REQUIRED)) { ++ if (!NT_STATUS_IS_OK(status)) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ TALLOC_FREE(frame); ++ return status; ++ } ++ + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +-- +2.39.0
View file
_service:tar_scm_kernel_repo:backport-0037-CVE-2022-38023.patch
Added
@@ -0,0 +1,47 @@ +From 037606c112ae4d1025708d2d12898e73359f0c54 Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Wed, 4 Jan 2023 17:42:37 +0100 +Subject: [PATCH 39/40] CVE-2022-38023 s3:rpc_server/netlogon: Rename variable + +This will simplify the following changes. + +Signed-off-by: Samuel Cabrero <scabrero@samba.org> + +Conflict: NA +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + source3/rpc_server/netlogon/srv_netlog_nt.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index 5f89e945f9c..f238d7ce42b 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1082,7 +1082,7 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = "<unknown>"; + const char *reason = "<unknown>"; +- static bool warned_global_once = false; ++ static bool warned_global_schannel_once = false; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; +@@ -1197,14 +1197,14 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + return status; + } + +- if (!schannel_global_required && !warned_global_once) { ++ if (!schannel_global_required && !warned_global_schannel_once) { + /* + * We want admins to notice their misconfiguration! + */ + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Please configure 'server schannel = yes', " + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); +- warned_global_once = true; ++ warned_global_schannel_once = true; + } + + status = NT_STATUS_OK; +-- +2.39.0
View file
_service:tar_scm_kernel_repo:backport-0038-CVE-2022-38023.patch
Added
@@ -0,0 +1,354 @@ +From fba17d9f8e6437fc675608c0507d6a00f830aaea Mon Sep 17 00:00:00 2001 +From: Samuel Cabrero <scabrero@suse.de> +Date: Wed, 4 Jan 2023 17:50:04 +0100 +Subject: [PATCH 40/40] CVE-2022-38023 s3:rpc_server/netlogon: implement + "server schannel require seal[:COMPUTERACCOUNT]" + +By default we'll now require schannel connections with +privacy/sealing/encryption. + +But we allow exceptions for specific computer/trust accounts. + +BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240 + +Signed-off-by: Samuel Cabrero <scabrero@suse.de> + +Conflict: remove selftest/target/Samba3.pm +Reference: https://attachments.samba.org/attachment.cgi?id=17736 +--- + selftest/target/Samba3.pm | 14 ++ + source3/rpc_server/netlogon/srv_netlog_nt.c | 237 +++++++++++++++++++- + 2 files changed, 249 insertions(+), 2 deletions(-) + +diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c +index f238d7ce42b..df305e94479 100644 +--- a/source3/rpc_server/netlogon/srv_netlog_nt.c ++++ b/source3/rpc_server/netlogon/srv_netlog_nt.c +@@ -1075,14 +1075,22 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; + bool schannel_explicitly_set = false; ++ bool seal_global_required = (lp_server_schannel_require_seal() == true) ? true:false; ++ bool seal_required = seal_global_required; ++ bool seal_explicitly_set = false; + int CVE_2020_1472_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, + "CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR); + int CVE_2020_1472_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, + "CVE_2020_1472", "error_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_warn_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR); ++ int CVE_2022_38023_error_level = lp_parm_int(GLOBAL_SECTION_SNUM, ++ "CVE_2022_38023", "error_debug_level", DBGLVL_ERR); + unsigned int dbg_lvl = DBGLVL_DEBUG; + const char *opname = "<unknown>"; + const char *reason = "<unknown>"; + static bool warned_global_schannel_once = false; ++ static bool warned_global_seal_once = false; + + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; +@@ -1119,6 +1127,20 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + return status; + } + ++ /* ++ * We don't use lp_parm_bool(), as we ++ * need the explicit_opt pointer in order to ++ * adjust the debug messages. ++ */ ++ explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM, ++ "server schannel require seal", ++ creds->account_name, ++ NULL); ++ if (explicit_opt != NULL) { ++ seal_required = lp_bool(explicit_opt); ++ } ++ seal_explicitly_set = explicit_opt != NULL; ++ + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to +@@ -1134,7 +1156,96 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } + schannel_explicitly_set = explicit_opt != NULL; + ++ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL && ++ auth_level == DCERPC_AUTH_LEVEL_PRIVACY) ++ { ++ status = NT_STATUS_OK; ++ ++ if (schannel_explicitly_set && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level); ++ } else if (!schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ if (seal_explicitly_set && !seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } else if (!seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ ++ if (schannel_explicitly_set && !schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): " ++ "Option 'server require schannel:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ if (seal_explicitly_set && !seal_required) { ++ DEBUG(CVE_2022_38023_warn_level, ( ++ "CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ ++ TALLOC_FREE(frame); ++ return status; ++ } ++ + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { ++ if (seal_required) { ++ status = NT_STATUS_ACCESS_DENIED; ++ ++ if (seal_explicitly_set) { ++ dbg_lvl = DBGLVL_NOTICE; ++ } else { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } ++ if (schannel_explicitly_set && !schannel_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level); ++ } ++ ++ DEBUG(dbg_lvl, ( ++ "CVE-2022-38023: " ++ "%s request (opnum[%u]) %s schannel from " ++ "from client_account[%s] client_computer_name[%s] %s\n", ++ opname, opnum, reason, ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name), ++ nt_errstr(status))); ++ if (seal_explicitly_set) { ++ D_NOTICE("CVE-2022-38023: Option " ++ "'server schannel require seal:%s = yes' " ++ "rejects access for client.\n", ++ log_escape(frame, creds->account_name)); ++ } else { ++ DEBUG(CVE_2020_1472_error_level, ( ++ "CVE-2022-38023: Check if option " ++ "'server schannel require seal:%s = no' " ++ "might be needed for a legacy client.\n", ++ log_escape(frame, creds->account_name))); ++ } ++ if (schannel_explicitly_set && !schannel_required) { ++ DEBUG(CVE_2020_1472_warn_level, ( ++ "CVE-2020-1472(ZeroLogon): Option " ++ "'server require schannel:%s = no' " ++ "not needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name))); ++ } ++ TALLOC_FREE(frame); ++ return status; ++ } ++ + status = NT_STATUS_OK; + + if (schannel_explicitly_set && !schannel_required) { +@@ -1142,6 +1253,11 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + } else if (!schannel_required) { + dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); + } ++ if (seal_explicitly_set && !seal_required) { ++ dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO); ++ } else if (!seal_required) { ++ dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level); ++ } + + DEBUG(dbg_lvl, ( + "CVE-2020-1472(ZeroLogon): " +@@ -1151,7 +1267,6 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name), + nt_errstr(status))); +- + if (schannel_explicitly_set && !schannel_required) { + DEBUG(CVE_2020_1472_warn_level, ( + "CVE-2020-1472(ZeroLogon): " +@@ -1159,7 +1274,77 @@ static NTSTATUS netr_check_schannel(struct pipes_struct *p, + log_escape(frame, creds->account_name), + log_escape(frame, creds->computer_name))); + } ++ if (seal_explicitly_set && !seal_required) { ++ D_INFO("CVE-2022-38023: " ++ "Option 'server schannel require seal:%s = no' still needed for '%s'!\n", ++ log_escape(frame, creds->account_name), ++ log_escape(frame, creds->computer_name)); ++ } else if (!seal_required) { ++ /* ++ * admins should set
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.