[SCM] Samba Shared Repository - branch v4-16-test updated

Jule Anger janger at samba.org
Mon Jan 23 11:00:02 UTC 2023


The branch, v4-16-test has been updated
       via  eddd14cedbf lib/replace - add extra check to bsd_attr_list
       via  11896049957 s3: smbd: Always use metadata_fsp() when processing fsctls.
       via  c6733cbe872 s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
       via  44ec3e4f292 s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
       via  02e56ac1bb5 CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context allocations
       via  3e7bbe047fe CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server.
       via  55900577757 CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
       via  7f4f9a3277b CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
       via  080ff2cd284 CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()
       via  0d27e4b4598 CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
       via  538dcc38faa CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
       via  71b22920a6c CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'
       via  cc787d0becb CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
      from  7b49569afcb s4: libcli: Ignore errors when getting A records after fetching AAAA records.

https://git.samba.org/?p=samba.git;a=shortlog;h=v4-16-test


- Log -----------------------------------------------------------------
commit eddd14cedbf6cc0a8c32f0e00e138c94aa941541
Author: Andrew Walker <awalker at ixsystems.com>
Date:   Tue Dec 27 10:59:14 2022 -0500

    lib/replace - add extra check to bsd_attr_list
    
    The FreeBSD extattr API may return success and a truncated
    namelist. We need to check for this in bsd_attr_list to
    ensure that we don't accidentally read off the end of the
    buffer. In the case of a truncated value, the pascal
    strings for attr names will reflect the lengths as if
    the value were not truncated. For example:
    `58DosStrea`
    
    In case of short read we now set error to ERANGE and
    fail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15271
    
    Signed-off-by: Andrew Walker <awalker at ixsystems.com>
    Reviewed-by: Ralph Boehme <slow at samba.org>
    
    Autobuild-User(master): Ralph Böhme <slow at samba.org>
    Autobuild-Date(master): Mon Jan  2 14:27:23 UTC 2023 on sn-devel-184
    
    (cherry picked from commit 01cdc5e00be78a51f0766634cc7fe50de2088203)
    
    Autobuild-User(v4-16-test): Jule Anger <janger at samba.org>
    Autobuild-Date(v4-16-test): Mon Jan 23 10:59:28 UTC 2023 on sn-devel-184

commit 1189604995793b1b5345ffad570688388f9248a8
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Nov 10 14:43:15 2022 -0800

    s3: smbd: Always use metadata_fsp() when processing fsctls.
    
    Currently all fsctls we implement need the base fsp, not
    an alternate data stream fsp. We may revisit this later
    if we implement fsctls that operate on an ADS.
    
    Remove knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236
    
    Signed-off-by: Jeremy Allison <jra at samba.org>
    Reviewed-by: Andrew Walker <awalker at ixsystems.com>
    
    Autobuild-User(master): Jeremy Allison <jra at samba.org>
    Autobuild-Date(master): Mon Nov 14 18:13:31 UTC 2022 on sn-devel-184
    
    (cherry picked from commit fa4eba131b882c3858b28f5fd9864998e19a4510)

commit c6733cbe872d07825033b084a0f0cb9240459872
Author: Jeremy Allison <jra at samba.org>
Date:   Thu Nov 10 14:41:15 2022 -0800

    s3: smbd: Add test to show smbd crashes when doing an FSCTL on a named stream handle.
    
    Add knownfail.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15236
    
    Signed-off-by: Andrew Walker <awalker at ixsystems.com>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (back-ported from commit abc4495e4591964bb4625c2669a1f84213faab77)

commit 44ec3e4f29208406ae6f73416b092d8754adfb0b
Author: Stefan Metzmacher <metze at samba.org>
Date:   Thu Dec 16 18:24:16 2021 +0100

    s3:auth: call wbcFreeMemory(info) in auth3_generate_session_info_pac()
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15286
    
    Signed-off-by: Stefan Metzmacher <metze at samba.org>
    Reviewed-by: Jeremy Allison <jra at samba.org>
    (cherry picked from commit e27084f5d8c3a151c5d0b266118f0d71b641dc85)

commit 02e56ac1bb5c97e10b57c76c0f14fc9b3b06779d
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Thu Dec 22 16:32:40 2022 +0100

    CVE-2022-38023 s3:rpc_server/netlogon: Avoid unnecessary loadparm_context allocations
    
    After the s3 and s4 rpc servers merge, the loadparm_context is available in
    the dcesrv_context structure.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    
    Autobuild-User(master): Andreas Schneider <asn at cryptomilk.org>
    Autobuild-Date(master): Mon Jan  9 15:17:14 UTC 2023 on sn-devel-184
    
    (cherry picked from commit 56837f3d3169a02d0d92bd085d9c8250415ce29b)

commit 3e7bbe047fef8e5f907d1b3725f1d0d40996fbd1
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Mon Jan 9 12:17:48 2023 +0100

    CVE-2022-38023 docs-xml/smbdotconf: The "server schannel require seal[:COMPUTERACCOUNT]" options are also honoured by s3 netlogon server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 02fba22b8c9e9b33ab430555ef45500c45eaa9d1)

commit 55900577757019bbdf16128cf0d7cee356770247
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Thu Dec 22 11:05:33 2022 +0100

    CVE-2022-38023 s3:rpc_server/netlogon: Check for global "server schannel require seal"
    
    By default we'll now require schannel connections with privacy/sealing/encryption.
    
    But we allow exceptions for specific computer/trust accounts.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit a0b97e262318dc56fe663da89b0ee3172b2e7848)

commit 7f4f9a3277b28b85c5d280775f9f3571c77f1c07
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Thu Dec 22 09:29:04 2022 +0100

    CVE-2022-38023 s3:rpc_server/netlogon: make sure all _netr_LogonSamLogon*() calls go through dcesrv_netr_check_schannel()
    
    Some checks are also required for _netr_LogonSamLogonEx().
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit ca07f4340ce58a7e940a1123888b7409176412f7)

commit 080ff2cd28481f39552571c30b23ec3d08811b7b
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Thu Dec 22 16:30:26 2022 +0100

    CVE-2022-38023 s3:rpc_server/netlogon: Use dcesrv_netr_creds_server_step_check()
    
    After the s3 and s4 rpc servers merge, we can avoid duplicated code.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 25300d354c80995997d552581cd91dddaf4bbf48)

commit 0d27e4b4598b1d8f3cb8852c2104d201aacebac1
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Thu Dec 22 14:03:23 2022 +0100

    CVE-2022-38023 s4:rpc_server/netlogon: Move schannel and credentials check functions to librpc
    
    Will be used later by the s3 netlogon server.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 121e7b0e39478c5291100652ac92c263f406076b)

commit 538dcc38faab4dd6f4568022ebb0b3d92d1c6f33
Author: Samuel Cabrero <scabrero at samba.org>
Date:   Thu Jan 5 18:13:09 2023 +0100

    CVE-2022-38023 s4:rpc_server:wscript: Reformat following pycodestyle
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit d9e6b490db3ead7e79bb3ff0c1f9ef8ab8bdc65b)

commit 71b22920a6c4118d3bc62d1582bdeab33f9e5656
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Thu Dec 22 16:46:15 2022 +0100

    CVE-2022-38023 selftest:Samba3: avoid global 'server schannel = auto'
    
    Instead of using the generic deprecated option, use the specific
    'server require schannel:COMPUTERACCOUNT = no' in order to allow
    legacy tests to pass.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 3cd18690f83d2f85e847fc703ac127b4b04189fc)

commit cc787d0becb06fb0aac01c8464f6b53188385aea
Author: Samuel Cabrero <scabrero at suse.de>
Date:   Wed Dec 21 15:53:04 2022 +0100

    CVE-2022-38023 s3:rpc_server/netlogon: 'server schannel != yes' warning to dcesrv_interface_netlogon_bind
    
    Follow s4 netlogon server changes and move the checks to the RPC bind
    hook. Next commits will remove the s3 netr_creds_server_step_check()
    function.
    
    BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
    
    Signed-off-by: Samuel Cabrero <scabrero at samba.org>
    Reviewed-by: Andreas Schneider <asn at samba.org>
    (cherry picked from commit 8141eae47aad849741beb138fae866c772e4ec4c)

-----------------------------------------------------------------------

Summary of changes:
 .../security/serverschannelrequireseal.xml         |   5 +-
 lib/replace/xattr.c                                |  12 +
 librpc/rpc/server/netlogon/schannel_util.c         | 570 +++++++++++++++++++++
 librpc/rpc/server/netlogon/schannel_util.h         |  54 ++
 librpc/wscript_build                               |  12 +
 selftest/knownfail                                 |   1 +
 selftest/target/Samba3.pm                          |  30 +-
 source3/auth/auth_generic.c                        |   1 +
 source3/modules/vfs_default.c                      |   8 +-
 source3/rpc_server/netlogon/srv_netlog_nt.c        | 318 ++++--------
 source3/rpc_server/wscript_build                   |   2 +-
 source3/selftest/tests.py                          |   2 +
 source4/rpc_server/netlogon/dcerpc_netlogon.c      | 546 +-------------------
 source4/rpc_server/wscript_build                   | 292 ++++++-----
 source4/torture/smb2/ioctl.c                       |  74 +++
 source4/torture/smb2/smb2.c                        |   2 +
 16 files changed, 1050 insertions(+), 879 deletions(-)
 create mode 100644 librpc/rpc/server/netlogon/schannel_util.c
 create mode 100644 librpc/rpc/server/netlogon/schannel_util.h


Changeset truncated at 500 lines:

diff --git a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
index d4620d1252d..0bec67d2519 100644
--- a/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
+++ b/docs-xml/smbdotconf/security/serverschannelrequireseal.xml
@@ -12,9 +12,8 @@
 	</para>
 
 	<para>
-	This option controls whether the netlogon server (currently
-	only in 'active directory domain controller' mode), will
-	reject the usage of netlogon secure channel without privacy/enryption.
+	This option controls whether the netlogon server, will reject the usage
+	of netlogon secure channel without privacy/enryption.
 	</para>
 
 	<para>
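Review bot: the rewritten sentence `This option controls whether the netlogon server, will reject the usage` puts a stray comma between subject and verb and carries the pre-existing typo "enryption" forward; since the paragraph is being touched anyway, suggest `This option controls whether the netlogon server will reject the usage of netlogon secure channel without privacy/encryption.` Dropping the "(currently only in 'active directory domain controller' mode)" qualifier is consistent with the commit subject, which says the option is now honoured by the s3 netlogon server as well.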
diff --git a/lib/replace/xattr.c b/lib/replace/xattr.c
index 01215f1a9f3..8b93e675403 100644
--- a/lib/replace/xattr.c
+++ b/lib/replace/xattr.c
@@ -266,6 +266,18 @@ static ssize_t bsd_attr_list (int type, extattr_arg arg, char *list, size_t size
 
 		for(i = 0; i < list_size; i += len + 1) {
 			len = buf[i];
+
+			/*
+			 * If for some reason we receive a truncated
+			 * return from call to list xattrs the pascal
+			 * string lengths will not be changed and
+			 * therefore we must check that we're not
+			 * reading garbage data or off end of array
+			 */
+			if (len + i >= list_size) {
+				errno = ERANGE;
+				return -1;
+			}
 			strncpy(list, extattr[t].name, extattr[t].len + 1);
 			list += extattr[t].len;
 			strncpy(list, buf + i + 1, len);
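Review bot: the new bounds check guards exactly the read that follows it: `strncpy(list, buf + i + 1, len)` touches buf[i+1..i+len], which stays inside a list_size-byte buffer precisely when `len + i < list_size`, so failing with ERANGE on `len + i >= list_size` is the right response to a truncated namelist. Two things to confirm outside the visible lines: that `len` (assigned from `buf[i]`) is an unsigned type, since a signed char or int would let a name length of 128 or more go negative and slip past the `>=` test, and that nothing allocated earlier in bsd_attr_list is leaked by the early `return -1`. Consider also logging the affected namespace (`extattr[t].name`) at debug level before returning, so a truncated listing is diagnosable from the logs rather than surfacing only as an opaque ERANGE to the caller.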
diff --git a/librpc/rpc/server/netlogon/schannel_util.c b/librpc/rpc/server/netlogon/schannel_util.c
new file mode 100644
index 00000000000..b14497b13ce
--- /dev/null
+++ b/librpc/rpc/server/netlogon/schannel_util.c
@@ -0,0 +1,570 @@
+/*
+   Unix SMB/CIFS implementation.
+
+   netlogon schannel utility functions
+
+   Copyright (C) Andrew Bartlett <abartlet at samba.org> 2004-2008
+   Copyright (C) Stefan Metzmacher <metze at samba.org>  2005
+   Copyright (C) Matthias Dieter Wallnöfer            2009-2010
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 3 of the License, or
+   (at your option) any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program.  If not, see <http://www.gnu.org/licenses/>.
+*/
+
+#include "includes.h"
+#include "schannel_util.h"
+#include "param/param.h"
+#include "libcli/security/dom_sid.h"
+#include "libcli/auth/schannel.h"
+#include "librpc/rpc/dcesrv_core.h"
+#include "librpc/gen_ndr/ndr_netlogon.h"
+#include "lib/util/util_str_escape.h"
+
+struct dcesrv_netr_check_schannel_state {
+	struct dom_sid account_sid;
+	enum dcerpc_AuthType auth_type;
+	enum dcerpc_AuthLevel auth_level;
+
+	bool schannel_global_required;
+	bool schannel_required;
+	bool schannel_explicitly_set;
+
+	bool seal_global_required;
+	bool seal_required;
+	bool seal_explicitly_set;
+
+	NTSTATUS result;
+};
+
+static NTSTATUS dcesrv_netr_check_schannel_get_state(struct dcesrv_call_state *dce_call,
+						     const struct netlogon_creds_CredentialState *creds,
+						     enum dcerpc_AuthType auth_type,
+						     enum dcerpc_AuthLevel auth_level,
+						     struct dcesrv_netr_check_schannel_state **_s)
+{
+	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+	int schannel = lpcfg_server_schannel(lp_ctx);
+	bool schannel_global_required = (schannel == true);
+	bool schannel_required = schannel_global_required;
+	const char *explicit_opt = NULL;
+	bool global_require_seal = lpcfg_server_schannel_require_seal(lp_ctx);
+	bool require_seal = global_require_seal;
+	const char *explicit_seal_opt = NULL;
+#define DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC (NETLOGON_SERVER_PIPE_STATE_MAGIC+1)
+	struct dcesrv_netr_check_schannel_state *s = NULL;
+	NTSTATUS status;
+
+	*_s = NULL;
+
+	s = dcesrv_iface_state_find_conn(dce_call,
+			DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+			struct dcesrv_netr_check_schannel_state);
+	if (s != NULL) {
+		if (!dom_sid_equal(&s->account_sid, creds->sid)) {
+			goto new_state;
+		}
+		if (s->auth_type != auth_type) {
+			goto new_state;
+		}
+		if (s->auth_level != auth_level) {
+			goto new_state;
+		}
+
+		*_s = s;
+		return NT_STATUS_OK;
+	}
+
+new_state:
+	TALLOC_FREE(s);
+	s = talloc_zero(dce_call,
+			struct dcesrv_netr_check_schannel_state);
+	if (s == NULL) {
+		return NT_STATUS_NO_MEMORY;
+	}
+
+	s->account_sid = *creds->sid;
+	s->auth_type = auth_type;
+	s->auth_level = auth_level;
+	s->result = NT_STATUS_MORE_PROCESSING_REQUIRED;
+
+	/*
+	 * We don't use lpcfg_parm_bool(), as we
+	 * need the explicit_opt pointer in order to
+	 * adjust the debug messages.
+	 */
+	explicit_seal_opt = lpcfg_get_parametric(lp_ctx,
+						 NULL,
+						 "server schannel require seal",
+						 creds->account_name);
+	if (explicit_seal_opt != NULL) {
+		require_seal = lp_bool(explicit_seal_opt);
+	}
+
+	/*
+	 * We don't use lpcfg_parm_bool(), as we
+	 * need the explicit_opt pointer in order to
+	 * adjust the debug messages.
+	 */
+	explicit_opt = lpcfg_get_parametric(lp_ctx,
+					    NULL,
+					    "server require schannel",
+					    creds->account_name);
+	if (explicit_opt != NULL) {
+		schannel_required = lp_bool(explicit_opt);
+	}
+
+	s->schannel_global_required = schannel_global_required;
+	s->schannel_required = schannel_required;
+	s->schannel_explicitly_set = explicit_opt != NULL;
+
+	s->seal_global_required = global_require_seal;
+	s->seal_required = require_seal;
+	s->seal_explicitly_set = explicit_seal_opt != NULL;
+
+	status = dcesrv_iface_state_store_conn(dce_call,
+			DCESRV_NETR_CHECK_SCHANNEL_STATE_MAGIC,
+			s);
+	if (!NT_STATUS_IS_OK(status)) {
+		return status;
+	}
+
+	*_s = s;
+	return NT_STATUS_OK;
+}
+
+static NTSTATUS dcesrv_netr_check_schannel_once(struct dcesrv_call_state *dce_call,
+						struct dcesrv_netr_check_schannel_state *s,
+						const struct netlogon_creds_CredentialState *creds,
+						uint16_t opnum)
+{
+	struct loadparm_context *lp_ctx = dce_call->conn->dce_ctx->lp_ctx;
+	int CVE_2020_1472_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2020_1472", "warn_about_unused_debug_level", DBGLVL_ERR);
+	int CVE_2020_1472_error_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2020_1472", "error_debug_level", DBGLVL_ERR);
+	int CVE_2022_38023_warn_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2022_38023", "warn_about_unused_debug_level", DBGLVL_ERR);
+	int CVE_2022_38023_error_level = lpcfg_parm_int(lp_ctx, NULL,
+		"CVE_2022_38023", "error_debug_level", DBGLVL_ERR);
+	TALLOC_CTX *frame = talloc_stackframe();
+	unsigned int dbg_lvl = DBGLVL_DEBUG;
+	const char *opname = "<unknown>";
+	const char *reason = "<unknown>";
+
+	if (opnum < ndr_table_netlogon.num_calls) {
+		opname = ndr_table_netlogon.calls[opnum].name;
+	}
+
+	if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY) {
+			reason = "WITH SEALED";
+		} else if (s->auth_level == DCERPC_AUTH_LEVEL_INTEGRITY) {
+			reason = "WITH SIGNED";
+		} else {
+			reason = "WITH INVALID";
+			dbg_lvl = DBGLVL_ERR;
+			s->result = NT_STATUS_INTERNAL_ERROR;
+		}
+	} else {
+		reason = "WITHOUT";
+	}
+
+	if (!NT_STATUS_EQUAL(s->result, NT_STATUS_MORE_PROCESSING_REQUIRED)) {
+		if (!NT_STATUS_IS_OK(s->result)) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(s->result)));
+		TALLOC_FREE(frame);
+		return s->result;
+	}
+
+	if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL &&
+	    s->auth_level == DCERPC_AUTH_LEVEL_PRIVACY)
+	{
+		s->result = NT_STATUS_OK;
+
+		if (s->schannel_explicitly_set && !s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+		} else if (!s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+		if (s->seal_explicitly_set && !s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+		} else if (!s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(s->result)));
+
+		if (s->schannel_explicitly_set && !s->schannel_required) {
+			DEBUG(CVE_2020_1472_warn_level, (
+			      "CVE-2020-1472(ZeroLogon): "
+			      "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		if (s->seal_explicitly_set && !s->seal_required) {
+			DEBUG(CVE_2022_38023_warn_level, (
+			      "CVE-2022-38023: "
+			      "Option 'server schannel require seal:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		TALLOC_FREE(frame);
+		return s->result;
+	}
+
+	if (s->auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+		if (s->seal_required) {
+			s->result = NT_STATUS_ACCESS_DENIED;
+
+			if (s->seal_explicitly_set) {
+				dbg_lvl = DBGLVL_NOTICE;
+			} else {
+				dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+			}
+			if (s->schannel_explicitly_set && !s->schannel_required) {
+				dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_warn_level);
+			}
+
+			DEBUG(dbg_lvl, (
+			      "CVE-2022-38023: "
+			      "%s request (opnum[%u]) %s schannel from "
+			      "from client_account[%s] client_computer_name[%s] %s\n",
+			      opname, opnum, reason,
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name),
+			      nt_errstr(s->result)));
+			if (s->seal_explicitly_set) {
+				D_NOTICE("CVE-2022-38023: Option "
+					 "'server schannel require seal:%s = yes' "
+					 "rejects access for client.\n",
+					 log_escape(frame, creds->account_name));
+			} else {
+				DEBUG(CVE_2020_1472_error_level, (
+				      "CVE-2022-38023: Check if option "
+				      "'server schannel require seal:%s = no' "
+				      "might be needed for a legacy client.\n",
+				      log_escape(frame, creds->account_name)));
+			}
+			if (s->schannel_explicitly_set && !s->schannel_required) {
+				DEBUG(CVE_2020_1472_warn_level, (
+				      "CVE-2020-1472(ZeroLogon): Option "
+				      "'server require schannel:%s = no' "
+				      "not needed for '%s'!\n",
+				      log_escape(frame, creds->account_name),
+				      log_escape(frame, creds->computer_name)));
+			}
+			TALLOC_FREE(frame);
+			return s->result;
+		}
+
+		s->result = NT_STATUS_OK;
+
+		if (s->schannel_explicitly_set && !s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_warn_level);
+		} else if (!s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		}
+		if (s->seal_explicitly_set && !s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+		} else if (!s->seal_required) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon): "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(s->result)));
+		if (s->schannel_explicitly_set && !s->schannel_required) {
+			DEBUG(CVE_2020_1472_warn_level, (
+			      "CVE-2020-1472(ZeroLogon): "
+			      "Option 'server require schannel:%s = no' not needed for '%s'!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+		if (s->seal_explicitly_set && !s->seal_required) {
+			D_INFO("CVE-2022-38023: "
+			       "Option 'server schannel require seal:%s = no' still needed for '%s'!\n",
+			       log_escape(frame, creds->account_name),
+			       log_escape(frame, creds->computer_name));
+		} else if (!s->seal_required) {
+			/*
+			 * admins should set
+			 * server schannel require seal:COMPUTER$ = no
+			 * in order to avoid the level 0 messages.
+			 * Over time they can switch the global value
+			 * to be strict.
+			 */
+			DEBUG(CVE_2022_38023_error_level, (
+			      "CVE-2022-38023: "
+			      "Please use 'server schannel require seal:%s = no' "
+			      "for '%s' to avoid this warning!\n",
+			      log_escape(frame, creds->account_name),
+			      log_escape(frame, creds->computer_name)));
+		}
+
+		TALLOC_FREE(frame);
+		return s->result;
+	}
+
+	if (s->seal_required) {
+		s->result = NT_STATUS_ACCESS_DENIED;
+
+		if (s->seal_explicitly_set) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+		} else {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+		}
+		if (!s->schannel_explicitly_set) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+		} else if (s->schannel_required) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "from client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(s->result)));
+		if (s->seal_explicitly_set) {
+			D_NOTICE("CVE-2022-38023: Option "
+			         "'server schannel require seal:%s = yes' "
+			         "rejects access for client.\n",
+			         log_escape(frame, creds->account_name));
+		} else {
+			DEBUG(CVE_2022_38023_error_level, (
+			      "CVE-2022-38023: Check if option "
+			      "'server schannel require seal:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		}
+		if (!s->schannel_explicitly_set) {
+			DEBUG(CVE_2020_1472_error_level, (
+			      "CVE-2020-1472(ZeroLogon): Check if option "
+			      "'server require schannel:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		} else if (s->schannel_required) {
+			D_NOTICE("CVE-2022-38023: Option "
+			         "'server require schannel:%s = yes' "
+			         "also rejects access for client.\n",
+			         log_escape(frame, creds->account_name));
+		}
+		TALLOC_FREE(frame);
+		return s->result;
+	}
+
+	if (s->schannel_required) {
+		s->result = NT_STATUS_ACCESS_DENIED;
+
+		if (s->schannel_explicitly_set) {
+			dbg_lvl = MIN(dbg_lvl, DBGLVL_NOTICE);
+		} else {
+			dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+		}
+		if (!s->seal_explicitly_set) {
+			dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+		}
+
+		DEBUG(dbg_lvl, (
+		      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+		      "%s request (opnum[%u]) %s schannel from "
+		      "client_account[%s] client_computer_name[%s] %s\n",
+		      opname, opnum, reason,
+		      log_escape(frame, creds->account_name),
+		      log_escape(frame, creds->computer_name),
+		      nt_errstr(s->result)));
+		if (s->schannel_explicitly_set) {
+			D_NOTICE("CVE-2020-1472(ZeroLogon): Option "
+				"'server require schannel:%s = yes' "
+				"rejects access for client.\n",
+				log_escape(frame, creds->account_name));
+		} else {
+			DEBUG(CVE_2020_1472_error_level, (
+			      "CVE-2020-1472(ZeroLogon): Check if option "
+			      "'server require schannel:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		}
+		if (!s->seal_explicitly_set) {
+			DEBUG(CVE_2022_38023_error_level, (
+			      "CVE-2022-38023: Check if option "
+			      "'server schannel require seal:%s = no' "
+			      "might be needed for a legacy client.\n",
+			      log_escape(frame, creds->account_name)));
+		}
+		TALLOC_FREE(frame);
+		return s->result;
+	}
+
+	s->result = NT_STATUS_OK;
+
+	if (s->seal_explicitly_set) {
+		dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+	} else {
+		dbg_lvl = MIN(dbg_lvl, CVE_2022_38023_error_level);
+	}
+
+	if (s->schannel_explicitly_set) {
+		dbg_lvl = MIN(dbg_lvl, DBGLVL_INFO);
+	} else {
+		dbg_lvl = MIN(dbg_lvl, CVE_2020_1472_error_level);
+	}
+
+	DEBUG(dbg_lvl, (
+	      "CVE-2020-1472(ZeroLogon)/CVE-2022-38023: "
+	      "%s request (opnum[%u]) %s schannel from "
+	      "client_account[%s] client_computer_name[%s] %s\n",
+	      opname, opnum, reason,
+	      log_escape(frame, creds->account_name),
+	      log_escape(frame, creds->computer_name),
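Review bot: in the seal-required branch for signed-only schannel, the fallback message `DEBUG(CVE_2020_1472_error_level, (` / `"CVE-2022-38023: Check if option "` / `"'server schannel require seal:%s = no' "` is logged at the CVE-2020-1472 level although it is a CVE-2022-38023 message, while the identical text in the no-schannel branch later in the function uses `CVE_2022_38023_error_level`; suggest switching the first to `CVE_2022_38023_error_level` so the `CVE_2022_38023:error_debug_level` parametric option controls every CVE-2022-38023 message consistently. Two of the format strings, both in seal-required paths, read `"%s schannel from " "from client_account[%s] client_computer_name[%s] %s\n"` and will print "from from"; the other call sites have a single "from". Minor: the `D_NOTICE("CVE-2022-38023: Option " "'server require schannel:%s = yes' " "also rejects access for client.\n"` line tags a 'server require schannel' message with the CVE-2022-38023 prefix, whereas every other message about that option uses the CVE-2020-1472(ZeroLogon) prefix.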


-- 
Samba Shared Repository
