The branch, v4-11-stable has been updated
via ef64fc24b31 VERSION: Disable GIT_SNAPSHOT for the 4.11.13 release.
via e7dd032e320 WHATSNEW: Add release notes for Samba 4.11.13.
via db344db0efb CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated
bytes in client challenge
via 337e4da4daa CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty
machine acct pwd
via 572a41b24e7 CVE-2020-1472(ZeroLogon): docs-xml: document 'server
require schannel:COMPUTERACCOUNT'
via 86c54d3a270 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log
warnings about unsecure configurations
via 615cc75074b CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
support "server require schannel:WORKSTATION$ = no"
via 5ee9480a898 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
refactor dcesrv_netr_creds_server_step_check()
via c836fc24b9c CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log
warnings about unsecure configurations
via 92d7e9f7f92 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
support "server require schannel:WORKSTATION$ = no"
via f867164dc57 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
refactor dcesrv_netr_creds_server_step_check()
via 0da2f3e2455 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon:
protect netr_ServerPasswordSet2 against unencrypted passwords
via d5926ad40ff CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Fix
mem leak onto p->mem_ctx in error path of _netr_ServerPasswordSet2().
via 9b174d71541 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon:
protect netr_ServerPasswordSet2 against unencrypted passwords
via fd05519caa2 CVE-2020-1472(ZeroLogon): libcli/auth: reject weak
client challenges in netlogon_creds_server_init()
via 13185dd8356 CVE-2020-1472(ZeroLogon): libcli/auth: add
netlogon_creds_is_random_challenge() to avoid weak values
via 35277995d39 CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make
use of netlogon_creds_random_challenge()
via a71bc6c974d CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make
use of netlogon_creds_random_challenge()
via f7b0e7a6dde CVE-2020-1472(ZeroLogon): libcli/auth: make use of
netlogon_creds_random_challenge() in netlogon_creds_cli.c
via 691d854c141 CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
netlogon_creds_random_challenge()
via 6941fa1ff83 CVE-2020-1472(ZeroLogon): libcli/auth: add
netlogon_creds_random_challenge()
via 7cfb6f6db61 VERSION: Bump version up to 4.11.13...
from 1bd81cac381 VERSION: Disable GIT_SNAPSHOT for the 4.11.12 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable
- Log -----------------------------------------------------------------
commit ef64fc24b31f057bd344e7135d32732c8b3057e2
Author: Karolin Seeger <ksee...@samba.org>
Date: Fri Sep 18 12:58:56 2020 +0200
VERSION: Disable GIT_SNAPSHOT for the 4.11.13 release.
Signed-off-by: Karolin Seeger <ksee...@samba.org>
commit e7dd032e320ae47d48b1062b7baa09dfe19a5967
Author: Karolin Seeger <ksee...@samba.org>
Date: Fri Sep 18 12:56:10 2020 +0200
WHATSNEW: Add release notes for Samba 4.11.13.
CVE-2020-1472: Samba impact of "ZeroLogon".
Signed-off-by: Karolin Seeger <ksee...@samba.org>
commit db344db0efb0eff16211e6bb7dbf02501278c890
Author: Gary Lockyer <g...@catalyst.net.nz>
Date: Fri Sep 18 15:57:34 2020 +1200
CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge
Ensure that client challenges with the first 5 bytes identical are
rejected.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
[abart...@samba.org: backported from master as test order was flipped]
commit 337e4da4daa564f90bfcde1bd8a30cb269fd54a9
Author: Gary Lockyer <g...@catalyst.net.nz>
Date: Fri Sep 18 12:39:54 2020 +1200
CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd
Ensure that an empty machine account password can't be set by
netr_ServerPasswordSet2
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>
commit 572a41b24e7cb1b7d52f4021e0fef257cc0563eb
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Sep 17 17:27:54 2020 +0200
CVE-2020-1472(ZeroLogon): docs-xml: document 'server require
schannel:COMPUTERACCOUNT'
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 86c54d3a270ab984bfc7c7c0cc334210ed7956ce
Author: Günther Deschner <g...@samba.org>
Date: Thu Sep 17 14:42:52 2020 +0200
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about
unsecure configurations
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
Signed-off-by: Günther Deschner <g...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 615cc75074b0f51734da261dc9b57ad209780e13
Author: Günther Deschner <g...@samba.org>
Date: Thu Sep 17 14:23:16 2020 +0200
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require
schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using
"server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
Signed-off-by: Günther Deschner <g...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 5ee9480a89860d6906710fac39067e7d9db14feb
Author: Günther Deschner <g...@samba.org>
Date: Thu Sep 17 14:57:22 2020 +0200
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor
dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
Signed-off-by: Günther Deschner <g...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit c836fc24b9c11752581ac9d314ecdde80588aba2
Author: Stefan Metzmacher <me...@samba.org>
Date: Thu Sep 17 13:37:26 2020 +0200
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about
unsecure configurations
This should give admins wawrnings until they have a secure
configuration.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
Reviewed-by: Ralph Boehme <s...@samba.org>
Reviewed-by: Günther Deschner <g...@samba.org>
commit 92d7e9f7f92f1ff225cd52fb24242a0f5d8f1d3d
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 10:56:53 2020 +0200
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require
schannel:WORKSTATION$ = no"
This allows to add expections for individual workstations, when using
"server schannel = yes".
"server schannel = auto" is very insecure and will be removed soon.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit f867164dc57b85c3c69b08be51c64aa430a23b2e
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 10:18:45 2020 +0200
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor
dcesrv_netr_creds_server_step_check()
We should debug more details about the failing request.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 0da2f3e2455999cc30761a40715a1f1a88e1b725
Author: Jeremy Allison <j...@samba.org>
Date: Wed Sep 16 12:53:50 2020 -0700
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect
netr_ServerPasswordSet2 against unencrypted passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>
Signed-off-by: Jeremy Allison <j...@samba.org>
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit d5926ad40ffc31a9b0f6e2cb66d47aa58e1e5e4e
Author: Jeremy Allison <j...@samba.org>
Date: Wed Sep 16 12:48:21 2020 -0700
CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Fix mem leak onto
p->mem_ctx in error path of _netr_ServerPasswordSet2().
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Jeremy Allison <j...@samba.org>
[dbagn...@samba.org, abart...@samba.org: adapt for indentation
changes]
commit 9b174d71541ec60157c17938551d8c9b429e578f
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 19:20:25 2020 +0200
CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect
netr_ServerPasswordSet2 against unencrypted passwords
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit fd05519caa2e738da317432371f42e4967514773
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 16:17:29 2020 +0200
CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in
netlogon_creds_server_init()
This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:
7. If none of the first 5 bytes of the client challenge is unique, the
server MUST fail session-key negotiation without further processing of
the following steps.
It lets ./zerologon_tester.py from
https://github.com/SecuraBV/CVE-2020-1472.git
report: "Attack failed. Target is probably patched."
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 13185dd83563cc7927a511f5d2a4a56cc2186743
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 16:15:26 2020 +0200
CVE-2020-1472(ZeroLogon): libcli/auth: add
netlogon_creds_is_random_challenge() to avoid weak values
This is the check Windows is using, so we won't generate challenges,
which are rejected by Windows DCs (and future Samba DCs).
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 35277995d3977c37509ef072e6b5cc785ceb7ee2
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 16:10:53 2020 +0200
CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of
netlogon_creds_random_challenge()
This is not strictly needed, but makes things more clear.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit a71bc6c974db72fd3ef0a234fb9a0ef4fdc4d963
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 16:10:53 2020 +0200
CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of
netlogon_creds_random_challenge()
This is not strictly needed, but makes things more clear.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit f7b0e7a6dde36bd6721c7f8d926dfdd0d70ba68e
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 16:08:38 2020 +0200
CVE-2020-1472(ZeroLogon): libcli/auth: make use of
netlogon_creds_random_challenge() in netlogon_creds_cli.c
This will avoid getting rejected by the server if we generate
a weak challenge.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 691d854c141cfe177f4c18ed045e38725504aaf3
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 16:07:30 2020 +0200
CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of
netlogon_creds_random_challenge()
This will avoid getting flakey tests once our server starts to
reject weak challenges.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
commit 6941fa1ff8336af0f77728aaf8162b59aa704988
Author: Stefan Metzmacher <me...@samba.org>
Date: Wed Sep 16 16:04:57 2020 +0200
CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge()
It's good to have just a single isolated function that will generate
random challenges, in future we can add some logic in order to
avoid weak values, which are likely to be rejected by a server.
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org>
-----------------------------------------------------------------------
Summary of changes:
VERSION | 2 +-
WHATSNEW.txt | 107 +++++-
docs-xml/smbdotconf/security/serverschannel.xml | 69 +++-
libcli/auth/credentials.c | 44 +++
libcli/auth/netlogon_creds_cli.c | 3 +-
libcli/auth/proto.h | 4 +
libcli/auth/wscript_build | 2 +-
source3/rpc_server/netlogon/srv_netlog_nt.c | 212 +++++++++++-
source4/rpc_server/netlogon/dcerpc_netlogon.c | 175 +++++++++-
source4/torture/rpc/lsa.c | 2 +-
source4/torture/rpc/netlogon.c | 433 ++++++++++++++++++++----
11 files changed, 943 insertions(+), 110 deletions(-)
Changeset truncated at 500 lines:
diff --git a/VERSION b/VERSION
index 78723f9b618..cd93dc7e95f 100644
--- a/VERSION
+++ b/VERSION
@@ -25,7 +25,7 @@
########################################################
SAMBA_VERSION_MAJOR=4
SAMBA_VERSION_MINOR=11
-SAMBA_VERSION_RELEASE=12
+SAMBA_VERSION_RELEASE=13
########################################################
# If a official release has a serious bug #
diff --git a/WHATSNEW.txt b/WHATSNEW.txt
index 80e5f32b1a0..76dc4cc0d5a 100644
--- a/WHATSNEW.txt
+++ b/WHATSNEW.txt
@@ -1,3 +1,106 @@
+ ===============================
+ Release Notes for Samba 4.11.13
+ September 18, 2020
+ ===============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon").
+
+The following applies to Samba used as domain controller only (most
+seriously the Active Directory DC, but also the classic/NT4-style DC).
+
+Installations running Samba as a file server only are not directly
+affected by this flaw, though they may need configuration changes to
+continue to talk to domain controllers (see "file servers and domain
+members" below).
+
+The netlogon protocol contains a flaw that allows an authentication
+bypass. This was reported and patched by Microsoft as CVE-2020-1472.
+Since the bug is a protocol level flaw, and Samba implements the
+protocol, Samba is also vulnerable.
+
+However, since version 4.8 (released in March 2018), the default
+behaviour of Samba has been to insist on a secure netlogon channel,
+which is a sufficient fix against the known exploits. This default is
+equivalent to having 'server schannel = yes' in the smb.conf.
+
+Therefore versions 4.8 and above are not vulnerable unless they have
+the smb.conf lines 'server schannel = no' or 'server schannel = auto'.
+
+Samba versions 4.7 and below are vulnerable unless they have 'server
+schannel = yes' in the smb.conf.
+
+Note each domain controller needs the correct settings in its smb.conf.
+
+Vendors supporting Samba 4.7 and below are advised to patch their
+installations and packages to add this line to the [global] section if
+their smb.conf file.
+
+The 'server schannel = yes' smb.conf line is equivalent to Microsoft's
+'FullSecureChannelProtection=1' registry key, the introduction of
+which we understand forms the core of Microsoft's fix.
+
+Some domains employ third-party software that will not work with a
+'server schannel = yes'. For these cases patches are available that
+allow specific machines to use insecure netlogon. For example, the
+following smb.conf:
+
+ server schannel = yes
+ server require schannel:triceratops$ = no
+ server require schannel:greywacke$ = no
+
+will allow only "triceratops$" and "greywacke$" to avoid schannel.
+
+More details can be found here:
+https://www.samba.org/samba/security/CVE-2020-1472.html
+
+
+Changes since 4.11.12
+---------------------
+
+o Jeremy Allison <j...@samba.org>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect
+ netr_ServerPasswordSet2 against unencrypted passwords.
+
+o Günther Deschner <g...@samba.org>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support
+ "server require schannel:WORKSTATION$ = no" about unsecure configurations.
+
+o Gary Lockyer <g...@catalyst.net.nz>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in
+ client challenge.
+
+o Stefan Metzmacher <me...@samba.org>
+ * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client
+ challenges in netlogon_creds_server_init()
+ "server require schannel:WORKSTATION$ = no".
+
+
+#######################################
+Reporting bugs & Development Discussion
+#######################################
+
+Please discuss this release on the samba-technical mailing list or by
+joining the #samba-technical IRC channel on irc.freenode.net.
+
+If you do report problems then please try to send high quality
+feedback. If you don't provide vital information to help us track down
+the problem then you will probably be ignored. All bug reports should
+be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
+database (https://bugzilla.samba.org/).
+
+
+======================================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+======================================================================
+
+
+Release notes for older releases follow:
+----------------------------------------
+
===============================
Release Notes for Samba 4.11.12
August 25, 2020
@@ -64,8 +167,8 @@ database (https://bugzilla.samba.org/).
======================================================================
-Release notes for older releases follow:
-----------------------------------------
+----------------------------------------------------------------------
+
===============================
Release Notes for Samba 4.11.11
diff --git a/docs-xml/smbdotconf/security/serverschannel.xml
b/docs-xml/smbdotconf/security/serverschannel.xml
index 489492d79b1..b682d086f76 100644
--- a/docs-xml/smbdotconf/security/serverschannel.xml
+++ b/docs-xml/smbdotconf/security/serverschannel.xml
@@ -7,26 +7,65 @@
<description>
<para>
- This option is deprecated with Samba 4.8 and will be removed in future.
- At the same time the default changed to yes, which will be the
- hardcoded behavior in future. If you have the need for the behavior of
"auto"
- to be kept, please file a bug at https://bugzilla.samba.org.
+ This option is deprecated and will be removed in future,
+ as it is a security problem if not set to "yes" (which will be
+ the hardcoded behavior in future).
</para>
<para>
- This controls whether the server offers or even demands the use of the
netlogon schannel.
- <smbconfoption name="server schannel">no</smbconfoption> does not offer
the schannel, <smbconfoption
- name="server schannel">auto</smbconfoption> offers the schannel but
does not enforce it, and <smbconfoption
- name="server schannel">yes</smbconfoption> denies access if the client
is not able to speak netlogon schannel.
- This is only the case for Windows NT4 before SP4.
- </para>
-
+ Samba will complain in the log files at log level 0,
+ about the security problem if the option is not set to "yes".
+ </para>
<para>
- Please note that with this set to <literal>no</literal>, you will have
to apply the WindowsXP
- <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the
docs/registry subdirectory of the Samba distribution tarball.
- </para>
+ See CVE-2020-1472(ZeroLogon)
https://bugzilla.samba.org/show_bug.cgi?id=14497
+ </para>
+
+ <para>If you still have legacy domain members use the <smbconfoption
name="server require schannel:COMPUTERACCOUNT"/> option.
+ </para>
+
+ <para>This option yields precedence to the <smbconfoption name="server
require schannel:COMPUTERACCOUNT"/> option.</para>
+
</description>
<value type="default">yes</value>
-<value type="example">auto</value>
+</samba:parameter>
+
+<samba:parameter name="server require schannel:COMPUTERACCOUNT"
+ context="G"
+ type="string"
+ xmlns:samba="http://www.samba.org/samba/DTD/samba-doc";>
+<description>
+
+ <para>If you still have legacy domain members, which required "server
schannel = auto" before,
+ it is possible to specify explicit expection per computer account
+ by using 'server require schannel:COMPUTERACCOUNT = no' as option.
+ Note that COMPUTERACCOUNT has to be the sAMAccountName value of
+ the computer account (including the trailing '$' sign).
+ </para>
+
+ <para>
+ Samba will complain in the log files at log level 0,
+ about the security problem if the option is not set to "no",
+ but the related computer is actually using the netlogon
+ secure channel (schannel) feature.
+ </para>
+
+ <para>
+ Samba will warn in the log files at log level 5,
+ if a setting is still needed for the specified computer account.
+ </para>
+
+ <para>
+ See CVE-2020-1472(ZeroLogon)
https://bugzilla.samba.org/show_bug.cgi?id=14497
+ </para>
+
+ <para>This option takes precedence to the <smbconfoption name="server
schannel"/> option.</para>
+
+ <programlisting>
+ server require schannel:LEGACYCOMPUTER1$ = no
+ server require schannel:NASBOX$ = no
+ server require schannel:LEGACYCOMPUTER2$ = no
+ </programlisting>
+</description>
+
</samba:parameter>
diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c
index 319dacdac0b..0ba1d95afd3 100644
--- a/libcli/auth/credentials.c
+++ b/libcli/auth/credentials.c
@@ -25,14 +25,43 @@
#include "../lib/crypto/crypto.h"
#include "libcli/auth/libcli_auth.h"
#include "../libcli/security/dom_sid.h"
+#include "lib/util/util_str_escape.h"
#include "lib/crypto/gnutls_helpers.h"
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
+bool netlogon_creds_is_random_challenge(const struct netr_Credential
*challenge)
+{
+ /*
+ * If none of the first 5 bytes of the client challenge is unique, the
+ * server MUST fail session-key negotiation without further processing
+ * of the following steps.
+ */
+
+ if (challenge->data[1] == challenge->data[0] &&
+ challenge->data[2] == challenge->data[0] &&
+ challenge->data[3] == challenge->data[0] &&
+ challenge->data[4] == challenge->data[0])
+ {
+ return false;
+ }
+
+ return true;
+}
+
+void netlogon_creds_random_challenge(struct netr_Credential *challenge)
+{
+ ZERO_STRUCTP(challenge);
+ while (!netlogon_creds_is_random_challenge(challenge)) {
+ generate_random_buffer(challenge->data,
sizeof(challenge->data));
+ }
+}
+
static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState
*creds,
const struct netr_Credential *in,
struct netr_Credential *out)
+
{
if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) {
AES_KEY key;
@@ -506,6 +535,7 @@ struct netlogon_creds_CredentialState
*netlogon_creds_server_init(TALLOC_CTX *me
{
struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx,
struct netlogon_creds_CredentialState);
+ bool ok;
if (!creds) {
return NULL;
@@ -518,6 +548,20 @@ struct netlogon_creds_CredentialState
*netlogon_creds_server_init(TALLOC_CTX *me
dump_data_pw("Server chall", server_challenge->data,
sizeof(server_challenge->data));
dump_data_pw("Machine Pass", machine_password->hash,
sizeof(machine_password->hash));
+ ok = netlogon_creds_is_random_challenge(client_challenge);
+ if (!ok) {
+ DBG_WARNING("CVE-2020-1472(ZeroLogon): "
+ "non-random client challenge rejected for "
+ "client_account[%s] client_computer_name[%s]\n",
+ log_escape(mem_ctx, client_account),
+ log_escape(mem_ctx, client_computer_name));
+ dump_data(DBGLVL_WARNING,
+ client_challenge->data,
+ sizeof(client_challenge->data));
+ talloc_free(creds);
+ return NULL;
+ }
+
creds->computer_name = talloc_strdup(creds, client_computer_name);
if (!creds->computer_name) {
talloc_free(creds);
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index 50a5f50a57d..0b31dc91b4b 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -1177,8 +1177,7 @@ static void
netlogon_creds_cli_auth_challenge_start(struct tevent_req *req)
TALLOC_FREE(state->creds);
- generate_random_buffer(state->client_challenge.data,
- sizeof(state->client_challenge.data));
+ netlogon_creds_random_challenge(&state->client_challenge);
subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev,
state->binding_handle,
diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h
index afd7f0d148d..51d5deaab2d 100644
--- a/libcli/auth/proto.h
+++ b/libcli/auth/proto.h
@@ -11,10 +11,14 @@
/* The following definitions come from
/home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c
*/
+bool netlogon_creds_is_random_challenge(const struct netr_Credential
*challenge);
+void netlogon_creds_random_challenge(struct netr_Credential *challenge);
+
void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState
*creds, struct netr_LMSessionKey *key);
void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState
*creds, struct netr_LMSessionKey *key);
void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds,
struct samr_Password *pass);
void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds,
struct samr_Password *pass);
+
NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState
*creds,
uint8_t *data,
size_t len);
diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build
index 04e2b09eadf..6f7d9a76404 100644
--- a/libcli/auth/wscript_build
+++ b/libcli/auth/wscript_build
@@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK',
bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH',
source='credentials.c session.c smbencrypt.c smbdes.c',
- public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS',
+ public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape',
public_headers='credentials.h:domain_credentials.h'
)
diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c
b/source3/rpc_server/netlogon/srv_netlog_nt.c
index c9aaa90cbb9..3221ebaa2e2 100644
--- a/source3/rpc_server/netlogon/srv_netlog_nt.c
+++ b/source3/rpc_server/netlogon/srv_netlog_nt.c
@@ -47,6 +47,7 @@
#include "../lib/tsocket/tsocket.h"
#include "lib/param/param.h"
#include "libsmb/dsgetdcname.h"
+#include "lib/util/util_str_escape.h"
extern userdom_struct current_user_info;
@@ -839,8 +840,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p,
pipe_state->client_challenge = *r->in.credentials;
- generate_random_buffer(pipe_state->server_challenge.data,
- sizeof(pipe_state->server_challenge.data));
+ netlogon_creds_random_challenge(&pipe_state->server_challenge);
*r->out.return_credentials = pipe_state->server_challenge;
@@ -1072,20 +1072,25 @@ static NTSTATUS netr_creds_server_step_check(struct
pipes_struct *p,
{
NTSTATUS status;
bool schannel_global_required = (lp_server_schannel() == true) ?
true:false;
+ bool schannel_required = schannel_global_required;
+ const char *explicit_opt = NULL;
struct loadparm_context *lp_ctx;
+ struct netlogon_creds_CredentialState *creds = NULL;
+ enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE;
+ uint16_t opnum = p->opnum;
+ const char *opname = "<unknown>";
+ static bool warned_global_once = false;
if (creds_out != NULL) {
*creds_out = NULL;
}
- if (schannel_global_required) {
- if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) {
- DBG_ERR("[%s] is not using schannel\n",
- computer_name);
- return NT_STATUS_ACCESS_DENIED;
- }
+ if (opnum < ndr_table_netlogon.num_calls) {
+ opname = ndr_table_netlogon.calls[opnum].name;
}
+ auth_type = p->auth.auth_type;
+
lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers());
if (lp_ctx == NULL) {
DEBUG(0, ("loadparm_init_s3 failed\n"));
@@ -1094,9 +1099,97 @@ static NTSTATUS netr_creds_server_step_check(struct
pipes_struct *p,
status = schannel_check_creds_state(mem_ctx, lp_ctx,
computer_name,
received_authenticator,
- return_authenticator, creds_out);
+ return_authenticator, &creds);
talloc_unlink(mem_ctx, lp_ctx);
- return status;
+
+ if (!NT_STATUS_IS_OK(status)) {
+ ZERO_STRUCTP(return_authenticator);
+ return status;
+ }
+
+ /*
+ * We don't use lp_parm_bool(), as we
+ * need the explicit_opt pointer in order to
+ * adjust the debug messages.
+ */
+
+ explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM,
+ "server require schannel",
+ creds->account_name,
+ NULL);
+ if (explicit_opt != NULL) {
+ schannel_required = lp_bool(explicit_opt);
+ }
+
+ if (schannel_required) {
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ *creds_out = creds;
+ return NT_STATUS_OK;
+ }
+
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) without schannel from "
+ "client_account[%s] client_computer_name[%s]\n",
+ opname, opnum,
+ log_escape(mem_ctx, creds->account_name),
+ log_escape(mem_ctx, creds->computer_name));
+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
+ "'server require schannel:%s = no' is needed! \n",
+ log_escape(mem_ctx, creds->account_name));
+ TALLOC_FREE(creds);
+ ZERO_STRUCTP(return_authenticator);
+ return NT_STATUS_ACCESS_DENIED;
+ }
+
+ if (!schannel_global_required && !warned_global_once) {
+ /*
+ * We want admins to notice their misconfiguration!
+ */
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "Please configure 'server schannel = yes', "
+ "See
https://bugzilla.samba.org/show_bug.cgi?id=14497\n";);
+ warned_global_once = true;
+ }
+
+ if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) {
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) WITH schannel from "
+ "client_account[%s] client_computer_name[%s]\n",
+ opname, opnum,
+ log_escape(mem_ctx, creds->account_name),
+ log_escape(mem_ctx, creds->computer_name));
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "Option 'server require schannel:%s = no' not
needed!?\n",
+ log_escape(mem_ctx, creds->account_name));
+
+ *creds_out = creds;
+ return NT_STATUS_OK;
+ }
+
+ if (explicit_opt != NULL) {
+ DBG_INFO("CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) without schannel from "
+ "client_account[%s] client_computer_name[%s]\n",
+ opname, opnum,
+ log_escape(mem_ctx, creds->account_name),
+ log_escape(mem_ctx, creds->computer_name));
+ DBG_INFO("CVE-2020-1472(ZeroLogon): "
+ "Option 'server require schannel:%s = no' still
needed!\n",
+ log_escape(mem_ctx, creds->account_name));
+ } else {
+ DBG_ERR("CVE-2020-1472(ZeroLogon): "
+ "%s request (opnum[%u]) without schannel from "
+ "client_account[%s] client_computer_name[%s]\n",
+ opname, opnum,
+ log_escape(mem_ctx, creds->account_name),
+ log_escape(mem_ctx, creds->computer_name));
+ DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option "
+ "'server require schannel:%s = no' might be needed!\n",
+ log_escape(mem_ctx, creds->account_name));
+ }
+
+ *creds_out = creds;
+ return NT_STATUS_OK;
}
@@ -1326,9 +1419,14 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p,
{
NTSTATUS status;
--
Samba Shared Repository
