The branch, v4-11-stable has been updated
       via  ef64fc24b31 VERSION: Disable GIT_SNAPSHOT for the 4.11.13 release.
       via  e7dd032e320 WHATSNEW: Add release notes for Samba 4.11.13.
       via  db344db0efb CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge
       via  337e4da4daa CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd
       via  572a41b24e7 CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT'
       via  86c54d3a270 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations
       via  615cc75074b CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
       via  5ee9480a898 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
       via  c836fc24b9c CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations
       via  92d7e9f7f92 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"
       via  f867164dc57 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()
       via  0da2f3e2455 CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
       via  d5926ad40ff CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Fix mem leak onto p->mem_ctx in error path of _netr_ServerPasswordSet2().
       via  9b174d71541 CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords
       via  fd05519caa2 CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()
       via  13185dd8356 CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values
       via  35277995d39 CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
       via  a71bc6c974d CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of netlogon_creds_random_challenge()
       via  f7b0e7a6dde CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c
       via  691d854c141 CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge()
       via  6941fa1ff83 CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge()
       via  7cfb6f6db61 VERSION: Bump version up to 4.11.13...
      from  1bd81cac381 VERSION: Disable GIT_SNAPSHOT for the 4.11.12 release.
https://git.samba.org/?p=samba.git;a=shortlog;h=v4-11-stable

- Log -----------------------------------------------------------------
commit ef64fc24b31f057bd344e7135d32732c8b3057e2
Author: Karolin Seeger <ksee...@samba.org>
Date:   Fri Sep 18 12:58:56 2020 +0200

    VERSION: Disable GIT_SNAPSHOT for the 4.11.13 release.

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit e7dd032e320ae47d48b1062b7baa09dfe19a5967
Author: Karolin Seeger <ksee...@samba.org>
Date:   Fri Sep 18 12:56:10 2020 +0200

    WHATSNEW: Add release notes for Samba 4.11.13.

    CVE-2020-1472: Samba impact of "ZeroLogon".

    Signed-off-by: Karolin Seeger <ksee...@samba.org>

commit db344db0efb0eff16211e6bb7dbf02501278c890
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Fri Sep 18 15:57:34 2020 +1200

    CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in client challenge

    Ensure that client challenges with the first 5 bytes identical are rejected.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>

    [abart...@samba.org: backported from master as test order was flipped]

commit 337e4da4daa564f90bfcde1bd8a30cb269fd54a9
Author: Gary Lockyer <g...@catalyst.net.nz>
Date:   Fri Sep 18 12:39:54 2020 +1200

    CVE-2020-1472(ZeroLogon): s4 torture rpc: Test empty machine acct pwd

    Ensure that an empty machine account password can't be set by
    netr_ServerPasswordSet2

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Gary Lockyer <g...@catalyst.net.nz>

commit 572a41b24e7cb1b7d52f4021e0fef257cc0563eb
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Sep 17 17:27:54 2020 +0200

    CVE-2020-1472(ZeroLogon): docs-xml: document 'server require schannel:COMPUTERACCOUNT'

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 86c54d3a270ab984bfc7c7c0cc334210ed7956ce
Author: Günther Deschner <g...@samba.org>
Date:   Thu Sep 17 14:42:52 2020 +0200

    CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: log warnings about unsecure configurations

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Günther Deschner <g...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 615cc75074b0f51734da261dc9b57ad209780e13
Author: Günther Deschner <g...@samba.org>
Date:   Thu Sep 17 14:23:16 2020 +0200

    CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"

    This allows adding exceptions for individual workstations, when using
    "server schannel = yes".

    "server schannel = auto" is very insecure and will be removed soon.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Günther Deschner <g...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 5ee9480a89860d6906710fac39067e7d9db14feb
Author: Günther Deschner <g...@samba.org>
Date:   Thu Sep 17 14:57:22 2020 +0200

    CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()

    We should debug more details about the failing request.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Günther Deschner <g...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit c836fc24b9c11752581ac9d314ecdde80588aba2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Thu Sep 17 13:37:26 2020 +0200

    CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: log warnings about unsecure configurations

    This should give admins warnings until they have a secure configuration.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>
    Reviewed-by: Ralph Boehme <s...@samba.org>
    Reviewed-by: Günther Deschner <g...@samba.org>

commit 92d7e9f7f92f1ff225cd52fb24242a0f5d8f1d3d
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 10:56:53 2020 +0200

    CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: support "server require schannel:WORKSTATION$ = no"

    This allows adding exceptions for individual workstations, when using
    "server schannel = yes".

    "server schannel = auto" is very insecure and will be removed soon.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit f867164dc57b85c3c69b08be51c64aa430a23b2e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 10:18:45 2020 +0200

    CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: refactor dcesrv_netr_creds_server_step_check()

    We should debug more details about the failing request.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 0da2f3e2455999cc30761a40715a1f1a88e1b725
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Sep 16 12:53:50 2020 -0700

    CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Pair-Programmed-With: Stefan Metzmacher <me...@samba.org>

    Signed-off-by: Jeremy Allison <j...@samba.org>
    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit d5926ad40ffc31a9b0f6e2cb66d47aa58e1e5e4e
Author: Jeremy Allison <j...@samba.org>
Date:   Wed Sep 16 12:48:21 2020 -0700

    CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Fix mem leak onto p->mem_ctx in error path of _netr_ServerPasswordSet2().

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Jeremy Allison <j...@samba.org>

    [dbagn...@samba.org, abart...@samba.org: adapt for indentation changes]

commit 9b174d71541ec60157c17938551d8c9b429e578f
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 19:20:25 2020 +0200

    CVE-2020-1472(ZeroLogon): s4:rpc_server/netlogon: protect netr_ServerPasswordSet2 against unencrypted passwords

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit fd05519caa2e738da317432371f42e4967514773
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 16:17:29 2020 +0200

    CVE-2020-1472(ZeroLogon): libcli/auth: reject weak client challenges in netlogon_creds_server_init()

    This implements the note from MS-NRPC 3.1.4.1 Session-Key Negotiation:

      7. If none of the first 5 bytes of the client challenge is unique,
         the server MUST fail session-key negotiation without further
         processing of the following steps.

    It lets ./zerologon_tester.py from
    https://github.com/SecuraBV/CVE-2020-1472.git report:
    "Attack failed. Target is probably patched."

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 13185dd83563cc7927a511f5d2a4a56cc2186743
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 16:15:26 2020 +0200

    CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_is_random_challenge() to avoid weak values

    This is the check Windows is using, so we won't generate challenges,
    which are rejected by Windows DCs (and future Samba DCs).

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 35277995d3977c37509ef072e6b5cc785ceb7ee2
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 16:10:53 2020 +0200

    CVE-2020-1472(ZeroLogon): s4:rpc_server:netlogon: make use of netlogon_creds_random_challenge()

    This is not strictly needed, but makes things more clear.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit a71bc6c974db72fd3ef0a234fb9a0ef4fdc4d963
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 16:10:53 2020 +0200

    CVE-2020-1472(ZeroLogon): s3:rpc_server:netlogon: make use of netlogon_creds_random_challenge()

    This is not strictly needed, but makes things more clear.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit f7b0e7a6dde36bd6721c7f8d926dfdd0d70ba68e
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 16:08:38 2020 +0200

    CVE-2020-1472(ZeroLogon): libcli/auth: make use of netlogon_creds_random_challenge() in netlogon_creds_cli.c

    This will avoid getting rejected by the server if we generate a weak
    challenge.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 691d854c141cfe177f4c18ed045e38725504aaf3
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 16:07:30 2020 +0200

    CVE-2020-1472(ZeroLogon): s4:torture/rpc: make use of netlogon_creds_random_challenge()

    This will avoid getting flakey tests once our server starts to reject
    weak challenges.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497

    Signed-off-by: Stefan Metzmacher <me...@samba.org>

commit 6941fa1ff8336af0f77728aaf8162b59aa704988
Author: Stefan Metzmacher <me...@samba.org>
Date:   Wed Sep 16 16:04:57 2020 +0200

    CVE-2020-1472(ZeroLogon): libcli/auth: add netlogon_creds_random_challenge()

    It's good to have just a single isolated function that will generate
    random challenges; in future we can add some logic in order to avoid
    weak values, which are likely to be rejected by a server.

    BUG: https://bugzilla.samba.org/show_bug.cgi?id=14497
Signed-off-by: Stefan Metzmacher <me...@samba.org> ----------------------------------------------------------------------- Summary of changes: VERSION | 2 +- WHATSNEW.txt | 107 +++++- docs-xml/smbdotconf/security/serverschannel.xml | 69 +++- libcli/auth/credentials.c | 44 +++ libcli/auth/netlogon_creds_cli.c | 3 +- libcli/auth/proto.h | 4 + libcli/auth/wscript_build | 2 +- source3/rpc_server/netlogon/srv_netlog_nt.c | 212 +++++++++++- source4/rpc_server/netlogon/dcerpc_netlogon.c | 175 +++++++++- source4/torture/rpc/lsa.c | 2 +- source4/torture/rpc/netlogon.c | 433 ++++++++++++++++++++---- 11 files changed, 943 insertions(+), 110 deletions(-) Changeset truncated at 500 lines: diff --git a/VERSION b/VERSION index 78723f9b618..cd93dc7e95f 100644 --- a/VERSION +++ b/VERSION @@ -25,7 +25,7 @@ ######################################################## SAMBA_VERSION_MAJOR=4 SAMBA_VERSION_MINOR=11 -SAMBA_VERSION_RELEASE=12 +SAMBA_VERSION_RELEASE=13 ######################################################## # If a official release has a serious bug # diff --git a/WHATSNEW.txt b/WHATSNEW.txt index 80e5f32b1a0..76dc4cc0d5a 100644 --- a/WHATSNEW.txt +++ b/WHATSNEW.txt 
@@ -1,3 +1,106 @@ + =============================== + Release Notes for Samba 4.11.13 + September 18, 2020 + =============================== + + +This is a security release in order to address the following defect: + +o CVE-2020-1472: Unauthenticated domain takeover via netlogon ("ZeroLogon"). + +The following applies to Samba used as domain controller only (most +seriously the Active Directory DC, but also the classic/NT4-style DC). + +Installations running Samba as a file server only are not directly +affected by this flaw, though they may need configuration changes to +continue to talk to domain controllers (see "file servers and domain +members" below). + +The netlogon protocol contains a flaw that allows an authentication +bypass. This was reported and patched by Microsoft as CVE-2020-1472. +Since the bug is a protocol level flaw, and Samba implements the +protocol, Samba is also vulnerable. + +However, since version 4.8 (released in March 2018), the default +behaviour of Samba has been to insist on a secure netlogon channel, +which is a sufficient fix against the known exploits. This default is +equivalent to having 'server schannel = yes' in the smb.conf. + +Therefore versions 4.8 and above are not vulnerable unless they have +the smb.conf lines 'server schannel = no' or 'server schannel = auto'. + +Samba versions 4.7 and below are vulnerable unless they have 'server +schannel = yes' in the smb.conf. + +Note each domain controller needs the correct settings in its smb.conf. + +Vendors supporting Samba 4.7 and below are advised to patch their +installations and packages to add this line to the [global] section if +their smb.conf file. + +The 'server schannel = yes' smb.conf line is equivalent to Microsoft's +'FullSecureChannelProtection=1' registry key, the introduction of +which we understand forms the core of Microsoft's fix. + +Some domains employ third-party software that will not work with a +'server schannel = yes'. 
For these cases patches are available that +allow specific machines to use insecure netlogon. For example, the +following smb.conf: + + server schannel = yes + server require schannel:triceratops$ = no + server require schannel:greywacke$ = no + +will allow only "triceratops$" and "greywacke$" to avoid schannel. + +More details can be found here: +https://www.samba.org/samba/security/CVE-2020-1472.html + + +Changes since 4.11.12 +--------------------- + +o Jeremy Allison <j...@samba.org> + * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Protect + netr_ServerPasswordSet2 against unencrypted passwords. + +o Günther Deschner <g...@samba.org> + * BUG 14497: CVE-2020-1472(ZeroLogon): s3:rpc_server/netlogon: Support + "server require schannel:WORKSTATION$ = no" about unsecure configurations. + +o Gary Lockyer <g...@catalyst.net.nz> + * BUG 14497: CVE-2020-1472(ZeroLogon): s4 torture rpc: repeated bytes in + client challenge. + +o Stefan Metzmacher <me...@samba.org> + * BUG 14497: CVE-2020-1472(ZeroLogon): libcli/auth: Reject weak client + challenges in netlogon_creds_server_init() + "server require schannel:WORKSTATION$ = no". + + +####################################### +Reporting bugs & Development Discussion +####################################### + +Please discuss this release on the samba-technical mailing list or by +joining the #samba-technical IRC channel on irc.freenode.net. + +If you do report problems then please try to send high quality +feedback. If you don't provide vital information to help us track down +the problem then you will probably be ignored. All bug reports should +be filed under the "Samba 4.1 and newer" product in the project's Bugzilla +database (https://bugzilla.samba.org/). + + +====================================================================== +== Our Code, Our Bugs, Our Responsibility. 
+== The Samba Team +====================================================================== + + +Release notes for older releases follow: +---------------------------------------- + =============================== Release Notes for Samba 4.11.12 August 25, 2020 @@ -64,8 +167,8 @@ database (https://bugzilla.samba.org/). ====================================================================== -Release notes for older releases follow: ----------------------------------------- +---------------------------------------------------------------------- + =============================== Release Notes for Samba 4.11.11 diff --git a/docs-xml/smbdotconf/security/serverschannel.xml b/docs-xml/smbdotconf/security/serverschannel.xml index 489492d79b1..b682d086f76 100644 --- a/docs-xml/smbdotconf/security/serverschannel.xml +++ b/docs-xml/smbdotconf/security/serverschannel.xml 
@@ -7,26 +7,65 @@ <description> <para> - This option is deprecated with Samba 4.8 and will be removed in future. - At the same time the default changed to yes, which will be the - hardcoded behavior in future. If you have the need for the behavior of "auto" - to be kept, please file a bug at https://bugzilla.samba.org. + This option is deprecated and will be removed in future, + as it is a security problem if not set to "yes" (which will be + the hardcoded behavior in future). </para> <para> - This controls whether the server offers or even demands the use of the netlogon schannel. - <smbconfoption name="server schannel">no</smbconfoption> does not offer the schannel, <smbconfoption - name="server schannel">auto</smbconfoption> offers the schannel but does not enforce it, and <smbconfoption - name="server schannel">yes</smbconfoption> denies access if the client is not able to speak netlogon schannel. - This is only the case for Windows NT4 before SP4. - </para> - + Samba will complain in the log files at log level 0, + about the security problem if the option is not set to "yes". + </para> <para> - Please note that with this set to <literal>no</literal>, you will have to apply the WindowsXP - <filename>WinXP_SignOrSeal.reg</filename> registry patch found in the docs/registry subdirectory of the Samba distribution tarball. - </para> + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + </para> + + <para>If you still have legacy domain members use the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option. 
+ </para> + + <para>This option yields precedence to the <smbconfoption name="server require schannel:COMPUTERACCOUNT"/> option.</para> + </description> <value type="default">yes</value> -<value type="example">auto</value> +</samba:parameter> + +<samba:parameter name="server require schannel:COMPUTERACCOUNT" + context="G" + type="string" + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> +<description> + + <para>If you still have legacy domain members, which required "server schannel = auto" before, + it is possible to specify explicit expection per computer account + by using 'server require schannel:COMPUTERACCOUNT = no' as option. + Note that COMPUTERACCOUNT has to be the sAMAccountName value of + the computer account (including the trailing '$' sign). + </para> + + <para> + Samba will complain in the log files at log level 0, + about the security problem if the option is not set to "no", + but the related computer is actually using the netlogon + secure channel (schannel) feature. + </para> + + <para> + Samba will warn in the log files at log level 5, + if a setting is still needed for the specified computer account. + </para> + + <para> + See CVE-2020-1472(ZeroLogon) https://bugzilla.samba.org/show_bug.cgi?id=14497 + </para> + + <para>This option takes precedence to the <smbconfoption name="server schannel"/> option.</para> + + <programlisting> + server require schannel:LEGACYCOMPUTER1$ = no + server require schannel:NASBOX$ = no + server require schannel:LEGACYCOMPUTER2$ = no + </programlisting> +</description> + </samba:parameter> diff --git a/libcli/auth/credentials.c b/libcli/auth/credentials.c index 319dacdac0b..0ba1d95afd3 100644 --- a/libcli/auth/credentials.c +++ b/libcli/auth/credentials.c 
@@ -25,14 +25,43 @@ #include "../lib/crypto/crypto.h" #include "libcli/auth/libcli_auth.h" #include "../libcli/security/dom_sid.h" +#include "lib/util/util_str_escape.h" #include "lib/crypto/gnutls_helpers.h" #include <gnutls/gnutls.h> #include <gnutls/crypto.h> +bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge) +{ + /* + * If none of the first 5 bytes of the client challenge is unique, the + * server MUST fail session-key negotiation without further processing + * of the following steps. + */ + + if (challenge->data[1] == challenge->data[0] && + challenge->data[2] == challenge->data[0] && + challenge->data[3] == challenge->data[0] && + challenge->data[4] == challenge->data[0]) + { + return false; + } + + return true; +} + +void netlogon_creds_random_challenge(struct netr_Credential *challenge) +{ + ZERO_STRUCTP(challenge); + while (!netlogon_creds_is_random_challenge(challenge)) { + generate_random_buffer(challenge->data, sizeof(challenge->data)); + } +} + static void netlogon_creds_step_crypt(struct netlogon_creds_CredentialState *creds, const struct netr_Credential *in, struct netr_Credential *out) + { if (creds->negotiate_flags & NETLOGON_NEG_SUPPORTS_AES) { AES_KEY key; @@ -506,6 +535,7 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me { struct netlogon_creds_CredentialState *creds = talloc_zero(mem_ctx, struct netlogon_creds_CredentialState); + bool ok; if (!creds) { return NULL; 
@@ -518,6 +548,20 @@ struct netlogon_creds_CredentialState *netlogon_creds_server_init(TALLOC_CTX *me dump_data_pw("Server chall", server_challenge->data, sizeof(server_challenge->data)); dump_data_pw("Machine Pass", machine_password->hash, sizeof(machine_password->hash)); + ok = netlogon_creds_is_random_challenge(client_challenge); + if (!ok) { + DBG_WARNING("CVE-2020-1472(ZeroLogon): " + "non-random client challenge rejected for " + "client_account[%s] client_computer_name[%s]\n", + log_escape(mem_ctx, client_account), + log_escape(mem_ctx, client_computer_name)); + dump_data(DBGLVL_WARNING, + client_challenge->data, + sizeof(client_challenge->data)); + talloc_free(creds); + return NULL; + } + creds->computer_name = talloc_strdup(creds, client_computer_name); if (!creds->computer_name) { talloc_free(creds); diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 50a5f50a57d..0b31dc91b4b 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -1177,8 +1177,7 @@ static void netlogon_creds_cli_auth_challenge_start(struct tevent_req *req) TALLOC_FREE(state->creds); - generate_random_buffer(state->client_challenge.data, - sizeof(state->client_challenge.data)); + netlogon_creds_random_challenge(&state->client_challenge); subreq = dcerpc_netr_ServerReqChallenge_send(state, state->ev, state->binding_handle, diff --git a/libcli/auth/proto.h b/libcli/auth/proto.h index afd7f0d148d..51d5deaab2d 100644 --- a/libcli/auth/proto.h +++ b/libcli/auth/proto.h 
@@ -11,10 +11,14 @@ /* The following definitions come from /home/jeremy/src/samba/git/master/source3/../source4/../libcli/auth/credentials.c */ +bool netlogon_creds_is_random_challenge(const struct netr_Credential *challenge); +void netlogon_creds_random_challenge(struct netr_Credential *challenge); + void netlogon_creds_des_encrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); void netlogon_creds_des_decrypt_LMKey(struct netlogon_creds_CredentialState *creds, struct netr_LMSessionKey *key); void netlogon_creds_des_encrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); void netlogon_creds_des_decrypt(struct netlogon_creds_CredentialState *creds, struct samr_Password *pass); + NTSTATUS netlogon_creds_arcfour_crypt(struct netlogon_creds_CredentialState *creds, uint8_t *data, size_t len); diff --git a/libcli/auth/wscript_build b/libcli/auth/wscript_build index 04e2b09eadf..6f7d9a76404 100644 --- a/libcli/auth/wscript_build +++ b/libcli/auth/wscript_build @@ -18,7 +18,7 @@ bld.SAMBA_SUBSYSTEM('NTLM_CHECK', bld.SAMBA_SUBSYSTEM('LIBCLI_AUTH', source='credentials.c session.c smbencrypt.c smbdes.c', - public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS', + public_deps='MSRPC_PARSE gnutls GNUTLS_HELPERS util_str_escape', public_headers='credentials.h:domain_credentials.h' ) diff --git a/source3/rpc_server/netlogon/srv_netlog_nt.c b/source3/rpc_server/netlogon/srv_netlog_nt.c index c9aaa90cbb9..3221ebaa2e2 100644 --- a/source3/rpc_server/netlogon/srv_netlog_nt.c +++ b/source3/rpc_server/netlogon/srv_netlog_nt.c @@ -47,6 +47,7 @@ #include "../lib/tsocket/tsocket.h" #include "lib/param/param.h" #include "libsmb/dsgetdcname.h" +#include "lib/util/util_str_escape.h" extern userdom_struct current_user_info; 
@@ -839,8 +840,7 @@ NTSTATUS _netr_ServerReqChallenge(struct pipes_struct *p, pipe_state->client_challenge = *r->in.credentials; - generate_random_buffer(pipe_state->server_challenge.data, - sizeof(pipe_state->server_challenge.data)); + netlogon_creds_random_challenge(&pipe_state->server_challenge); *r->out.return_credentials = pipe_state->server_challenge; @@ -1072,20 +1072,25 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, { NTSTATUS status; bool schannel_global_required = (lp_server_schannel() == true) ? true:false; + bool schannel_required = schannel_global_required; + const char *explicit_opt = NULL; struct loadparm_context *lp_ctx; + struct netlogon_creds_CredentialState *creds = NULL; + enum dcerpc_AuthType auth_type = DCERPC_AUTH_TYPE_NONE; + uint16_t opnum = p->opnum; + const char *opname = "<unknown>"; + static bool warned_global_once = false; if (creds_out != NULL) { *creds_out = NULL; } - if (schannel_global_required) { - if (p->auth.auth_type != DCERPC_AUTH_TYPE_SCHANNEL) { - DBG_ERR("[%s] is not using schannel\n", - computer_name); - return NT_STATUS_ACCESS_DENIED; - } + if (opnum < ndr_table_netlogon.num_calls) { + opname = ndr_table_netlogon.calls[opnum].name; } + auth_type = p->auth.auth_type; + lp_ctx = loadparm_init_s3(mem_ctx, loadparm_s3_helpers()); if (lp_ctx == NULL) { DEBUG(0, ("loadparm_init_s3 failed\n")); 
@@ -1094,9 +1099,97 @@ static NTSTATUS netr_creds_server_step_check(struct pipes_struct *p, status = schannel_check_creds_state(mem_ctx, lp_ctx, computer_name, received_authenticator, - return_authenticator, creds_out); + return_authenticator, &creds); talloc_unlink(mem_ctx, lp_ctx); - return status; + + if (!NT_STATUS_IS_OK(status)) { + ZERO_STRUCTP(return_authenticator); + return status; + } + + /* + * We don't use lp_parm_bool(), as we + * need the explicit_opt pointer in order to + * adjust the debug messages. + */ + + explicit_opt = lp_parm_const_string(GLOBAL_SECTION_SNUM, + "server require schannel", + creds->account_name, + NULL); + if (explicit_opt != NULL) { + schannel_required = lp_bool(explicit_opt); + } + + if (schannel_required) { + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + *creds_out = creds; + return NT_STATUS_OK; + } + + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, + log_escape(mem_ctx, creds->account_name), + log_escape(mem_ctx, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " + "'server require schannel:%s = no' is needed! \n", + log_escape(mem_ctx, creds->account_name)); + TALLOC_FREE(creds); + ZERO_STRUCTP(return_authenticator); + return NT_STATUS_ACCESS_DENIED; + } + + if (!schannel_global_required && !warned_global_once) { + /* + * We want admins to notice their misconfiguration! 
+ */ + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Please configure 'server schannel = yes', " + "See https://bugzilla.samba.org/show_bug.cgi?id=14497\n"); + warned_global_once = true; + } + + if (auth_type == DCERPC_AUTH_TYPE_SCHANNEL) { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) WITH schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, + log_escape(mem_ctx, creds->account_name), + log_escape(mem_ctx, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' not needed!?\n", + log_escape(mem_ctx, creds->account_name)); + + *creds_out = creds; + return NT_STATUS_OK; + } + + if (explicit_opt != NULL) { + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, + log_escape(mem_ctx, creds->account_name), + log_escape(mem_ctx, creds->computer_name)); + DBG_INFO("CVE-2020-1472(ZeroLogon): " + "Option 'server require schannel:%s = no' still needed!\n", + log_escape(mem_ctx, creds->account_name)); + } else { + DBG_ERR("CVE-2020-1472(ZeroLogon): " + "%s request (opnum[%u]) without schannel from " + "client_account[%s] client_computer_name[%s]\n", + opname, opnum, + log_escape(mem_ctx, creds->account_name), + log_escape(mem_ctx, creds->computer_name)); + DBG_ERR("CVE-2020-1472(ZeroLogon): Check if option " + "'server require schannel:%s = no' might be needed!\n", + log_escape(mem_ctx, creds->account_name)); + } + + *creds_out = creds; + return NT_STATUS_OK; } @@ -1326,9 +1419,14 @@ NTSTATUS _netr_ServerPasswordSet2(struct pipes_struct *p, { NTSTATUS status; -- Samba Shared Repository
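Review bot: In the WHATSNEW.txt hunk, the Günther Deschner entry under "Changes since 4.11.12" runs two commit subjects into one sentence ('Support "server require schannel:WORKSTATION$ = no" about unsecure configurations'); the shortlog lists these as two commits (support for the option, and "log warnings about unsecure configurations"), so split the entry into two bullets. In the same hunk, "add this line to the [global] section if their smb.conf file" should read "of their smb.conf file", and "will not work with a 'server schannel = yes'" has a stray article.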
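Review bot: In the serverschannel.xml hunk the new "server require schannel:COMPUTERACCOUNT" description has a typo ("expection" for "exception") and "takes precedence to" should be "takes precedence over". More importantly, the sentence "Samba will complain ... if the option is not set to "no", but the related computer is actually using the netlogon secure channel" is inverted relative to the code in srv_netlog_nt.c, which logs the "Option 'server require schannel:%s = no' not needed!?" error when the requirement has been lifted and the client nevertheless authenticates with schannel; reword it to "if the option is set to "no" but the computer is actually using schannel".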
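Review bot: The credentials.c hunk carries an unrelated whitespace change, a blank line inserted between the parameter list and the opening brace of netlogon_creds_step_crypt(); drop it from a security backport. netlogon_creds_is_random_challenge() implements MS-NRPC 3.1.4.1 step 7 literally (reject when data[1..4] all equal data[0]), which matches the commit message, but a comment stating that only the first five of the eight challenge bytes are examined would help readers. In netlogon_creds_server_init() the rejection is placed after the dump_data_pw() calls for the challenges and machine password; moving the check above those dumps means a rejected negotiation leaves less sensitive material in verbose logs.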
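Review bot: The proto.h hunk adds a stray empty line after netlogon_creds_des_decrypt() in addition to the two new prototypes; it is unrelated noise and should be dropped.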
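Review bot: In netr_creds_server_step_check() the per-account value is passed straight to lp_bool(explicit_opt) with no validation; please confirm what lp_bool() returns for a string it cannot parse, because if it returns false a typo such as "server require schannel:HOST$ = nope" would silently lift the requirement for that account (fail open) rather than be rejected. In the non-required branch, the "Option 'server require schannel:%s = no' not needed!?" DBG_ERR is emitted whenever auth_type == DCERPC_AUTH_TYPE_SCHANNEL, including when explicit_opt is NULL and it was the global "server schannel" setting that lifted the requirement; guard that message on explicit_opt != NULL (or word it for the global case) so admins are not told to remove an option they never set. Minor: "is needed! \n" has a trailing space before the newline, and `static bool warned_global_once` is per process, so on the s3 server the global warning repeats once per forked smbd, which is probably intended but deserves a comment.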
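The patch above makes the netlogon server emit "CVE-2020-1472(ZeroLogon)" tagged messages that tell an administrator, per machine account, whether the secure channel is in use and whether a "server require schannel:ACCOUNT$ = no" exception is denied, still needed, stale, or about to become necessary. The following script is an added example, not part of the Samba patch or project: it parses those message formats (taken from the DBG_ERR/DBG_INFO strings in the srv_netlog_nt.c and credentials.c hunks) out of a log and produces a per-account triage. The sample log lines, account names, computer names and opnums are constructed for the example and do not come from any real system.

```python
"""Triage Samba log output for the CVE-2020-1472 (ZeroLogon) warnings added in
Samba 4.11.13 and summarise, per machine account, whether the netlogon secure
channel is used and which 'server require schannel' exceptions are needed."""
import re
from collections import defaultdict

# Constructed sample log lines modelled on the format strings in the patch.
# Account names, computer names and opnum values are invented for the example.
SAMPLE_LOG = """\
CVE-2020-1472(ZeroLogon): Please configure 'server schannel = yes', See https://bugzilla.samba.org/show_bug.cgi?id=14497
CVE-2020-1472(ZeroLogon): netr_LogonSamLogonEx request (opnum[39]) without schannel from client_account[NASBOX$] client_computer_name[nasbox]
CVE-2020-1472(ZeroLogon): Check if option 'server require schannel:NASBOX$ = no' might be needed!
CVE-2020-1472(ZeroLogon): netr_LogonSamLogonEx request (opnum[39]) WITH schannel from client_account[LEGACYPC1$] client_computer_name[legacypc1]
CVE-2020-1472(ZeroLogon): Option 'server require schannel:LEGACYPC1$ = no' not needed!?
CVE-2020-1472(ZeroLogon): netr_ServerPasswordSet2 request (opnum[30]) without schannel from client_account[OLDNAS$] client_computer_name[oldnas]
CVE-2020-1472(ZeroLogon): Option 'server require schannel:OLDNAS$ = no' still needed!
CVE-2020-1472(ZeroLogon): netr_LogonSamLogonEx request (opnum[39]) without schannel from client_account[WS17$] client_computer_name[ws17]
CVE-2020-1472(ZeroLogon): Check if option 'server require schannel:WS17$ = no' is needed! 
CVE-2020-1472(ZeroLogon): non-random client challenge rejected for client_account[WS17$] client_computer_name[ws17]
CVE-2020-1472(ZeroLogon): non-random client challenge rejected for client_account[WS17$] client_computer_name[ws17]
"""

# Patterns follow the DBG_ERR/DBG_INFO format strings in the patch.
REQUEST_RE = re.compile(
    r"ZeroLogon\): (?P<op>\S+) request \(opnum\[\d+\]\) (?P<mode>without|WITH) schannel "
    r"from client_account\[(?P<account>[^\]]*)\] client_computer_name\[(?P<computer>[^\]]*)\]"
)
OPTION_RE = re.compile(
    r"ZeroLogon\): (?:Check if option|Option) 'server require schannel:(?P<account>[^']*) = no' "
    r"(?P<verdict>is needed|might be needed|still needed|not needed)"
)
CHALLENGE_RE = re.compile(
    r"ZeroLogon\): non-random client challenge rejected for "
    r"client_account\[(?P<account>[^\]]*)\] client_computer_name\[(?P<computer>[^\]]*)\]"
)
GLOBAL_RE = re.compile(r"ZeroLogon\): Please configure 'server schannel = yes'")

# What each server verdict means for the administrator, most severe first.
VERDICT_ORDER = ["is needed", "might be needed", "still needed", "not needed"]
VERDICT_ADVICE = {
    "is needed": "DENIED: client does not use schannel and the server requires it; "
                 "fix the client, add the per-account exception only if it cannot be updated",
    "might be needed": "WARNING: 'server schannel' is not 'yes' and this client does not use "
                       "schannel; it will be denied once the global setting is corrected",
    "still needed": "EXCEPTION IN USE: client still does not use schannel; keep the exception "
                    "until the device is fixed or replaced",
    "not needed": "EXCEPTION STALE: client now uses schannel; remove its "
                  "'server require schannel:... = no' line",
}


def new_record():
    return {"without": 0, "with": 0, "rejected_challenges": 0,
            "computers": set(), "ops": set(), "verdicts": set()}


def triage(log_text):
    """Return (global_warning_seen, {account: record}) for the lines in log_text."""
    accounts = defaultdict(new_record)
    global_warning = False
    for line in log_text.splitlines():
        if GLOBAL_RE.search(line):
            global_warning = True
            continue
        m = REQUEST_RE.search(line)
        if m:
            rec = accounts[m["account"]]
            rec["with" if m["mode"] == "WITH" else "without"] += 1
            rec["computers"].add(m["computer"])
            rec["ops"].add(m["op"])
            continue
        m = OPTION_RE.search(line)
        if m:
            accounts[m["account"]]["verdicts"].add(m["verdict"])
            continue
        m = CHALLENGE_RE.search(line)
        if m:
            rec = accounts[m["account"]]
            rec["rejected_challenges"] += 1
            rec["computers"].add(m["computer"])
    return global_warning, dict(accounts)


def advice_for(record):
    """Translate a record's verdicts into administrator advice, most severe first."""
    lines = [VERDICT_ADVICE[v] for v in VERDICT_ORDER if v in record["verdicts"]]
    if record["rejected_challenges"]:
        lines.append(f"{record['rejected_challenges']} client challenge(s) rejected as "
                     "non-random (MS-NRPC 3.1.4.1 step 7): investigate this host")
    return lines


def report(log_text):
    """Render the triage as text, global misconfiguration first."""
    global_warning, accounts = triage(log_text)
    out = []
    if global_warning:
        out.append("GLOBAL: 'server schannel' is not 'yes' on this DC; fix this first")
    for account in sorted(accounts):
        rec = accounts[account]
        out.append(f"{account} ({', '.join(sorted(rec['computers']))}): "
                   f"{rec['without']} request(s) without schannel, {rec['with']} with schannel")
        out.extend("  " + a for a in advice_for(rec))
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_LOG))
```

Feed it real output with `python3 triage.py < log.smbd` after changing the `__main__` block to read `sys.stdin`; the regexes ignore the timestamp and source-file header lines Samba prefixes to each message, so no pre-filtering is needed.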