1 | From 513bd34e4523e49e742487be32a7239111486a12 Mon Sep 17 00:00:00 2001 |
2 | From: Stefan Metzmacher <metze@samba.org> | |
3 | Date: Sat, 27 Feb 2016 03:43:58 +0100 | |
4 | Subject: [PATCH 1/4] CVE-2016-2115: docs-xml: add "client ipc signing" option | |
5 | ||
6 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 | |
7 | ||
8 | Signed-off-by: Stefan Metzmacher <metze@samba.org> | |
9 | Reviewed-by: Ralph Boehme <slow@samba.org> | |
10 | --- | |
11 | docs-xml/smbdotconf/security/clientipcsigning.xml | 23 +++++++++++++++++++++++ | |
12 | docs-xml/smbdotconf/security/clientsigning.xml | 3 +++ | |
13 | source3/include/proto.h | 1 + | |
14 | source3/param/loadparm.c | 12 ++++++++++++ | |
15 | 4 files changed, 39 insertions(+) | |
16 | create mode 100644 docs-xml/smbdotconf/security/clientipcsigning.xml | |
17 | ||
18 | diff --git a/docs-xml/smbdotconf/security/clientipcsigning.xml b/docs-xml/smbdotconf/security/clientipcsigning.xml | |
19 | new file mode 100644 | |
20 | index 0000000..1897fc6 | |
21 | --- /dev/null | |
22 | +++ b/docs-xml/smbdotconf/security/clientipcsigning.xml | |
23 | @@ -0,0 +1,23 @@ | |
24 | +<samba:parameter name="client ipc signing" | |
25 | + context="G" | |
26 | + type="enum" | |
27 | + enumlist="enum_smb_signing_vals" | |
28 | + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | |
29 | +<description> | |
30 | + <para>This controls whether the client is allowed or required to use SMB signing for IPC$ | |
31 | + connections as DCERPC transport inside of winbind. Possible values | |
32 | + are <emphasis>auto</emphasis>, <emphasis>mandatory</emphasis> | |
33 | + and <emphasis>disabled</emphasis>. | |
34 | + </para> | |
35 | + | |
36 | + <para>When set to auto, SMB signing is offered, but not enforced and if set | |
37 | + to disabled, SMB signing is not offered either.</para> | |
38 | + | |
39 | + <para>Connections from winbindd to Active Directory Domain Controllers | |
40 | + always enforce signing.</para> | |
41 | +</description> | |
42 | + | |
43 | +<related>client signing</related> | |
44 | + | |
45 | +<value type="default">mandatory</value> | |
46 | +</samba:parameter> | |
47 | diff --git a/docs-xml/smbdotconf/security/clientsigning.xml b/docs-xml/smbdotconf/security/clientsigning.xml | |
48 | index c657e05..189a7ae 100644 | |
49 | --- a/docs-xml/smbdotconf/security/clientsigning.xml | |
50 | +++ b/docs-xml/smbdotconf/security/clientsigning.xml | |
51 | @@ -12,6 +12,9 @@ | |
52 | <para>When set to auto, SMB signing is offered, but not enforced. | |
53 | When set to mandatory, SMB signing is required and if set | |
54 | to disabled, SMB signing is not offered either. | |
55 | + | |
56 | + <para>IPC$ connections for DCERPC e.g. in winbindd, are handled by the | |
57 | + <smbconfoption name="client ipc signing"/> option.</para> | |
58 | </para> | |
59 | </description> | |
60 | ||
61 | diff --git a/source3/include/proto.h b/source3/include/proto.h | |
62 | index 43008ea..af950aa 100644 | |
63 | --- a/source3/include/proto.h | |
64 | +++ b/source3/include/proto.h | |
65 | @@ -1693,6 +1693,7 @@ const char **lp_winbind_nss_info(void); | |
66 | int lp_algorithmic_rid_base(void); | |
67 | int lp_name_cache_timeout(void); | |
68 | int lp_client_signing(void); | |
69 | +int lp_client_ipc_signing(void); | |
70 | int lp_server_signing(void); | |
71 | int lp_client_ldap_sasl_wrapping(void); | |
72 | char *lp_parm_talloc_string(int snum, const char *type, const char *option, const char *def); | |
73 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
74 | index c5249b7..a612e5a3 100644 | |
75 | --- a/source3/param/loadparm.c | |
76 | +++ b/source3/param/loadparm.c | |
77 | @@ -366,6 +366,7 @@ struct global { | |
78 | int restrict_anonymous; | |
79 | int name_cache_timeout; | |
80 | int client_signing; | |
81 | + int client_ipc_signing; | |
82 | int server_signing; | |
83 | int client_ldap_sasl_wrapping; | |
84 | int iUsershareMaxShares; | |
85 | @@ -2319,6 +2320,15 @@ static struct parm_struct parm_table[] = { | |
86 | .flags = FLAG_ADVANCED, | |
87 | }, | |
88 | { | |
89 | + .label = "client ipc signing", | |
90 | + .type = P_ENUM, | |
91 | + .p_class = P_GLOBAL, | |
92 | + .ptr = &Globals.client_ipc_signing, | |
93 | + .special = NULL, | |
94 | + .enum_list = enum_smb_signing_vals, | |
95 | + .flags = FLAG_ADVANCED, | |
96 | + }, | |
97 | + { | |
98 | .label = "server signing", | |
99 | .type = P_ENUM, | |
100 | .p_class = P_GLOBAL, | |
101 | @@ -5470,6 +5480,7 @@ static void init_globals(bool reinit_globals) | |
102 | Globals.bClientUseSpnego = True; | |
103 | ||
104 | Globals.client_signing = Auto; | |
105 | + Globals.client_ipc_signing = Required; | |
106 | Globals.server_signing = False; | |
107 | ||
108 | Globals.bDeferSharingViolations = True; | |
109 | @@ -6071,6 +6082,7 @@ FN_GLOBAL_LIST(lp_winbind_nss_info, &Globals.szWinbindNssInfo) | |
110 | FN_GLOBAL_INTEGER(lp_algorithmic_rid_base, &Globals.AlgorithmicRidBase) | |
111 | FN_GLOBAL_INTEGER(lp_name_cache_timeout, &Globals.name_cache_timeout) | |
112 | FN_GLOBAL_INTEGER(lp_client_signing, &Globals.client_signing) | |
113 | +FN_GLOBAL_INTEGER(lp_client_ipc_signing, &Globals.client_ipc_signing) | |
114 | FN_GLOBAL_INTEGER(lp_server_signing, &Globals.server_signing) | |
115 | FN_GLOBAL_INTEGER(lp_client_ldap_sasl_wrapping, &Globals.client_ldap_sasl_wrapping) | |
116 | ||
117 | -- | |
118 | 2.8.1 | |
119 | ||
120 | ||
121 | From 633fcce5f7f488738ef8f45393aa8990e01118f4 Mon Sep 17 00:00:00 2001 | |
122 | From: Andreas Schneider <asn@samba.org> | |
123 | Date: Tue, 5 Apr 2016 10:46:53 +0200 | |
124 | Subject: [PATCH 2/4] CVE-2016-2115: s3: Use lp_client_ipc_signing() if we are | |
125 | not an smb client | |
126 | ||
127 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 | |
128 | ||
129 | Pair-Programmed-With: Ralph Boehme <slow@samba.org> | |
130 | Signed-off-by: Andreas Schneider <asn@samba.org> | |
131 | Signed-off-by: Ralph Boehme <slow@samba.org> | |
132 | --- | |
133 | source3/param/loadparm.c | 14 ++++++++++++++ | |
134 | source3/rpc_server/spoolss/srv_spoolss_nt.c | 2 +- | |
135 | 2 files changed, 15 insertions(+), 1 deletion(-) | |
136 | ||
137 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
138 | index a612e5a3..c58f860 100644 | |
139 | --- a/source3/param/loadparm.c | |
140 | +++ b/source3/param/loadparm.c | |
141 | @@ -9712,6 +9712,20 @@ static bool lp_load_ex(const char *pszFname, | |
142 | lp_do_parameter(GLOBAL_SECTION_SNUM, "wins server", "127.0.0.1"); | |
143 | } | |
144 | ||
145 | + if (!lp_is_in_client()) { | |
146 | + switch (lp_client_ipc_signing()) { | |
147 | + case Required: | |
148 | + lp_set_cmdline("client signing", "mandatory"); | |
149 | + break; | |
150 | + case Auto: | |
151 | + lp_set_cmdline("client signing", "auto"); | |
152 | + break; | |
153 | + case False: | |
154 | + lp_set_cmdline("client signing", "disabled"); | |
155 | + break; | |
156 | + } | |
157 | + } | |
158 | + | |
159 | init_iconv(); | |
160 | ||
161 | bAllowIncludeRegistry = true; | |
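Review bot: The switch on lp_client_ipc_signing() has no default branch, so any value of enum_smb_signing_vals other than Required/Auto/False leaves "client signing" untouched and the daemon silently keeps whatever smb.conf set, and the bool returned by lp_set_cmdline() is discarded on all three arms. A `default: DEBUG(0, ("lp_load_ex: unexpected 'client ipc signing' value %d\n", lp_client_ipc_signing())); break;` makes that gap visible, and the three return values deserve at least a check. If lp_set_cmdline() pins the parameter the way a command-line override does (not visible here), an explicit "client signing" line in the daemon's smb.conf or a later reload presumably no longer takes effect; that deserves a one-line comment above the block such as `/* In daemons the IPC$ signing policy comes from "client ipc signing" and overrides "client signing". */`. lp_load_ex begins before this hunk.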
162 | diff --git a/source3/rpc_server/spoolss/srv_spoolss_nt.c b/source3/rpc_server/spoolss/srv_spoolss_nt.c | |
163 | index 181a7b5..a0fcf27 100644 | |
164 | --- a/source3/rpc_server/spoolss/srv_spoolss_nt.c | |
165 | +++ b/source3/rpc_server/spoolss/srv_spoolss_nt.c | |
166 | @@ -2480,7 +2480,7 @@ static bool spoolss_connect_to_client(struct rpc_pipe_client **pp_pipe, | |
167 | "", /* username */ | |
168 | "", /* domain */ | |
169 | "", /* password */ | |
170 | - 0, lp_client_signing()); | |
171 | + 0, False); | |
172 | ||
173 | if ( !NT_STATUS_IS_OK( ret ) ) { | |
174 | DEBUG(2,("spoolss_connect_to_client: connection to [%s] failed!\n", | |
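Review bot: The bare `False` passed as the signing argument reads as a boolean but is actually the "disabled" member of the signing enum that lp_client_signing() used to return, and nothing in the hunk says why the notify callback to the print client is now always unsigned. The line should carry the reason inline, e.g. `0, False /* no SMB signing towards print clients; see "client ipc signing" */`, with the justification adjusted to whatever the real one is (presumably to keep the callback independent of the daemon-wide IPC$ policy introduced in this series — confirm). spoolss_connect_to_client starts outside the hunk.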
175 | -- | |
176 | 2.8.1 | |
177 | ||
178 | ||
179 | From e319838866bdd3f5f1602b441516d07a1171ab24 Mon Sep 17 00:00:00 2001 | |
180 | From: Ralph Boehme <slow@samba.org> | |
181 | Date: Thu, 31 Mar 2016 11:30:03 +0200 | |
182 | Subject: [PATCH 3/4] CVE-2016-2115: s3/param: pick up s4 option "winbind | |
183 | sealed pipes" | |
184 | ||
185 | This will be used in the next commit to prevent mitm attacks on lsa, | |
186 | samr and netlogon in winbindd. | |
187 | ||
188 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11756 | |
189 | ||
190 | Signed-off-by: Ralph Boehme <slow@samba.org> | |
191 | Reviewed-by: Stefan Metzmacher <metze@samba.org> | |
192 | Reviewed-by: Andreas Schneider <asn@samba.org> | |
193 | --- | |
194 | docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | 15 +++++++++++++++ | |
195 | source3/include/proto.h | 1 + | |
196 | source3/param/loadparm.c | 12 ++++++++++++ | |
197 | 3 files changed, 28 insertions(+) | |
198 | create mode 100644 docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | |
199 | ||
200 | diff --git a/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | |
201 | new file mode 100644 | |
202 | index 0000000..016ac9b | |
203 | --- /dev/null | |
204 | +++ b/docs-xml/smbdotconf/winbind/winbindsealedpipes.xml | |
205 | @@ -0,0 +1,15 @@ | |
206 | +<samba:parameter name="winbind sealed pipes" | |
207 | + context="G" | |
208 | + type="boolean" | |
209 | + xmlns:samba="http://www.samba.org/samba/DTD/samba-doc"> | |
210 | +<description> | |
211 | + <para>This option controls whether any requests from winbindd to domain controllers | |
212 | + pipe will be sealed. Disabling sealing can be useful for debugging | |
213 | + purposes.</para> | |
214 | + | |
215 | + <para>The behavior can be controlled per netbios domain | |
216 | + by using 'winbind sealed pipes:NETBIOSDOMAIN = no' as option.</para> | |
217 | +</description> | |
218 | + | |
219 | +<value type="default">yes</value> | |
220 | +</samba:parameter> | |
221 | diff --git a/source3/include/proto.h b/source3/include/proto.h | |
222 | index af950aa..ac1540f 100644 | |
223 | --- a/source3/include/proto.h | |
224 | +++ b/source3/include/proto.h | |
225 | @@ -1690,6 +1690,7 @@ int lp_winbind_cache_time(void); | |
226 | int lp_winbind_reconnect_delay(void); | |
227 | int lp_winbind_max_clients(void); | |
228 | const char **lp_winbind_nss_info(void); | |
229 | +bool lp_winbind_sealed_pipes(void); | |
230 | int lp_algorithmic_rid_base(void); | |
231 | int lp_name_cache_timeout(void); | |
232 | int lp_client_signing(void); | |
233 | diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c | |
234 | index c58f860..fdc9407 100644 | |
235 | --- a/source3/param/loadparm.c | |
236 | +++ b/source3/param/loadparm.c | |
237 | @@ -215,6 +215,7 @@ struct global { | |
238 | int winbind_expand_groups; | |
239 | bool bWinbindRefreshTickets; | |
240 | bool bWinbindOfflineLogon; | |
241 | + bool bWinbindSealedPipes; | |
242 | bool bWinbindNormalizeNames; | |
243 | bool bWinbindRpcOnly; | |
244 | bool bCreateKrb5Conf; | |
245 | @@ -4775,6 +4776,15 @@ static struct parm_struct parm_table[] = { | |
246 | .flags = FLAG_ADVANCED, | |
247 | }, | |
248 | { | |
249 | + .label = "winbind sealed pipes", | |
250 | + .type = P_BOOL, | |
251 | + .p_class = P_GLOBAL, | |
252 | + .ptr = &Globals.bWinbindSealedPipes, | |
253 | + .special = NULL, | |
254 | + .enum_list = NULL, | |
255 | + .flags = FLAG_ADVANCED, | |
256 | + }, | |
257 | + { | |
258 | .label = "winbind normalize names", | |
259 | .type = P_BOOL, | |
260 | .p_class = P_GLOBAL, | |
261 | @@ -5468,6 +5478,7 @@ static void init_globals(bool reinit_globals) | |
262 | Globals.szWinbindNssInfo = str_list_make_v3(NULL, "template", NULL); | |
263 | Globals.bWinbindRefreshTickets = False; | |
264 | Globals.bWinbindOfflineLogon = False; | |
265 | + Globals.bWinbindSealedPipes = True; | |
266 | ||
267 | Globals.iIdmapCacheTime = 86400 * 7; /* a week by default */ | |
268 | Globals.iIdmapNegativeCacheTime = 120; /* 2 minutes by default */ | |
269 | @@ -5747,6 +5758,7 @@ FN_GLOBAL_BOOL(lp_winbind_nested_groups, &Globals.bWinbindNestedGroups) | |
270 | FN_GLOBAL_INTEGER(lp_winbind_expand_groups, &Globals.winbind_expand_groups) | |
271 | FN_GLOBAL_BOOL(lp_winbind_refresh_tickets, &Globals.bWinbindRefreshTickets) | |
272 | FN_GLOBAL_BOOL(lp_winbind_offline_logon, &Globals.bWinbindOfflineLogon) | |
273 | +FN_GLOBAL_BOOL(lp_winbind_sealed_pipes, &Globals.bWinbindSealedPipes) | |
274 | FN_GLOBAL_BOOL(lp_winbind_normalize_names, &Globals.bWinbindNormalizeNames) | |
275 | FN_GLOBAL_BOOL(lp_winbind_rpc_only, &Globals.bWinbindRpcOnly) | |
276 | FN_GLOBAL_BOOL(lp_create_krb5_conf, &Globals.bCreateKrb5Conf) | |
277 | -- | |
278 | 2.8.1 | |
279 | ||
280 | ||
281 | From b47d8644e6a826f01dae3911fc510a7b2ff60273 Mon Sep 17 00:00:00 2001 | |
282 | From: Andrew Bartlett <abartlet@samba.org> | |
283 | Date: Fri, 5 Sep 2014 17:00:31 +1200 | |
284 | Subject: [PATCH 4/4] CVE-2016-2115: winbindd: Do not make anonymous | |
285 | connections by default | |
286 | ||
287 | The requirement is that we have "winbind sealed pipes = false" and | |
288 | "require strong key = false" before we make anonymous connections. | |
289 | These are a security risk as we cannot prevent MITM attacks. | |
290 | ||
291 | BUG: https://bugzilla.samba.org/show_bug.cgi?id=11796 | |
292 | ||
293 | Signed-off-by: Andrew Bartlett <abartlet@samba.org> | |
294 | Reviewed-by: Stefan Metzmacher <metze@samba.org> | |
295 | (backported from commit e2cd3257141bd4a88cda1fff5bde9df60b253a97) | |
296 | --- | |
297 | source3/winbindd/winbindd_cm.c | 32 +++++++++++++++++++++++++++++++- | |
298 | 1 file changed, 31 insertions(+), 1 deletion(-) | |
299 | ||
300 | diff --git a/source3/winbindd/winbindd_cm.c b/source3/winbindd/winbindd_cm.c | |
301 | index 8271279..50a341e 100644 | |
302 | --- a/source3/winbindd/winbindd_cm.c | |
303 | +++ b/source3/winbindd/winbindd_cm.c | |
304 | @@ -2384,6 +2384,15 @@ NTSTATUS cm_connect_sam(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, | |
305 | TALLOC_FREE(conn->samr_pipe); | |
306 | ||
307 | anonymous: | |
308 | + if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { | |
309 | + status = NT_STATUS_DOWNGRADE_DETECTED; | |
310 | + DEBUG(1, ("Unwilling to make SAMR connection to domain %s " | |
311 | + "without connection level security, " | |
312 | + "must set 'winbind sealed pipes = false' " | |
313 | + "to proceed: %s\n", | |
314 | + domain->name, nt_errstr(status))); | |
315 | + goto done; | |
316 | + } | |
317 | ||
318 | /* Finally fall back to anonymous. */ | |
319 | status = cli_rpc_pipe_open_noauth(conn->cli, &ndr_table_samr.syntax_id, | |
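Review bot: The condition consults only lp_winbind_sealed_pipes(), while the commit message says anonymous fallback also requires "require strong key = false" and the new winbindsealedpipes.xml advertises a per-domain override `winbind sealed pipes:NETBIOSDOMAIN = no`; neither is honoured by this check as far as the hunk shows. If the per-domain form is meant to work, the guard should read the parametric option with the global as default, `if (lp_parm_bool(-1, "winbind sealed pipes", domain->name, lp_winbind_sealed_pipes()) && (IS_DC || domain->primary)) {`, and the commit message (or the code) should be brought in line on "require strong key". Note the check only protects the primary domain and DCs; trusted domains on a member server still fall through to cli_rpc_pipe_open_noauth() below, which is worth a comment if deliberate. cm_connect_sam begins and ends outside the hunk.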
320 | @@ -2610,6 +2619,16 @@ NTSTATUS cm_connect_lsa(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, | |
321 | ||
322 | anonymous: | |
323 | ||
324 | + if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { | |
325 | + result = NT_STATUS_DOWNGRADE_DETECTED; | |
326 | + DEBUG(1, ("Unwilling to make LSA connection to domain %s " | |
327 | + "without connection level security, " | |
328 | + "must set 'winbind sealed pipes = false' " | |
329 | + "to proceed: %s\n", | |
330 | + domain->name, nt_errstr(result))); | |
331 | + goto done; | |
332 | + } | |
333 | + | |
334 | result = cli_rpc_pipe_open_noauth(conn->cli, | |
335 | &ndr_table_lsarpc.syntax_id, | |
336 | &conn->lsa_pipe); | |
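Review bot: This is the second of three copies of the same policy check and DEBUG text in this file (SAMR above, NETLOGON below), differing only in the pipe name and in how the failure is unwound, which invites the copies to drift. A small static helper that evaluates the condition and logs once would let each call site shrink to a guard plus its own cleanup, as sketched below. cm_connect_lsa begins and ends outside the hunk.
```c
/* Refuse an unauthenticated RPC pipe to our own or the primary domain unless
 * the admin has explicitly opted out with "winbind sealed pipes = false". */
static bool cm_anonymous_pipe_allowed(const struct winbindd_domain *domain,
				      const char *pipe_name)
{
	if (!lp_winbind_sealed_pipes() || !(IS_DC || domain->primary)) {
		return true;
	}
	DEBUG(1, ("Unwilling to make %s connection to domain %s "
		  "without connection level security, "
		  "must set 'winbind sealed pipes = false' "
		  "to proceed: %s\n", pipe_name, domain->name,
		  nt_errstr(NT_STATUS_DOWNGRADE_DETECTED)));
	return false;
}

/* … unchanged: cm_connect_lsa up to the anonymous: label … */
	if (!cm_anonymous_pipe_allowed(domain, "LSA")) {
		result = NT_STATUS_DOWNGRADE_DETECTED;
		goto done;
	}
```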
337 | @@ -2749,7 +2768,18 @@ NTSTATUS cm_connect_netlogon(struct winbindd_domain *domain, | |
338 | ||
339 | no_schannel: | |
340 | if ((lp_client_schannel() == False) || | |
341 | - ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { | |
342 | + ((neg_flags & NETLOGON_NEG_SCHANNEL) == 0)) { | |
343 | + if (lp_winbind_sealed_pipes() && (IS_DC || domain->primary)) { | |
344 | + result = NT_STATUS_DOWNGRADE_DETECTED; | |
345 | + DEBUG(1, ("Unwilling to make connection to domain %s " | |
346 | + "without connection level security, " | |
347 | + "must set 'winbind sealed pipes = false' " | |
348 | + "to proceed: %s\n", | |
349 | + domain->name, nt_errstr(result))); | |
350 | + TALLOC_FREE(netlogon_pipe); | |
351 | + invalidate_cm_connection(conn); | |
352 | + return result; | |
353 | + } | |
354 | /* | |
355 | * NetSamLogonEx only works for schannel | |
356 | */ | |
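Review bot: The log line here drops the pipe name that the SAMR and LSA variants carry, so an admin sees only "Unwilling to make connection to domain", and should read `"Unwilling to make NETLOGON connection to domain %s "`. This path also unwinds with `TALLOC_FREE(netlogon_pipe); invalidate_cm_connection(conn);` where the SAMR/LSA copies `goto done`; if `done:` in cm_connect_netlogon does not perform the same teardown that asymmetry deserves a comment, otherwise the three sites should use one idiom. Trusted domains on a member server are not covered by `IS_DC || domain->primary` and still proceed without schannel; state that explicitly if it is intended. The first `+` line is a whitespace-only reindent, and cm_connect_netlogon begins and ends outside the hunk.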
357 | -- | |
358 | 2.8.1 | |
359 |