git.ipfire.org Git - thirdparty/samba.git/commit

author	Andrew Bartlett <abartlet@samba.org>
	Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)
committer	Jule Anger <janger@samba.org>
	Mon, 9 Oct 2023 20:16:08 +0000 (22:16 +0200)
commit	51bc79f85a8d63ed5428c2975f60094157dda2e5
tree	dd0435866f00cf2ace4bdf810885ff9e11e18746	tree \| snapshot
parent	d4d49635247ab4bc580899d7c5fb54484b806225	commit \| diff

CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

source3/rpc_server/rpcd_classic.c		diff \| blob \| blame \| history
source3/rpc_server/rpcd_epmapper.c		diff \| blob \| blame \| history
source3/rpc_server/rpcd_lsad.c		diff \| blob \| blame \| history
source3/rpc_server/rpcd_rpcecho.c		diff \| blob \| blame \| history