From: Stefan Metzmacher
Date: Mon, 5 Dec 2022 20:45:08 +0000 (+0100)
Subject: CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos...
X-Git-Tag: samba-4.15.13~55
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e2ac180984e36f54999e970eafb0f05ed90b0fd4;p=thirdparty%2Fsamba.git
CVE-2022-37966 libcli/auth: let netlogon_creds_cli_warn_options() about "kerberos encryption types=legacy"
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237
Signed-off-by: Stefan Metzmacher
Reviewed-by: Andrew Bartlett
Reviewed-by: Ralph Boehme
(cherry picked from commit 0248907e34945153ff2be62dc11d75c956a05932)
[abartlet@samba.org Added missing loadparm to netlogon_creds_cli]
---
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c
index df5f8a0fbfa..617e0ab6530 100644
--- a/libcli/auth/netlogon_creds_cli.c
+++ b/libcli/auth/netlogon_creds_cli.c
@@ -39,6 +39,7 @@
 #include "libds/common/roles.h"
 #include "lib/crypto/md4.h"
 #include "auth/credentials/credentials.h"
+#include "lib/param/loadparm.h"
 
 struct netlogon_creds_cli_locked_state;
 
@@ -268,10 +269,12 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 	bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
 	int global_client_schannel = lpcfg_client_schannel(lp_ctx);
 	bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+	int global_kerberos_enctypes = lpcfg_kerberos_encryption_types(lp_ctx);
 	static bool warned_global_reject_md5_servers = false;
 	static bool warned_global_require_strong_key = false;
 	static bool warned_global_client_schannel = false;
 	static bool warned_global_seal_secure_channel = false;
+	static bool warned_global_kerberos_encryption_types = false;
 	static int warned_global_pid = 0;
 	int current_pid = getpid();
 
@@ -280,6 +283,7 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 		warned_global_require_strong_key = false;
 		warned_global_client_schannel = false;
 		warned_global_seal_secure_channel = false;
+		warned_global_kerberos_encryption_types = false;
 		warned_global_pid = current_pid;
 	}
 
@@ -322,6 +326,18 @@ void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
 			"See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
 		warned_global_seal_secure_channel = true;
 	}
+
+	if (global_kerberos_enctypes == KERBEROS_ETYPES_LEGACY &&
+	    !warned_global_kerberos_encryption_types)
+	{
+		/*
+		 * We want admins to notice their misconfiguration!
+		 */
+		DBG_ERR("CVE-2022-37966: "
+			"Please void 'kerberos encryption types = legacy', "
+			"See https://bugzilla.samba.org/show_bug.cgi?id=15237\n");
+		warned_global_kerberos_encryption_types = true;
+	}
 }
 
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
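Review bot: The new DBG_ERR text in the legacy-enctypes branch of the last hunk reads `"Please void 'kerberos encryption types = legacy', "`, which drops the "a" of "avoid"; since this is the line an administrator is expected to act on, it should read `"Please avoid 'kerberos encryption types = legacy', "`. The warn-once flag, its reset on PID change and the literal format string all follow the pattern of the existing options, so the message wording is the only thing I would change here. The comparison relies on `KERBEROS_ETYPES_LEGACY`, which is presumably supplied by the newly included lib/param/loadparm.h (first hunk) — that header is not shown, so worth confirming the constant lives there rather than in a header this file already pulled in. netlogon_creds_cli_warn_options() begins before this hunk; only its tail is visible.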