mirror of
https://github.com/openembedded/meta-openembedded.git
synced 2026-07-15 16:07:26 +00:00
samba: fix CVE-2023-0922
The Samba AD DC administration tool, when operating against a remote LDAP server, will by default send new or reset passwords over a signed-only connection. References: https://nvd.nist.gov/vuln/detail/CVE-2023-0922 Upstream patches: https://github.com/samba-team/samba/commit/04e5a7eb03a Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com> Signed-off-by: Armin Kuster <akuster808@gmail.com>
This commit is contained in:
committed by
Armin Kuster
parent
306837707c
commit
c5008af2c5
@@ -0,0 +1,111 @@
|
|||||||
|
From 04e5a7eb03a1e913f34d77b7b6c2353b41ef546a Mon Sep 17 00:00:00 2001
|
||||||
|
From: Rob van der Linde <rob@catalyst.net.nz>
|
||||||
|
Date: Mon, 27 Feb 2023 14:06:23 +1300
|
||||||
|
Subject: [PATCH] CVE-2023-0922 set default ldap client sasl wrapping to seal
|
||||||
|
|
||||||
|
This avoids sending new or reset passwords in the clear
|
||||||
|
(integrity protected only) from samba-tool in particular.
|
||||||
|
|
||||||
|
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15315
|
||||||
|
|
||||||
|
Signed-off-by: Rob van der Linde <rob@catalyst.net.nz>
|
||||||
|
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
|
||||||
|
Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz>
|
||||||
|
|
||||||
|
CVE: CVE-2023-0922
|
||||||
|
|
||||||
|
Upstream-Status: Backport [https://github.com/samba-team/samba/commit/04e5a7eb03a]
|
||||||
|
|
||||||
|
Signed-off-by: Archana Polampalli <archana.polampalli@windriver.com>
|
||||||
|
---
|
||||||
|
.../ldap/clientldapsaslwrapping.xml | 27 +++++++++----------
|
||||||
|
lib/param/loadparm.c | 2 +-
|
||||||
|
python/samba/tests/auth_log.py | 2 +-
|
||||||
|
source3/param/loadparm.c | 2 +-
|
||||||
|
4 files changed, 16 insertions(+), 17 deletions(-)
|
||||||
|
|
||||||
|
diff --git a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
|
||||||
|
index 3152f06..21bd209 100644
|
||||||
|
--- a/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
|
||||||
|
+++ b/docs-xml/smbdotconf/ldap/clientldapsaslwrapping.xml
|
||||||
|
@@ -18,25 +18,24 @@
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
- This option is needed in the case of Domain Controllers enforcing
|
||||||
|
- the usage of signed LDAP connections (e.g. Windows 2000 SP3 or higher).
|
||||||
|
- LDAP sign and seal can be controlled with the registry key
|
||||||
|
- "<literal>HKLM\System\CurrentControlSet\Services\</literal>
|
||||||
|
- <literal>NTDS\Parameters\LDAPServerIntegrity</literal>"
|
||||||
|
- on the Windows server side.
|
||||||
|
- </para>
|
||||||
|
+ This option is needed firstly to secure the privacy of
|
||||||
|
+ administrative connections from <command>samba-tool</command>,
|
||||||
|
+ including in particular new or reset passwords for users. For
|
||||||
|
+ this reason the default is <emphasis>seal</emphasis>.</para>
|
||||||
|
|
||||||
|
- <para>
|
||||||
|
- Depending on the used KRB5 library (MIT and older Heimdal versions)
|
||||||
|
- it is possible that the message "integrity only" is not supported.
|
||||||
|
- In this case, <emphasis>sign</emphasis> is just an alias for
|
||||||
|
- <emphasis>seal</emphasis>.
|
||||||
|
+ <para>Additionally, <command>winbindd</command> and the
|
||||||
|
+ <command>net</command> tool can use LDAP to communicate with
|
||||||
|
+ Domain Controllers, so this option also controls the level of
|
||||||
|
+ privacy for those connections. All supported AD DC versions
|
||||||
|
+ will enforce the usage of at least signed LDAP connections by
|
||||||
|
+ default, so a value of at least <emphasis>sign</emphasis> is
|
||||||
|
+ required in practice.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
- The default value is <emphasis>sign</emphasis>. That implies synchronizing the time
|
||||||
|
+ The default value is <emphasis>seal</emphasis>. That implies synchronizing the time
|
||||||
|
with the KDC in the case of using <emphasis>Kerberos</emphasis>.
|
||||||
|
</para>
|
||||||
|
</description>
|
||||||
|
-<value type="default">sign</value>
|
||||||
|
+<value type="default">seal</value>
|
||||||
|
</samba:parameter>
|
||||||
|
diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c
|
||||||
|
index 75687f5..d260691 100644
|
||||||
|
--- a/lib/param/loadparm.c
|
||||||
|
+++ b/lib/param/loadparm.c
|
||||||
|
@@ -2970,7 +2970,7 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
|
||||||
|
|
||||||
|
lpcfg_do_global_parameter(lp_ctx, "ldap debug threshold", "10");
|
||||||
|
|
||||||
|
- lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "sign");
|
||||||
|
+ lpcfg_do_global_parameter(lp_ctx, "client ldap sasl wrapping", "seal");
|
||||||
|
|
||||||
|
lpcfg_do_global_parameter(lp_ctx, "mdns name", "netbios");
|
||||||
|
|
||||||
|
diff --git a/python/samba/tests/auth_log.py b/python/samba/tests/auth_log.py
|
||||||
|
index 8ac76fe..d2db380 100644
|
||||||
|
--- a/python/samba/tests/auth_log.py
|
||||||
|
+++ b/python/samba/tests/auth_log.py
|
||||||
|
@@ -471,7 +471,7 @@ class AuthLogTests(samba.tests.auth_log_base.AuthLogTestBase):
|
||||||
|
def isLastExpectedMessage(msg):
|
||||||
|
return (msg["type"] == "Authorization" and
|
||||||
|
msg["Authorization"]["serviceDescription"] == "LDAP" and
|
||||||
|
- msg["Authorization"]["transportProtection"] == "SIGN" and
|
||||||
|
+ msg["Authorization"]["transportProtection"] == "SEAL" and
|
||||||
|
msg["Authorization"]["authType"] == "krb5")
|
||||||
|
|
||||||
|
self.samdb = SamDB(url="ldap://%s" % os.environ["SERVER"],
|
||||||
|
diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c
|
||||||
|
index a99ab35..c47c5f6 100644
|
||||||
|
--- a/source3/param/loadparm.c
|
||||||
|
+++ b/source3/param/loadparm.c
|
||||||
|
@@ -754,7 +754,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
||||||
|
Globals.ldap_debug_level = 0;
|
||||||
|
Globals.ldap_debug_threshold = 10;
|
||||||
|
|
||||||
|
- Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SIGN;
|
||||||
|
+ Globals.client_ldap_sasl_wrapping = ADS_AUTH_SASL_SEAL;
|
||||||
|
|
||||||
|
Globals.ldap_server_require_strong_auth =
|
||||||
|
LDAP_SERVER_REQUIRE_STRONG_AUTH_YES;
|
||||||
|
--
|
||||||
|
2.40.0
|
||||||
|
|
||||||
@@ -58,6 +58,7 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
|
|||||||
file://CVE-2018-14628-0004.patch \
|
file://CVE-2018-14628-0004.patch \
|
||||||
file://CVE-2018-14628-0005.patch \
|
file://CVE-2018-14628-0005.patch \
|
||||||
file://CVE-2018-14628-0006.patch \
|
file://CVE-2018-14628-0006.patch \
|
||||||
|
file://CVE-2023-0922.patch \
|
||||||
"
|
"
|
||||||
|
|
||||||
SRC_URI:append:libc-musl = " \
|
SRC_URI:append:libc-musl = " \
|
||||||
|
|||||||
Reference in New Issue
Block a user