git.samba.org - metze/samba/wip.git/commit

author	Andrew Bartlett <abartlet@samba.org>
	Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)
committer	Jule Anger <janger@samba.org>
	Sun, 8 Oct 2023 20:07:09 +0000 (22:07 +0200)
commit	08f4f363fa6e2ee62a6e32db577ee12e26927735
tree	6c6adda8da82932db4fcd021a0eb3b6e67a76f3c	tree
parent	6ff5eed9c5dbb5b8b27ef34586e63208e958dc2e	commit \| diff

CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

source3/rpc_server/rpcd_classic.c		diff \| blob \| history
source3/rpc_server/rpcd_epmapper.c		diff \| blob \| history
source3/rpc_server/rpcd_lsad.c		diff \| blob \| history
source3/rpc_server/rpcd_rpcecho.c		diff \| blob \| history