git.samba.org - samba.git/commit

author	Andrew Bartlett <abartlet@samba.org>
	Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)
committer	Jule Anger <janger@samba.org>
	Sun, 8 Oct 2023 20:07:05 +0000 (22:07 +0200)
commit	614d9c2235757510579e6d5122d6ec3c6be50105
tree	c7c0f929c046564a495ba32860fc6f6adcd00be3	tree
parent	2e2a9feecff6dda90ef27ee7534a69bc4c3ee960	commit \| diff

CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

source3/rpc_server/rpcd_classic.c		diff \| blob \| history
source3/rpc_server/rpcd_epmapper.c		diff \| blob \| history
source3/rpc_server/rpcd_lsad.c		diff \| blob \| history
source3/rpc_server/rpcd_rpcecho.c		diff \| blob \| history