CVE-2022-38023 libcli/auth: add/use netlogon_creds_cli_warn_options()
authorStefan Metzmacher <metze@samba.org>
Wed, 30 Nov 2022 13:47:33 +0000 (14:47 +0100)
committerStefan Metzmacher <metze@samba.org>
Tue, 13 Dec 2022 20:37:58 +0000 (21:37 +0100)
This warns the admin about insecure options

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
(similar to commit 7e7adf86e59e8a673fbe87de46cef0d62221e800)
[jsutton@samba.org Replaced call to tevent_cached_getpid() with one to
 getpid()]

libcli/auth/netlogon_creds_cli.c
libcli/auth/netlogon_creds_cli.h

index f8b7bc2133ed64a1eedf1a010e9b018e20cba22b..3c3908ea735b924e004209754b63223627b877ea 100644 (file)
@@ -204,6 +204,8 @@ static struct db_context *netlogon_creds_cli_global_db;
 NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx,
                                          struct db_context **db)
 {
+       netlogon_creds_cli_warn_options(lp_ctx);
+
        if (netlogon_creds_cli_global_db != NULL) {
                return NT_STATUS_INVALID_PARAMETER_MIX;
        }
@@ -218,6 +220,8 @@ NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx)
        struct db_context *global_db;
        int hash_size, tdb_flags;
 
+       netlogon_creds_cli_warn_options(lp_ctx);
+
        if (netlogon_creds_cli_global_db != NULL) {
                return NT_STATUS_OK;
        }
@@ -258,6 +262,68 @@ void netlogon_creds_cli_close_global_db(void)
        TALLOC_FREE(netlogon_creds_cli_global_db);
 }
 
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx)
+{
+       bool global_reject_md5_servers = lpcfg_reject_md5_servers(lp_ctx);
+       bool global_require_strong_key = lpcfg_require_strong_key(lp_ctx);
+       int global_client_schannel = lpcfg_client_schannel(lp_ctx);
+       bool global_seal_secure_channel = lpcfg_winbind_sealed_pipes(lp_ctx);
+       static bool warned_global_reject_md5_servers = false;
+       static bool warned_global_require_strong_key = false;
+       static bool warned_global_client_schannel = false;
+       static bool warned_global_seal_secure_channel = false;
+       static int warned_global_pid = 0;
+       int current_pid = getpid();
+
+       if (warned_global_pid != current_pid) {
+               warned_global_reject_md5_servers = false;
+               warned_global_require_strong_key = false;
+               warned_global_client_schannel = false;
+               warned_global_seal_secure_channel = false;
+               warned_global_pid = current_pid;
+       }
+
+       if (!global_reject_md5_servers && !warned_global_reject_md5_servers) {
+               /*
+                * We want admins to notice their misconfiguration!
+                */
+               DBG_ERR("CVE-2022-38023 (and others): "
+                       "Please configure 'reject md5 servers = yes' (the default), "
+                       "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+               warned_global_reject_md5_servers = true;
+       }
+
+       if (!global_require_strong_key && !warned_global_require_strong_key) {
+               /*
+                * We want admins to notice their misconfiguration!
+                */
+               DBG_ERR("CVE-2022-38023 (and others): "
+                       "Please configure 'require strong key = yes' (the default), "
+                       "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+               warned_global_require_strong_key = true;
+       }
+
+       if (global_client_schannel != true && !warned_global_client_schannel) {
+               /*
+                * We want admins to notice their misconfiguration!
+                */
+               DBG_ERR("CVE-2022-38023 (and others): "
+                       "Please configure 'client schannel = yes' (the default), "
+                       "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+               warned_global_client_schannel = true;
+       }
+
+       if (!global_seal_secure_channel && !warned_global_seal_secure_channel) {
+               /*
+                * We want admins to notice their misconfiguration!
+                */
+               DBG_ERR("CVE-2022-38023 (and others): "
+                       "Please configure 'winbind sealed pipes = yes' (the default), "
+                       "See https://bugzilla.samba.org/show_bug.cgi?id=15240\n");
+               warned_global_seal_secure_channel = true;
+       }
+}
+
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
                                struct messaging_context *msg_ctx,
                                const char *client_account,
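Review bot: The pid-keyed reset of the static `warned_*` flags at the top of netlogon_creds_cli_warn_options() carries no comment explaining why it exists; static storage survives fork(), so without it a child would inherit the parent's "already warned" state, and the intent is presumably that every process logs each warning once. A line such as `/* static flags survive fork(): re-arm them on a pid change so each process warns once */` above the `if (warned_global_pid != current_pid)` check would save the next reader from re-deriving that. Separately, `global_client_schannel != true` compares an int against a bool constant; if lpcfg_client_schannel() returns a tri-state, an explicit `auto` also triggers the warning, which may well be intended but deserves a one-line comment stating so. The four DBG_ERR blocks differ only in the option name and could share a small static helper taking the flag pointer and option string, though keeping the full literal strings as written does make the messages greppable.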
index 3e401dabe9c35d105c2a7ae6a49ae3e2d312b937..fed3e77fa58a08c2c3f9d9c3c342f0355db62188 100644 (file)
@@ -35,6 +35,8 @@ NTSTATUS netlogon_creds_cli_set_global_db(struct loadparm_context *lp_ctx, struc
 NTSTATUS netlogon_creds_cli_open_global_db(struct loadparm_context *lp_ctx);
 void netlogon_creds_cli_close_global_db(void);
 
+void netlogon_creds_cli_warn_options(struct loadparm_context *lp_ctx);
+
 NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx,
                                struct messaging_context *msg_ctx,
                                const char *client_account,
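Review bot: The new prototype for netlogon_creds_cli_warn_options() has no doc comment, so a reader of the header cannot tell that it is safe and cheap to call repeatedly or what it checks; the .c side calls it from both netlogon_creds_cli_set_global_db() and netlogon_creds_cli_open_global_db(). Suggest `/* Log a DBG_ERR for each CVE-2022-38023 related option in lp_ctx that is set to an insecure value; each warning is emitted at most once per process, so repeated calls are harmless. */` above the declaration.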