git.samba.org - janger/samba-autobuild-v4-20-test/.git/commit

author	Andrew Bartlett <abartlet@samba.org>
	Tue, 12 Sep 2023 00:28:49 +0000 (12:28 +1200)
committer	Jule Anger <janger@samba.org>
	Mon, 9 Oct 2023 20:15:19 +0000 (22:15 +0200)
commit	4eba269b1ba4ce6e9f71efed9f537249d1bd2c5d
tree	4dd0e388deeaad1e5b0c3ca27ca7ddad1db86dcf	tree
parent	2ef556473bd858fc3dbcd6372835ded48f75135d	commit \| diff

CVE-2023-42670 s3-rpc_server: Strictly refuse to start RPC servers in conflict with AD DC

Just as we refuse to start NETLOGON except on the DC, we must refuse
to start all of the RPC services that are provided by the AD DC.

Most critically of course this applies to netlogon, lsa and samr.

This avoids the supression of these services being the result of a
runtime epmapper lookup, as if that fails these services can disrupt
service to end users by listening on the same socket as the AD DC
servers.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15473

Signed-off-by: Andrew Bartlett <abartlet@samba.org>

source3/rpc_server/rpcd_classic.c		diff \| blob \| history
source3/rpc_server/rpcd_epmapper.c		diff \| blob \| history
source3/rpc_server/rpcd_lsad.c		diff \| blob \| history
source3/rpc_server/rpcd_rpcecho.c		diff \| blob \| history